Ransomware Attacks Surge in Retail: 2025 Cybercrime Trends

Edward Zhou

CEO & Founder

 
July 17, 2025 4 min read

Retail Ransomware Attacks Jump 58% Globally in Q2 2025

Publicly disclosed ransomware attacks targeting the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms heavily impacted, according to data from BlackFog. High-profile attacks reported in April-June 2025 included incidents affecting Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the Scattered Spider threat actor. These incidents led to significant operational disruptions and financial costs for the victims.

Four individuals were arrested by UK law enforcement on July 10, suspected of involvement in these attacks. Other notable brands affected include Dior, Adidas, and Louis Vuitton.

The BlackFog report released on July 16 indicated that complex supply chains in the retail sector make these organizations prime targets for ransomware groups. The urgent need to restore services often increases the likelihood of ransom payment, making retailers attractive targets for cybercriminals.

Source: BlackFog

Ransomware Attacks Rise 113% Year-Over-Year

The report also highlighted a 63% increase in disclosed ransomware incidents in Q2 2025 compared to the same period in 2024, with 276 confirmed attacks globally. Healthcare was the most targeted industry, followed by government and services. Data exfiltration was observed in 95% of disclosed attacks.

The report identified 53 active ransomware groups in Q2, with Qilin responsible for the highest proportion of attacks, totaling 28. Other notable groups included INC Ransom and Akira.

Most Ransomware Attacks Not Publicly Reported

A significant gap in visibility was noted, with 1,446 ransomware attacks not publicly disclosed during the period. Qilin was the most active group for undisclosed incidents, comprising 15% of the total. The services and manufacturing industries had the highest proportions of undisclosed incidents.


Cybercrime Statistics 2025: Rising AI Threats & Global Impact

In 2025, the global cost of cybercrime is projected to reach $10.29 trillion. This figure is expected to climb further, reaching $11.36 trillion by 2026. By 2028, the estimated cost could soar to $13.82 trillion. The global volume of reported cybercrimes is projected to surpass 7.8 million cases by the end of 2025, with India, Brazil, and the United States leading in reported cases.

The most common types of cybercrime in 2025 include phishing, business email compromise (BEC) scams, and ransomware. Phishing accounted for 39% of all attacks, while ransomware represented 27%. The healthcare sector suffers the highest average cost per data breach at $9.77 million.

Ransomware Attacks Dip in May Despite Persistent Retail Targeting

Despite a decline in overall ransomware attacks for the third consecutive month in May 2025, the retail sector continues to face persistent threats. NCC Group recorded 393 attacks in May, a 6% decrease from April, with notable incidents affecting retailers like M&S and The Co-op.

Top 10 most targeted sectors in May 2025. Source: NCC Group

Safepay emerged as the most active ransomware group in May, responsible for 70 attacks. The group is suspected to be a rebranding of several other known groups. North America accounted for 50% of ransomware attacks in May, with Europe and Asia following.

How Cybersecurity Threats Are Targeting Retail Network Infrastructures

Retailers face significant cybersecurity challenges as they integrate advanced systems like cloud computing and IoT devices. Legacy hardware poses risks because its outdated security features leave it open to exploitation. Cyber incidents can have severe financial implications, as the average data breach cost in retail continues to escalate.

To mitigate these risks, retailers must adopt proactive strategies, including implementing a Zero Trust architecture, regularly updating hardware and software, and training employees. Collaboration within the industry and the use of advanced technologies are also essential to enhance cybersecurity resilience.

UK Authorities Arrest Four People in Probe of Retail Cyberattack Spree

Four individuals were arrested in the U.K. on July 10 in connection with a National Crime Agency investigation into a series of cyberattacks on retailers including Harrods, M&S, and The Co-op. The suspects face charges related to cybercrime and are believed to be affiliated with the Scattered Spider group.

Harrods is one of three UK-based retail companies responding to a spree of attacks beginning in April 2025.

The investigation remains a high priority for authorities as they work with multiple agencies to address the ongoing threat. The aggressive tactics used by the Scattered Spider group highlight the need for enhanced cybersecurity measures across sectors.


Edward Zhou

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
