Ransomware Is a Real and Growing Threat for UK Retailers

Jade Brown

May 29, 2025


Ransomware gangs netted nearly $1 billion in payouts worldwide in 2024. While this type of cyberattack continues to be a major problem for organizations around the world, retailers often misunderstand the risk these attacks pose to their business.  

The myth that attackers don’t care about retailers persists across the industry in the UK, with many executives falsely believing that they aren’t a tempting target. This way of thinking may be shaped by the organization’s attitudes towards their own operations and functions.

For instance, if an organization does not interface with critical infrastructure or deal with trade secrets or sensitive contracts, then they may assume that their data isn’t valuable compared to other entities. They may believe they are not a prime target for cyberattacks. This notion is especially prevalent among smaller retailers who often believe they are too small a fish for cybercriminals to target. 

The reality couldn’t be further from the truth, and recent data reveals that ransomware groups are increasingly targeting UK retailers of various sizes.  

UK Retailer Ransomware Attacks Increasing 

Retail organizations, including big box stores, regional chains, and small specialty retailers, are increasingly under attack. In the first quarter of 2025, according to our analysis, there was an 85% increase in ransomware attacks against retailers in the United Kingdom compared to the same period last year. The first quarter of 2025 also had a higher total of victims compared to previous quarters in 2024. Similar trends are also occurring globally. Ransomware attacks on retail organizations during the first four months of 2025 jumped 70% compared to the same period in 2024.

Ransomware groups that have attacked UK retailers in the first quarter of 2025 include Clop, Akira, DragonForce, and others.  

No target is too small or too insignificant, regardless of size, scope, or market segment. Retailers, in particular, face a greater risk as they often lack mature information security programs that are managed with the level of urgency and care typically seen in the technology and finance sectors.

The financial and reputational damage from a successful attack, whether due to data exposure or service disruption, can be long-lasting, even if no ransom is paid. Threat actors often continue to exchange data and intelligence on victim organizations, creating scenarios that could lead to further damage to these organizations in the future. 

Evolving Threat Landscape 

The operational efficiency of the Ransomware as a Service (RaaS) model, and by extension, the demand for and integration of affiliate groups, fosters opportunities for threat actors to grow their forces and conduct more attacks against retailers. 

While many areas in the dark web ecosystem are gated, with the help of a Bitcoin wallet, an anonymous email, and a referral from an insider, a threat actor can purchase malicious code, customize it, and launch ransomware attacks at scale. Alternatively, a threat actor may leverage their own advanced code and borrow infrastructure to carry out attacks.  

Encryptors are just one tool available for a threat actor to use against an organization, as they block access to the victim’s own systems and data. Increasingly, threat actors are carrying out their objectives and minimizing their chances of detection by utilizing Living off the Land (LOTL) tactics.  LOTL techniques allow the threat actor to exploit trusted tools in the victim’s environment so they can more easily move through the network, evade detection, and achieve goals such as data exfiltration and service disruption. 

Understanding Threat Actor Attack Strategy 

Ransom demands are just one variable that influences a threat actor’s target and attack strategy. Disrupting a regional transportation network or stealing the client list of a multinational bank can justify a much higher ransom than an attack against a retail network. However, there are additional considerations in play.  

Large organizations invest extensive resources in hardening their cyber defenses and reducing their attack surface. In comparison, retailers are sometimes a more tempting target to threat actors, likely due to perceived weaknesses in their cybersecurity strategy and the enforcement of their security program at large.  

Retailers often have smaller and overwhelmed cybersecurity teams. Additionally, the retail attack surface expands well beyond their environment due to interconnected supply chains, customer self-service portals, and a reliance on service providers for delivery, marketing, and other business functions. 

A Viable Strategy Centered Around Defense in Depth 

With ransomware attacks against UK retailers on the rise, how can retailers mitigate the risk of a successful attack? A key approach involves deploying a defense-in-depth, multi-layered security architecture. This time-tested approach strengthens defenses throughout the entire attack lifecycle, from prevention and protection to detection and response. 

1. Prevent

One of the most effective ways to stop a ransomware attack is to implement an approach that emphasizes not only reactive security, but also proactive security. This includes leveraging capabilities that identify systems in need of patching and implementing updates or fixes to remediate them before attackers can exploit them.  

In addition, use a modern solution to shrink your attack surface. Many organizations rely on solutions that are static in nature, characterized by static rules and policy enforcement. As a result, these organizations may miss signs of threat group activities that are not well-known or not yet reported.

However, an organization that can map and understand its own ecosystem, and the risks specific to each user-asset pair, has more to gain in the fight against threat actors. This approach also reduces the number of threat actor pathways into your environment.
 
Retailers should first assess their IT environment to understand where assets are deployed and how they are utilized to support business operations. Where are your point-of-sale systems? Who has access to them? What would happen if they went down? What other assets are just as critical to sales, customer experience, and loyalty? Work with stakeholders to understand the risk associated with these assets and develop a roadmap to prioritize steps to increase the organization’s security posture.

2. Protect

Improving basic cybersecurity hygiene, to block threats at the point of entry, is another effective way for retailers to stop ransomware attacks. Devices, applications, datastores, software-as-a-service (SaaS) platforms, and other endpoints should be hardened.  

Here are two essential security measures that fall under the category of protect that are sometimes neglected:   

  • Implementing MFA (multi-factor authentication) to secure authentication
  • Enforcing network segmentation to keep valuable internal systems isolated from those that may interact with public services or vulnerable or outdated components 
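
An added example (not from the original article) of auditing the segmentation measure above: it follows a constructed zone-to-zone allow list transitively and reports every path from a public-facing or outdated zone to a protected one, including paths that no single rule grants directly. The zone names, ports and the `exposure_paths` helper are assumptions for illustration.

```python
from collections import deque

# Constructed sample policy: (source zone, destination zone, port) flows the
# firewall allows. Zone names and ports are assumptions, not from the article.
ALLOWED_FLOWS = [
    ("internet", "dmz_web", 443),
    ("dmz_web", "app", 8443),
    ("app", "orders_db", 5432),
    ("corp_lan", "pos", 3389),           # remote admin into the POS segment
    ("legacy_kiosk", "corp_lan", 445),   # outdated component with a way inward
    ("pos", "payment_gw", 443),
]
EXPOSED = {"internet", "dmz_web", "legacy_kiosk"}  # public-facing or outdated
PROTECTED = {"pos", "orders_db"}                   # valuable internal systems


def exposure_paths(flows, exposed, protected):
    """Return the shortest allowed path from each exposed zone to each
    protected zone it can reach, following flows transitively (BFS)."""
    graph = {}
    for src, dst, port in flows:
        graph.setdefault(src, []).append((dst, port))

    findings = {}
    for start in sorted(exposed):
        queue = deque([(start, [start])])
        seen = {start}
        while queue:
            zone, path = queue.popleft()
            for nxt, port in graph.get(zone, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                hop_path = path + [f"{nxt}:{port}"]
                if nxt in protected:
                    # A finding is a path to review, not automatically a violation.
                    findings[(start, nxt)] = hop_path
                queue.append((nxt, hop_path))
    return findings


if __name__ == "__main__":
    results = exposure_paths(ALLOWED_FLOWS, EXPOSED, PROTECTED)
    for (src, dst), path in sorted(results.items()):
        print(f"{src} can reach {dst}: {' -> '.join(path)}")
```

In the sample policy no rule connects the kiosk zone to the POS segment directly, yet the audit reports the two-hop path through the corporate LAN, which is the kind of gap a rule-by-rule review misses.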

While attack surfaces that expand beyond the primary environment may make this task appear overwhelming, retailers don’t have to start from scratch. Organizations such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) provide cybersecurity frameworks like NIST CSF 2.0 and ISO 27001. Following these frameworks allows organizations to strategically design and implement effective security controls. In addition, enforcing a Zero Trust cybersecurity strategy can help organizations secure assets, protecting systems against unauthorized access and authentication.

3. Leverage Advanced Threat Intelligence

Threat intelligence is a vital part of security that enhances incident response and investigation processes. Threat intelligence solutions such as IntelliZone equip organizations with the means to consolidate all of the knowledge Bitdefender has gathered on cyberthreats and associated threat actors into a single view for security analysts. The solution’s functionalities also support comprehensive report and analysis actions.

4. Detect and Respond

A breach can happen at any time, even with efforts taken to combine both prevention and protection strategies to safeguard systems. Ransomware groups often gain access to retail systems by tricking users into interacting with them or downloading a suspicious file. Human error is not an aspect that can be removed from an organization’s risk profile. 

It is imperative for UK retailers to detect an attack in a prompt manner and execute appropriate countermeasures to eradicate the threat before additional damage is done. Retailers can establish a detection capability through an Endpoint Detection and Response (EDR) solution, an Extended Detection and Response (XDR) platform, or a Managed Detection and Response (MDR) service. The tool that is most fitting for an organization varies based on their needs, internal resources, and risk tolerance. 

These detection and response tools can minimize the time attackers spend undetected within retailers’ systems, and they’re important to combat RaaS affiliates employing similar tactics. 

Capabilities that support rapid response, an essential part of incident management, also aid organizations in minimizing the impact of attacks quickly and effectively while offering ways for the organization to perform remediation actions and seek additional support. By identifying and stopping attackers before they can launch their final attack, these solutions can significantly reduce the risk of a disruptive and costly ransomware attack. 

Retail: A Real Target for Ransomware Groups 

Ransomware isn’t just a problem for organizations in high-risk industries. Threat actors are increasingly targeting UK-based retailers, and an 85% increase in ransomware attacks against retail organizations was observed during the first few months of 2025. Now is the time for retail organizations to take a hard look at their cybersecurity posture, identify the security risks that exist, and work to prioritize and close them.

Author


Jade Brown

Jade Brown is a threat researcher at Bitdefender. A cybersecurity thought leader who is passionate about contributing to operations that involve cybersecurity strategy and threat research, she also has extensive experience in intelligence analysis and investigation.
