Retail Ransomware Attacks Jump 58% Globally in Q2 2025

by CybrGPT

Publicly disclosed ransomware attacks targeting the retail sector globally have surged by 58% in Q2 2025 compared to Q1, with UK-based firms bearing the brunt of this targeting, according to new data from BlackFog.

The findings follow a spate of high-profile retailers reporting attacks during April-June 2025.

This includes the trio of ransomware attacks on UK brands Marks & Spencer (M&S), The Co-op and Harrods in late April, which have been linked to the Scattered Spider threat actor.

These incidents have caused significant operational disruption and financial costs for the victims.

On July 10, four individuals were arrested by UK law enforcement on suspicion of involvement in the attacks.

Other notable retail brands impacted by cyber-incidents in the period include Dior, Adidas, Louis Vuitton, Cartier and Victoria’s Secret.

The BlackFog report, published on July 16, noted that the retail sector has become a prime target for ransomware groups because these organizations often have complex supply chains, meaning even short-term disruption can lead to financial fallout.

“The urgency to restore services often translates into a higher likelihood of ransom payment – an attractive incentive for cybercriminals. Additionally, retail companies handle vast troves of customer data and payment information, making them prime targets from both extortion and data theft perspectives,” the researchers noted.

Ransomware Attacks Rise 113% Year-Over-Year

The new report highlighted a 63% increase in disclosed ransomware incidents in Q2 2025 compared to the same period in 2024, with 276 confirmed attacks globally.

April and May recorded 89 and 91 attacks, respectively, the highest totals observed for those individual months since 2020.

Data exfiltration, in addition to or instead of data encryption, occurred in 95% of disclosed attacks in the quarter.

Healthcare was the most targeted industry with 52 attacks (18.8%), followed by government with 45 attacks (16.3%) and services with 33 attacks (12%).

The researchers observed 53 active ransomware groups in Q2. Qilin was responsible for the highest proportion of disclosed attacks with 28, 10% of the total.

The next most active groups were INC Ransom (12 attacks), Interlock (nine attacks), Akira (seven attacks) and Medusa (seven attacks).

Over a third (35%) of attacks remain unclaimed by ransomware groups.

Ransomware attacks were observed impacting organizations in 88 countries around the world, including smaller nations such as Tonga, Haiti, Fiji and Barbados.

Most Ransomware Attacks Not Publicly Reported

The researchers observed that 1446 ransomware attacks were not publicly disclosed during the period, a 19% increase compared to the same quarter in 2024.

This meant that for every 100 undisclosed incidents, only about 19 were publicly acknowledged, highlighting a substantial gap in visibility.

Qilin was the most active group for undisclosed incidents, making up 15% of the total.

The industry with the highest proportion of undisclosed ransomware incidents was services (23%), followed by manufacturing (21%).

On July 8, M&S chairman Archie Norman testified to the UK Parliament that he was aware that a large number of attacks do not get reported in the UK. He claimed to be aware of unreported attacks on two large firms in the past four months.

All recorded ransomware events included in the BlackFog report were based upon data exfiltration from the device endpoint across all major platforms.
