Black Friday – now almost a whole month long – is one of the busiest trading periods for retailers across South Africa. Online traffic spikes, extended trading hours, promotional campaigns and increased digital payments all create valuable revenue opportunities – but they also create a perfect window for cyber criminals.
The Sophos State of Ransomware in Retail 2025 report shows that retail environments remain prime targets for attackers, not just because of their scale but because of operational pressures that expose security weaknesses.
According to the research, 30% of ransomware attacks in retail start with exploited vulnerabilities, making this the leading technical root cause for the third consecutive year. Meanwhile, unknown security gaps were named by 46% of retailers as the reason they fell victim – the highest rate across all surveyed industries.
Black Friday, which leads into festive-season shopping, demands rapid execution and constant system uptime, so retailers often operate in a mode where security gaps are easier for attackers to exploit.
Ransomware now impacts both revenue and resilience
The report also reveals important shifts both in how ransomware affects retailers and how they respond:
- Data encryption has dropped to its lowest in five years, with 48% of attacks resulting in encryption, down from 71% in 2023.
- However, 29% of retailers who experienced encryption also suffered data theft, proving that double-extortion remains a critical threat.
- The median ransom demand has doubled to $2 million, driven by a significant rise in demands of $5 million or more.
- Despite these aggressive demands, the median ransom payment increased only slightly to $1 million, suggesting growing negotiation or resistance.
Retailers might be becoming more resilient, but attackers are becoming more strategic – particularly during predictable high-volume events like Black Friday.
Why Black Friday heightens exposure
1. High transaction loads mask abnormal activity
With massive increases in traffic, unusual behaviour – such as credential-stuffing, lateral movement or data exfiltration – can blend into the noise.
2. Temporary staff and accelerated onboarding
Seasonal workers often use shared credentials or unfamiliar systems, increasing the risk of misconfigurations or user error.
3. Patch freezing
Many retailers impose a code or systems freeze from mid-November onwards to avoid disruption. Cyber criminals know this.
4. Pressure on overstretched IT teams
The report shows:
- 45% of retail IT teams said “lack of expertise” contributed to the attack.
- 43% reported increased workload and stress.
What retailers can do now: Black Friday defence essentials
1. Close known and unknown gaps with MDR
Ransomware trends show one reality: early detection is the difference between disruption and disaster. Around-the-clock monitoring through managed detection and response (MDR) dramatically improves the chance of stopping attackers before encryption or theft occurs.
2. Isolate critical systems
POS, inventory, e-commerce and back-office systems should never be exposed via flat networks.
3. Harden staff access
Move away from shared credentials and enforce multi-factor authentication (MFA) everywhere – not just for remote access.
4. Review backup strategies
Although 62% of retailers successfully used backups to recover data, usage is at its lowest level in four years. This gap should be addressed urgently ahead of Black Friday.
5. Plan for a ransomware scenario
Well-rehearsed response playbooks help limit both financial loss and customer-facing disruption.
Black Friday has changed – so must retail cyber strategy
These findings make it clear that retailers cannot rely on traditional, reactive security approaches – especially ahead of high-pressure trading periods like Black Friday. With ransom demands doubling to $2 million, extortion-only attacks rising sharply and 46% of breaches starting with unknown gaps, retailers must assume attackers are already looking for their weakest point. And with backup success at a four-year low, the operational fallout from an attack can be severe. Strengthening visibility, closing security gaps proactively and adopting continuous monitoring such as MDR are now essential steps to reduce pressure on IT teams and build resilience in one of the most targeted sectors.