
Ransomware hits the high street: What retailers must do now
The recent UK cyber attacks on Marks & Spencer, the Co-op, and Harrods have brought cyber resilience and the threat of ransomware sharply into focus in the retail sector. These are not isolated incidents or obscure technical breaches – they are deliberate, targeted operations disrupting some of the UK’s most recognised brands.
Retailers, particularly those with expansive supply chains, high volumes of customer data, and multiple operating channels and connected technologies, have become attractive targets for cyber criminals.
The UK’s National Cyber Security Centre (NCSC) has confirmed that it continues to work closely with the organisations impacted in the latest cyber attacks. Moreover, the NCSC has previously stated that ransomware is the most acute cyber threat facing UK organisations and businesses – a threat exacerbated by the early adoption of AI by criminal groups. Ransomware groups are evolving their tactics faster than many organisations can respond, using automation, phishing, and remote access vulnerabilities to penetrate systems and lock up critical business functions.
Some experts, including former NCSC Chief Ciaran Martin, have proposed banning ransom payments entirely – the logic being that if criminals are denied a payday, they’ll move on. The UK government is considering a ban on ransomware payments for regulated critical national infrastructure and the public sector. While the intention is right, the reality is more complex. Criminalising ransom payments entirely risks pushing victims into secrecy, limiting engagement with law enforcement, and driving payments through offshore or cryptocurrency-based routes that are difficult to track. Banning ransom payments for the public sector is likely to result in an increase in other sectors being targeted instead. Like traditional extortion, ransomware thrives where fear meets opacity.
Immediate actions for UK retailers
Retailers cannot afford to wait for legislation or regulation. The following are immediate, practical steps retail businesses can take to reduce their exposure and respond effectively:
- Isolate crown jewels: Identify and segment critical systems – such as payment processing, stock management, and customer databases – so an attacker gaining access to one does not automatically gain access to all.
- Test offline recovery: Ensure backups are not only taken regularly but tested and stored securely offline. Being able to restore systems without paying a ransom is essential.
- Deploy endpoint detection and response: This technology can spot unusual activity, such as encryption of files or unauthorised access, before full compromise occurs.
- Run tabletop exercises: Wargame a simulated ransomware attack with key leadership, IT, and communications teams. This will reveal gaps in response plans and build confidence in decision-making under pressure.
- Enforce strong third-party security reviews: Many ransomware incidents originate via suppliers. Insist on minimum cyber hygiene standards and regular testing from third-party vendors, particularly those with system access.
- Invest in your people: Develop strong cyber awareness and culture programmes. It is important to move beyond an annual tick-box exercise to a point where cyber security is ‘just what people do’. Employees are a brilliant resource to thwart incipient attacks, alert you to when something has gone wrong, and support you when it has.
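The endpoint detection step above says such tooling can spot mass encryption of files before full compromise; the following is an added, simplified illustration of one heuristic behind that claim, written for this page rather than taken from the article or from any vendor product. It scores the content of each written file by Shannon entropy (encrypted or compressed output is near 8 bits per byte; ordinary documents are far lower) and raises an alert when a single process writes more than a threshold number of high-entropy files inside a short window. The events, process names and thresholds are constructed assumptions for the demonstration; a real EDR would draw on kernel file-system telemetry and tune the thresholds per estate.

```python
import math
from collections import defaultdict, deque

# Constructed stand-ins for file contents. The "ciphertext" has exactly 8 bits
# of entropy per byte; the invoice text is repetitive and scores far lower.
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Invoice 2025 line item: office chairs x 12\n" * 20


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=60, threshold=5, entropy_min=7.0):
    """Flag processes that write >= `threshold` high-entropy files within `window_s` seconds.

    `events` is an iterable of (timestamp_seconds, process_name, path, written_bytes).
    Returns {process_name: timestamp_of_first_alert}. Only the first alert per
    process is recorded, which is how a responder would want to be paged.
    """
    recent = defaultdict(deque)  # process -> timestamps of recent high-entropy writes
    alerts = {}
    for ts, proc, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue  # plain documents, spreadsheets, logs: not interesting here
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


# Constructed sample telemetry (timestamps in seconds since some epoch):
#  - word.exe writes ordinary documents (low entropy, never flagged)
#  - backup.exe writes encrypted archives but slowly, one every two minutes,
#    so it never exceeds the threshold inside a 60 s window
#  - unknown.exe writes six encrypted files in 25 s: the ransomware pattern
SAMPLE_EVENTS = [
    (10, "word.exe", r"C:\Users\a\Documents\q1.docx", LOW_ENTROPY),
    (40, "word.exe", r"C:\Users\a\Documents\q2.docx", LOW_ENTROPY),
] + [
    (t, "backup.exe", rf"D:\Backups\store-{i}.bak", HIGH_ENTROPY)
    for i, t in enumerate(range(0, 600, 120))
] + [
    (t, "unknown.exe", rf"\\fileserver\sales\report-{i}.xlsx.locked", HIGH_ENTROPY)
    for i, t in enumerate(range(100, 130, 5))
]


if __name__ == "__main__":
    for proc, ts in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT t={ts}s: {proc} wrote {5}+ high-entropy files within 60s")
```

The deliberately slow `backup.exe` case shows why the window matters: legitimate encrypted output exists on every estate, and the signal is the rate at which one process produces it, not its presence. In production this heuristic would sit beside others (renames to unfamiliar extensions, deletion of volume shadow copies, unusual SMB write fan-out) and would be what triggers the isolation of the affected host, which is the point of the segmentation step above.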
Building long-term resilience through national strategy
Beyond immediate defences, the UK must pursue a ‘whole of society’ approach, as envisioned in the National Cyber Strategy. This requires trust, transparency, and collaboration between business, government, and law enforcement. Retailers must be seen not just as targets but as partners in national cyber defence.
This means:
- Strengthening cyber hygiene and layered defences to reduce exposure: Effective security architectures make it harder for criminals to breach systems and lessen dependence on end-user vigilance.
- Investing in recovery planning: Organisations with rehearsed, resilient recovery capabilities are less reliant on criminals for data restoration. Ransom payments are no guarantee of success – recovery readiness is.
- Reporting attacks promptly and fully: Transparency supports intelligence-led disruption of ransomware networks and helps protect other organisations. Silence only benefits the attackers.
Tackling the underlying drivers of ransomware
Structural weaknesses must also be addressed. Too many retailers still rely on systems that are difficult to patch or secure, because they were not built with security in mind. The Cyber Resilience Act will, for example, ensure that manufacturers must deliver secure-by-design products in the future.
Cyber insurers must reassess their role too. While insurance can provide important financial support, policies that reimburse ransom payments may incentivise short-term fixes that prolong the broader problem. Regulators should explore international cooperation to limit such payouts and redirect investment toward resilience.
Hardening cyber security will reduce secrecy and strengthen resilience
The attacks on M&S, the Co-op, and Harrods are not just technical incidents – they are signals that ransomware is evolving into a systemic threat to the UK economy. Criminalising ransom payments may provide moral clarity, but it risks driving the problem underground. Careful consideration and robust debate are required. In the meantime, retailers must act to harden their environments, test their resilience, and engage openly with law enforcement. The rest of society – from IT suppliers to insurers and regulators – must follow suit.
