Cybercriminals are evolving their tactics, and retail organisations are facing a surge in targeted attacks designed to exploit digital infrastructure, customer data, and supply chain dependencies. The first half of 2025 has seen a marked rise in sophisticated threats that compromise cloud platforms, manipulate consumer trust, and apply pressure through multi-layered extortion. 

Quorum Cyber’s Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook Report offers retail leaders a strategic perspective on attacker behaviour, providing insights and defence strategies to help safeguard operations, customer relationships, and brand reputation. 

Why retail is a high-value target 

Retailers hold vast amounts of personal and payment data, operate across complex digital ecosystems, and rely heavily on cloud-based platforms and third-party vendors. The sector’s high transaction volume and seasonal peaks make it a prime target for ransomware, credential theft, and fraud. 

Despite improvements in cyber security posture, retail organisations remain vulnerable due to: 

  • Distributed infrastructure and supply chains 
  • High customer data volumes 
  • Dependence on e-commerce platforms 
  • Regulatory pressures around data protection. 

Attackers exploit both technical weaknesses and consumer-facing channels to maximise disruption and financial gain. 

Key threats shaping the retail risk landscape 

  1. Cloud-Native Ransomware: Codefinger

In January 2025, Quorum Cyber identified Codefinger, a ransomware group abusing AWS features to encrypt cloud-stored retail data. By exploiting Server-Side Encryption with Customer-Provided Keys (SSE-C), attackers rendered data irrecoverable without the ransom key. 

Retail Impact: Cloud-native extortion threatens inventory systems, point of sale (POS) platforms, and customer databases. Strong cloud key management and encryption policy monitoring are essential.  

  2. Resilient Infostealers: Acreed

Following the takedown of Lumma, Acreed emerged, targeting browser-stored credentials, payment data, and loyalty program access—frequent targets in retail environments. 

Retail Impact: Credential theft can lead to fraudulent purchases and account takeovers. Phishing-resistant MFA and dark web monitoring are critical. 

  3. Nation-State and Criminal Convergence: Moonstone Sleet & Qilin

North Korea’s Moonstone Sleet deployed Qilin ransomware in attacks on software firms, showcasing the fusion of state and criminal capabilities. 

Retail Impact: Attribution challenges and legal risks escalate. Retailers must ensure incident response plans include legal consultation and threat actor profiling. 

  4. Quadruple Extortion: Qilin’s Consumer Harassment

Qilin now includes regulatory complaints, customer intimidation, and reputational threats in its extortion playbook. 

Retail Impact: Attackers may contact customers directly using stolen PII, threatening trust and brand loyalty. Crisis communications and legal teams must be integrated into response planning. 

  5. Ransomware Cartels & White-Label Services: DragonForce & RansomBay

Groups like DragonForce and RansomBay offer ‘rebrandable’ ransomware kits and support services, enabling widespread, decentralised attacks. 

Retail Impact: Increased attack volume and diversity. Retailers must adopt threat intelligence-led defence and prepare for attribution complexity. 

  6. AI-Driven Extortion: GLOBAL Ransomware

The GLOBAL RaaS platform introduced AI-powered negotiation bots, automating and scaling extortion tactics. 

Retail Impact: AI-driven pressure tactics reduce negotiation windows. Retail teams must train for psychological resilience and rapid intelligence sharing. 

Financial impact and sector trends 

Quorum Cyber’s data shows a 53% increase in initial ransomware demands between Q1 2022 and Q1 2025. Retail organisations often face demands tailored to their customer base, brand visibility, and seasonal revenue cycles. 

Attackers increasingly price demands based on perceived ability to pay and the reputational risk of downtime or data exposure. 

Checklist for retail security leaders 

1. Harden Cloud Storage & Key Management 

  • Disable SSE-C unless strictly necessary 
  • Monitor changes to encryption policies and access controls

2. Enhance Staff Awareness 

  • Train employees on social engineering and fake job offer scams 
  • Encourage prompt reporting of suspicious activity

3. Deploy Phishing-Resistant MFA 

  • Use FIDO2 keys or device-bound passkeys 
  • Avoid SMS/app-based OTPs 

4. Implement Conditional Access Policies 

  • Assess identity, device, and location dynamically 
  • Enforce frequent MFA refresh intervals 

5. Monitor for Credential Exposure 

  • Continuously scan for leaked credentials and brand impersonation 
  • Rotate credentials and assess exposure paths 

6. Prepare for Multi-Vector Extortion 

  • Integrate legal, PR, and technical teams into response playbooks 
  • Simulate scenarios involving customer harassment and regulatory complaints 
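The two SSE-C controls in checklist item 1 (refuse customer-provided keys on a bucket, and alert on encryption-policy changes and SSE-C writes in CloudTrail), as an added Python example that is not part of the report or of Quorum Cyber's tooling. BUCKET_ARN, the sample CloudTrail records and the assumption that an SSE-C write is logged with SSEApplied == "SSE_C" are mine; the bucket-policy condition key is the documented S3 one.

```python
# Added example for the Codefinger-style SSE-C abuse described above.
# BUCKET_ARN is a placeholder; SSE_C_KEY is the documented S3 condition key
# that is present only when a request supplies a customer-provided key.
BUCKET_ARN = "arn:aws:s3:::EXAMPLE-RETAIL-BUCKET"
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def deny_sse_c_policy(bucket_arn=BUCKET_ARN):
    """Bucket policy that rejects any object write using SSE-C."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyCustomerProvidedKeys",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"{bucket_arn}/*",
        # Null == "false" means the SSE-C header IS present, so the write is denied.
        "Condition": {"Null": {SSE_C_KEY: "false"}},
    }]}

# Control-plane calls an intruder would make before or while re-encrypting data.
POLICY_CHANGES = {"PutBucketEncryption", "DeleteBucketEncryption",
                  "PutBucketPolicy", "DeleteBucketPolicy"}

def triage_cloudtrail(records):
    """Return (finding, bucket, actor) tuples worth paging on. Assumes S3 data
    events are logged and that an SSE-C write carries
    additionalEventData.SSEApplied == "SSE_C" (that field value is an assumption)."""
    findings = []
    for r in records:
        name = r.get("eventName", "")
        bucket = r.get("requestParameters", {}).get("bucketName", "?")
        actor = r.get("userIdentity", {}).get("arn", "?")
        sse = r.get("additionalEventData", {}).get("SSEApplied")
        if name in ("PutObject", "CopyObject") and sse == "SSE_C":
            findings.append(("sse-c-write", bucket, actor))
        elif name in POLICY_CHANGES:
            findings.append(("encryption-policy-change", bucket, actor))
    return findings

# Constructed sample records, not real log data.
DEPLOY = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE = [
    {"eventName": "PutBucketEncryption", "userIdentity": DEPLOY,
     "requestParameters": {"bucketName": "orders-prod"}},
    {"eventName": "PutObject", "userIdentity": DEPLOY, "additionalEventData":
     {"SSEApplied": "SSE_C"}, "requestParameters": {"bucketName": "orders-prod"}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/pos-sync"},
     "requestParameters": {"bucketName": "orders-prod"}, "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]
```

Running `triage_cloudtrail(SAMPLE)` flags the bucket-encryption change and the SSE-C upload by the same deploy identity while leaving the routine SSE-KMS write alone; `deny_sse_c_policy()` is the statement that would have rejected that upload in the first place.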

Intelligence-led defence for retail 

Retail security leaders face a unique challenge: protecting customer trust and operational continuity in a threat landscape shaped by professionalised cybercrime. The insights in this report support strategic decision-making, helping organisations anticipate attacker behaviour, strengthen resilience, and maintain brand integrity. Read the full report: Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook 
