01 | RANSOMWARE TRENDS
Wholesale & Retail Ransomware Victims: Who Is Targeted and How Attackers Get In
By examining past ransomware attacks over the last year, we can understand the attacker's playbook.
This analysis of 636 publicly disclosed victims in the Retail and Wholesale sectors establishes not only who is being targeted but, more importantly, how attackers are gaining initial access, setting the stage for the specific vulnerabilities we should be watching for today.
The primary takeaway from this chapter is that attackers employ two distinct, high-impact strategies across the combined sector: 'Volume Game' against Wholesale and 'Big Game Hunting' against Retail, with credential theft fueling both approaches.
We’ll look at:
Ransomware Data
Attacker Strategies
The Credential Crisis
Top Threat Actors
Wholesale & Retail Ransomware Data
The Wholesale sector is now in the top tier of ransomware targets. Jumping from the 12th position in 2024 to rank 5 in 2025, the industry has seen one of the sharpest increases in attack volume this year. Learn more in Black Kite's 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems.
Ransomware Victims: Wholesale vs. Retail
Time Scope: October 31, 2024 - October 31, 2025. Total ransomware victims across industries: 6,793.
Wholesale vs Retail Ransomware Victims by Country
Wholesale Ransomware Victims by Subindustry
Retail Ransomware Victims by Subindustry
Attacker Strategies: Volume vs. Value
The analysis of victim revenue distribution reveals a clear divergence in threat actor strategy, confirming that while the sectors are combined, they are exploited differently.
Wholesale: The Volume Game
The Wholesale sector faced a significantly higher volume of attacks (400 victims) compared to Retail (236 victims). Attackers in this sector concentrate their efforts on mid-market firms, leveraging automated, low-effort tactics for rapid returns.
Wholesale Ransomware Victims by Revenue
Note: Undisclosed revenue excluded.
157 of 400 total Wholesale victims (nearly 40%) had revenues in the mid-market range of $20M–$100M.
This proves the Wholesale sector is the primary target for a 'Volume Game.' Attackers prioritize high-frequency, low-effort ransomware deployment against a larger number of mid-sized firms to maximize overall victim count and exploit the industry's volume dynamics. These firms often have less mature security programs, making them the path of least resistance.
Retail: Big Game Hunting
In contrast, the Retail sector, despite having fewer total victims, was subjected to more strategic and lucrative attacks concentrated on major enterprises.
Retail Ransomware Victims by Revenue
Note: Undisclosed revenue excluded.
41 of 236 Retail ransomware victims had revenue over $1 Billion.
Retail attackers are 'Big Game Hunting,' focusing on the largest enterprises for high-value data extortion and massive ransom payouts. This reflects the higher potential financial impact and access to sensitive consumer data (PII) that a successful attack on a major Retailer provides.
Putting it all together:
In Wholesale, criminals are playing a 'volume game,' focusing heavily on mid-market companies with $20M–$100M in revenue.
In contrast, Retail attackers are 'big game hunting,' with a significant portion of victims boasting revenues over $1B.
While wholesalers face frequent, automated attacks, major Retailers are being specifically targeted for high-value data extortion.
The Credential Crisis: Initial Access
The analysis of the victims' security profiles at the time of the attack reveals that the most effective vector is not breaching the network perimeter, but bypassing it entirely using stolen credentials. The problem of unauthorized initial access is twofold: widespread credential leaks and highly actionable stealer logs.
The Prevalence of Leaked Credentials
Leaked credential data refers to usernames and passwords associated with corporate employees that have been found in publicly available dark web sources, third-party breaches, or credential stuffing lists. While often older than Stealer Logs (explained below), this data provides a low-cost, high-volume source of entry attempts. It exposes a fundamental first-party failure in credential management among the victims.
Ransomware Victims with Leaked Credential Data: Wholesale vs. Retail
162 of 400 Wholesale victims (40.5%) and 117 of 236 Retail victims (49.6%) had credentials publicly exposed.
This demonstrates a fundamental, pre-existing vulnerability in identity security across the entire victim pool. This level of exposure provides threat actors with readily available initial access points, effectively negating the value of many perimeter defenses.
The High-Value Threat: Stealer Logs
Stealer Logs represent a more immediate, higher-priority threat to organizations than generic Leaked Credentials, due to the freshness and completeness of the data they contain.
The concept of the "Stealer Log" is paramount to understanding the risk. A Stealer Log is a compressed file created by information-stealer malware that secretly harvests critical data from an employee's browser, including:
Passwords
Usernames
Session Tokens
Cookies
Hackers purchase these fresh logs on the dark web. They use the stolen session tokens and credentials to gain immediate unauthorized access to corporate systems (VPNs, cloud portals), often circumventing Multi-Factor Authentication (MFA) entirely. This method bypasses perimeter defenses and provides the initial access required for follow-on attacks like data theft or ransomware deployment.
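Because a replayed session token never goes through the MFA prompt, the defender-side signal is a session that passed MFA from one client and is later presented from a different one. The detection below is an added example written for this chapter, not code from Black Kite or the report; the log field names (`session`, `ip`, `ua`, `event`) and the sample events are assumed and constructed.

```python
"""Flag browser session tokens that look replayed from a stealer log.

Added example (not from the report). Info-stealer malware copies
session cookies out of the browser; when an attacker replays the cookie
there is no new MFA event, so a session bound to one client fingerprint
(IP + User-Agent) that is later used from another fingerprint is suspect.
"""
from collections import defaultdict

# Constructed sample of web-portal access events (not real data).
EVENTS = [
    {"ts": 100, "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Chrome/120 Windows", "event": "mfa_ok"},
    {"ts": 160, "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": "Chrome/120 Windows", "event": "page"},
    # Same cookie, new IP and browser, no MFA event: replayed token.
    {"ts": 7200, "session": "s1", "user": "alice", "ip": "198.51.100.7",
     "ua": "Firefox/118 Linux", "event": "page"},
    {"ts": 200, "session": "s2", "user": "bob", "ip": "192.0.2.5",
     "ua": "Safari/17 macOS", "event": "mfa_ok"},
    {"ts": 260, "session": "s2", "user": "bob", "ip": "192.0.2.5",
     "ua": "Safari/17 macOS", "event": "page"},
]


def find_replayed_sessions(events):
    """Return {session_id: [(reason, ts, fingerprint), ...]} for sessions
    used from a client other than the one that completed MFA, or used
    without any MFA event having been seen for them at all."""
    bound = {}                      # session -> fingerprint that passed MFA
    suspicious = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        sid = ev["session"]
        if ev["event"] == "mfa_ok":
            bound[sid] = fp         # (re)bind the session to this client
            continue
        if sid not in bound:
            suspicious[sid].append(("no_mfa_seen", ev["ts"], fp))
        elif bound[sid] != fp:
            suspicious[sid].append(("fingerprint_mismatch", ev["ts"], fp))
    return dict(suspicious)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(EVENTS).items():
        print(sid, hits)
```

In production the fingerprint would also include ASN or device attributes, and a hit should trigger session revocation plus a forced re-authentication rather than only an alert.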
The victim data clearly shows Retail's severe exposure to this risk:
Ransomware Victims With Stealer Logs: Wholesale vs. Retail
Retail victims were almost twice as likely to have data compromised via stealer logs compared to Wholesale victims: 138 of 236 (58.5%) vs. 120 of 400 (30.0%).
This establishes credential theft as a preferred, highly successful entry vector for attacks against the Retail sector specifically. This vulnerability is the direct entry point exploited by identity-based extortion groups.
Security Posture of Victims (RSI)
The Ransomware Susceptibility Index® (RSI™) reflects the likelihood of an organization experiencing a ransomware attack. A higher RSI indicates greater susceptibility.
Ransomware Susceptibility Index® (RSI™) Explained
Average RSI: Wholesale vs Retail
The average RSI score for Retail victims was 0.55, compared to 0.51 for Wholesale victims.
This confirms that the Retail victims had a measurably weaker security posture at the time of the attack. When combined with the high Stealer Log findings, it shows that the major Retailers being targeted were not only valuable but also inherently vulnerable.
Putting it all together:
While Retail had fewer victims, their average security posture was notably weaker. Retail victims showed a higher average RSI (0.55 vs. 0.51) and were almost twice as likely to have data compromised via stealer logs (58.5% vs. 30%).
Top Threat Actors: Ransomware Groups Targeting Wholesale & Retail
There is significant overlap in the groups actively targeting these two sectors, confirming that threat actors see the Retail and Wholesale industries not as two separate markets, but as one large, interconnected system of targets.
For Attackers
This means they don't have to specialize in "Retail risk" or "wholesale risk." They develop universal attack tools and malware (like Stealer Logs or MFT exploits) that work across both. Their goal is simply to find the easiest entry point into the system, regardless of which sector that entry point belongs to.
For Defenders
It means defense strategies must be unified. A security failure in a wholesaler (e.g., poor credential security) creates an easy entry point that can be immediately leveraged by the same threat group to pivot to a major Retailer (who uses that wholesaler).
Top Threat Actors: Wholesale vs Retail
There is a significant overlap in threat actors (noted in green text above), with major groups like Cl0p, Qilin, Akira, RansomHub, Lynx, and Play highly active in both sectors.
This suggests they treat the Retail/Wholesale landscape as one interconnected ecosystem. But to truly understand the threat, we must map the actor to the vulnerability. For example:
Cl0p + Managed File Transfer (MFT)
- The Cl0p ransomware group specializes in exploiting Managed File Transfer (MFT) vulnerabilities to execute supply chain attacks.
- Given the industry's heavy reliance on third-party data exchange, any vendor running unpatched file-transfer software is essentially rolling out the red carpet for Cl0p to infiltrate the entire network.
Scattered Lapsus$ Hunters + Credential Theft and Data Extortion
- The presence of “Scattered Lapsus$ Hunters” is particularly significant. This group does not operate like traditional ransomware actors, as their focus is credential theft and data extortion, not encryption.
- It is also not accidental that they target the Retail sector. Their playbook (social engineering, phishing, and using stolen credentials for initial access) works exceptionally well in Retail environments, where large workforces and high credential exposure create an ideal attack surface.
- As detailed later in this report, 70.36% of Retail companies with over $1B in revenue have stealer-log findings. These exposed credentials provide exactly the entry point groups like Scattered Lapsus$ Hunters depend on to impersonate employees, bypass MFA, and move inside the network.
- Their presence highlights a key reality: Retail is not just a target but a preferred sector for identity-based extortion groups that thrive on credential weaknesses and rapid data theft.
Chapter 1 Takeaways
This first-party victim data establishes the baseline of vulnerability and identifies the attacker's preferred toolset. If the Retail and Wholesale companies cannot defend against these vectors internally, they cannot trust their vendors to do so either, and the attackers are using the same tactics everywhere.
These past attacks provide a direct lesson for present-day defense that must be applied to third-party cyber risk management (TPCRM):
1. Stop the Shared Credential Failure:
The primary fight is no longer against the perimeter, but against the theft of corporate credentials. The high rate of Stealer Log exposure must be treated as a baseline identity weakness that is equally likely to be present in any third-party vendor.
2. Understand Target Value:
Retail leaders must recognize they are being targeted for high-value data extortion, which raises the overall risk tolerance threshold for any vendor that touches their sensitive data or systems.
3. Prioritize Supply Chain Vectors:
The presence of major supply chain attackers like Cl0p means that vulnerability management must extend immediately to all third-party vendors. The attack vectors identified here are the same ones used to compromise your suppliers.