Retailer Marks & Spencer (M&S) has been experiencing major disruptions due to a cyber attack that has affected several parts of its operations over the past week. The company suspended online orders as it worked to recover from the incident, which disrupted contactless payments and Click & Collect services and caused delivery delays. Some stores have also been left with empty food shelves, and around 200 warehouse workers were asked to stay home while the company investigates and restores services. M&S has reportedly brought in cybersecurity firms including CrowdStrike, Microsoft, and Fenix24 to help manage the incident.
According to a report by Bleeping Computer, the cyberattack has been linked to a group of threat actors known as "Scattered Spider", also referred to by other names such as Octo Tempest. The group is known for using social engineering techniques like phishing, MFA fatigue attacks, and SIM swapping to gain access to large organisations. In this case, attackers are believed to have gained access to M&S systems in February, stealing a sensitive Windows file (NTDS.dit) containing password hashes. This enabled them to move through the company’s network and eventually deploy ransomware.
Scattered Spider previously breached MGM Resorts in 2023, using a social engineering attack in which the attackers impersonated an employee when calling the company's IT help desk. In that attack, the threat actors deployed the BlackCat ransomware to encrypt more than 100 VMware ESXi hypervisors. The specific ransomware used in the attack on M&S is believed to be DragonForce, which encrypted virtual machines on M&S’s VMware servers. DragonForce itself is a newer ransomware operation that began in December 2023 and has recently started offering its tools to other cybercriminal groups as a white-labelled service.
It has been a while since we saw a ransomware attack on this scale, and one focused on locking down systems rather than the data theft (and ransom to get it back) that has become more common. The latest Cyber Security Breaches Survey reported that ransomware incidents doubled over the past year (see: 2025 Cyber Security Breaches Survey: Rising ransomware and declining board responsibility), and ransomware continues to be one of the main cyber threats to organisations, often facilitated through stolen identity credentials.
Posted by: Simon Baxter at 08:37