
What Can We Learn from the Recent Cyber Attacks on British Retailers

Updated: May 28

Since the Easter weekend the threat intel wires have been filled with reports of a large-scale cyber attack on the British retailers Marks & Spencer, Co-op and Harrods that has caused unprecedented disruption to their operations. M&S suffered the most severe impact: online sales were suspended for over two weeks, with estimated losses of £3.8 million per day and a drop in market value exceeding £750 million. The DragonForce ransomware group, working with hackers linked to Scattered Spider, claimed responsibility for all three attacks, which relied on social engineering rather than technical vulnerabilities, highlighting the human element in cybersecurity failures.


2. Scope and Fall-out


The incident became visible during the Easter weekend of 2025, when M&S first detected unusual activity on its systems. Investigation later revealed that the attackers had been inside M&S's network since at least February 2025 and had extracted the ntds.dit database from the company's Active Directory domain controllers. That file holds the password hashes of every domain account; the attackers cracked the hashes offline to recover passwords and gain broader access to the Windows domain.[1]

The DragonForce encryptor was deployed on April 24, 2025 against M&S's VMware ESXi hosts, encrypting the virtual machines that supported e-commerce and payment processing [5]. Shortly afterwards similar attacks hit Co-op and Harrods, suggesting a coordinated campaign against British retailers.


The impact on M&S has been severe and prolonged. The company was forced to:

  • Suspend all online orders for more than two weeks

  • Temporarily disable contactless payments and gift card redemptions

  • Pause their Sparks loyalty program

  • Halt recruitment processes and pull all online job postings

  • Limit deliveries of packaged food items to Ocado


Analysts at Deutsche Bank estimate that the attack has already cost M&S £30 million in profit and continues to cost the retailer approximately £15 million per week [3].

Co-op confirmed that hackers accessed and extracted customer data, including names and contact details of Co-op members, though passwords and financial details were reportedly not compromised. The retailer also experienced disruptions to its contactless payment systems and product deliveries [7].

Harrods acted swiftly to contain its breach by restricting internet access at its sites, which limited the impact on operations; its flagship store and online sales continued with minimal disruption [4].


M&S customers experienced numerous inconveniences, including undelivered orders, delayed refunds, and inability to shop online. In stores, customers encountered gaps on shelves, especially for packaged goods and popular clothing lines, as automated stock systems were offline [3].

The CEO, Stuart Machin, urged customers to visit physical stores during the bank holiday weekend as the company worked "day and night" to resolve the issues [2].


3. Scattered Spider and DragonForce


The attacks have been attributed to DragonForce, a ransomware-as-a-service (RaaS) operation that emerged in August 2023. Originally a hacktivist group from Malaysia, DragonForce evolved into what security researchers describe as a "ransomware cartel" [8].

The attacks were reportedly carried out by members of Scattered Spider (tracked as Octo Tempest by Microsoft), a loosely organised network of young, English-speaking hackers who use DragonForce's infrastructure and pay the group a 20% cut of any ransom collected [5].

Scattered Spider has been linked to numerous high-profile attacks, including the September 2023 breach of MGM Resorts. Law enforcement has made progress against the group, with five arrests of alleged members in the US and UK over the past year [8].


The primary attack vector against M&S and Co-op was social engineering rather than technical exploitation. According to reports, the attackers:

  1. Social Engineering: Posed as legitimate employees calling the IT help desk, claiming they had lost access to their accounts. Using details likely scraped from earlier data leaks, LinkedIn profiles or phishing campaigns, they convinced support staff to reset credentials [10].

  2. Credential Theft: Once inside the network, they extracted the ntds.dit database from the Active Directory domain controllers and cracked the password hashes it holds [1].

  3. Lateral Movement: Used tools such as Mimikatz (credential dumping from LSASS), Advanced IP Scanner (host discovery) and PingCastle (Active Directory assessment) to map the domain, harvest further credentials, escalate privileges and keep their foothold [5].

  4. Privilege Escalation: The encryptor itself attempts to escalate to SYSTEM through access token manipulation (MITRE ATT&CK T1134), calling DuplicateTokenEx() to copy a privileged token and CreateProcessWithTokenW() to start a process under it [5].

  5. Ransomware Deployment: Finally, they ran the DragonForce encryptor against the VMware ESXi hosts, targeting the virtual machines that supported critical business functions [5].
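The credential-theft stage above leaves traces a defender can hunt for. The script below is an added example, not code from this article or from any of the cited reports: it runs three detections (ntds.dit export command lines, DCSync-style replication requests from non-DC accounts, and LSASS memory reads by unexpected processes) over a handful of constructed Windows Security and Sysmon-style events. The field names, hostnames and the LSASS reader allow-list are assumptions for illustration; a real allow-list is built from your own baseline.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Replication control-access rights requested in a DCSync-style read of
# Active Directory (Security event 4662, 'Properties' field).  Only domain
# controller computer accounts (names ending in '$') should exercise them.
DS_REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Command lines used to copy ntds.dit out of the always-locked NTDS volume
# (Sysmon event 1 / Security 4688).
NTDS_CMD_PATTERNS = [
    re.compile(r"\bntdsutil\b.*\bifm\b", re.I),              # IFM export of the directory
    re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I),  # shadow copy of the system volume
    re.compile(r"\besentutl\b.*ntds\.dit", re.I),            # esentutl /y /vss copy
    re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS", re.I),
    re.compile(r"\bdiskshadow\b", re.I),
]

# Process-access bit a credential dumper needs on lsass.exe (Sysmon event 10).
PROCESS_VM_READ = 0x0010
# Constructed allow-list (assumption): processes expected to read LSASS memory.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

GUID_RE = re.compile(
    r"\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}", re.I)


def flag_event(ev: dict) -> Optional[str]:
    """Return an alert name for a single event, or None if it looks benign."""
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "Sysmon" and eid == 1:
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in NTDS_CMD_PATTERNS):
            return "ntds.dit export attempt"
    elif src == "Security" and eid == 4662:
        props = {g.lower() for g in GUID_RE.findall(ev.get("properties", ""))}
        # Replication by anything other than a DC computer account is DCSync.
        if props & DS_REPL_GUIDS and not ev.get("subject", "").endswith("$"):
            return "DCSync replication request from a user account"
    elif src == "Sysmon" and eid == 10:
        target = ev.get("target_image", "").lower()
        access = int(ev.get("granted_access", "0x0"), 16)
        if (target.endswith("\\lsass.exe") and access & PROCESS_VM_READ
                and ev.get("source_image", "").lower() not in LSASS_READERS_ALLOWED):
            return "LSASS memory read (credential dumping)"
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Run flag_event over a stream and return (timestamp, host, alert) tuples."""
    out = []
    for ev in events:
        alert = flag_event(ev)
        if alert:
            out.append((ev["ts"], ev["host"], alert))
    return out


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T02:14:03Z", "host": "DC01", "source": "Sysmon", "event_id": 1,
     "command_line": r"cmd.exe /c dir C:\Windows\NTDS"},
    {"ts": "2025-02-10T02:15:41Z", "host": "DC01", "source": "Sysmon", "event_id": 1,
     "command_line": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q'},
    {"ts": "2025-02-10T03:00:12Z", "host": "DC02", "source": "Security", "event_id": 4662,
     "subject": r"CORP\DC01$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"ts": "2025-02-11T22:41:55Z", "host": "DC02", "source": "Security", "event_id": 4662,
     "subject": r"CORP\jsmith", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"ts": "2025-02-12T01:03:27Z", "host": "WS-0417", "source": "Sysmon", "event_id": 10,
     "source_image": r"C:\Users\jsmith\AppData\Local\Temp\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2025-02-12T01:03:28Z", "host": "WS-0417", "source": "Sysmon", "event_id": 10,
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
]

if __name__ == "__main__":
    for ts, host, alert in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host}: {alert}")
```

Running it flags the ntdsutil IFM export on DC01, the replication request from the jsmith user account, and the LSASS read by an executable in a temp directory, while the DC01$ computer account's replication and csrss.exe's access to LSASS pass as normal. Each of these signals fires weeks before any encryptor runs, which is the point of the dwell-time discussion below.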


The DragonForce encryptor uses AES-256 for file contents (newer variants use ChaCha8 for faster encryption) together with RSA, the standard ransomware pattern in which the asymmetric key protects the file-encryption keys so that only the operators can decrypt. It accepts several command-line options, including "-paths" for file-system search mode, "-vmsvc" for ESXi discovery and timing parameters for scheduled execution [5].

In early 2025, DragonForce introduced a "white-label" service that lets affiliates disguise their attacks under other ransomware brands, further complicating attribution and response [5].


4. Take-outs


Human Element Remains the Weakest Link

Despite sophisticated security systems, attackers gained access through social engineering by impersonating employees and convincing IT help desk staff to reset credentials. This highlights how human judgment can bypass technical controls, emphasizing the need for robust verification protocols and security awareness training [10].


Dwell Time Creates Significant Risk

Attackers breached M&S in February but only deployed ransomware in late April, giving them months to explore the network, extract credentials, and plan their attack. This extended dwell time allowed for thorough reconnaissance and maximized damage when the ransomware was finally deployed [1].


Business Continuity Plans Are Essential

The prolonged disruption to M&S's online operations and in-store systems demonstrates the critical importance of comprehensive business continuity planning. Organizations must prepare for scenarios where core systems are unavailable for extended periods and have manual fallback procedures ready [3].


Financial Impact Extends Beyond Ransom

The financial consequences far exceeded any potential ransom demand, with M&S losing an estimated £3.8 million daily in online sales alone, plus a market value drop exceeding £750 million. This demonstrates how the true cost of ransomware includes business disruption, reputational damage, and market confidence [3].


Supply Chain Vulnerabilities Amplify Impact

The attack's effects cascaded through M&S's supply chain, affecting Ocado deliveries and creating food waste when automated systems for price reductions and charity donations were disrupted. This illustrates how modern interconnected business ecosystems can multiply the impact of a single breach [3].


5. What we can learn


Enhance Detection Capabilities for Advanced Persistent Threats

Organizations must improve their ability to detect attackers who lurk in networks for months before striking. Threat hunting, behavioural analytics and anomaly detection can surface activity such as the ntds.dit extraction that preceded the M&S encryption by two months, long before it escalates into a full-scale attack [1] [4].


Strengthen Identity Verification Protocols

The social engineering used in these attacks shows the need for robust identity verification, especially at the IT help desk. Multi-factor authentication, callback procedures and biometric verification should be standard for credential resets and access to sensitive systems [6] [10]. The callback must go to a number already held on record, never to one the caller supplies, and a password reset should not be bundled with an MFA re-enrolment in the same ticket without a second, independent check.
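The pattern that follows a successful impersonation call is predictable: a reset performed by a support account, then within minutes the caller registers their own MFA method and signs in from a device the account has never used. The script below, an added example rather than code from this article or any cited source, correlates those three signals over constructed identity events and treats a callback to a caller-supplied number as no verification at all. Event field names and the verification labels are assumptions, not a particular product's schema.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

WINDOW = timedelta(hours=1)  # how long after a reset the account is watched

# Verification methods a help desk might record on the reset ticket (assumed
# labels).  Calling back a number the caller gave is not verification; only a
# number or a manager already on record counts.
STRONG_VERIFICATION = {"callback_number_of_record", "manager_confirmed", "in_person"}


def reset_followed_by_takeover(events: Iterable[dict],
                               known_devices: Dict[str, Set[str]]) -> List[dict]:
    """Correlate help-desk password resets with the steps that typically follow
    a successful impersonation call.  Returns one alert dict per suspicious reset."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    alerts = []
    for r in events:
        # Only resets performed by someone other than the account owner matter.
        if r["type"] != "password_reset" or r["actor"] == r["user"]:
            continue
        t0 = datetime.fromisoformat(r["ts"])
        follow = [e for e in events
                  if e["user"] == r["user"]
                  and t0 < datetime.fromisoformat(e["ts"]) <= t0 + WINDOW]
        reasons, score = [], 0
        if any(e["type"] == "mfa_method_added" for e in follow):
            score += 2
            reasons.append("new MFA method registered within %s of reset" % WINDOW)
        new_dev = sorted({e["device_id"] for e in follow
                          if e["type"] == "signin"
                          and e["device_id"] not in known_devices.get(r["user"], set())})
        if new_dev:
            score += 2
            reasons.append("sign-in from never-seen device(s) %s" % ", ".join(new_dev))
        if r.get("verification") not in STRONG_VERIFICATION:
            score += 1
            reasons.append("reset ticket lacks out-of-band verification (%s)"
                           % r.get("verification", "none"))
        if score >= 2:
            alerts.append({"user": r["user"], "actor": r["actor"], "reset_ts": r["ts"],
                           "severity": "high" if score >= 4 else "medium",
                           "reasons": reasons})
    return alerts


# Constructed sample data (assumption): devices each user has signed in from before.
KNOWN_DEVICES = {"a.jones": {"lt-0231"}, "b.lee": {"lt-0840", "ph-0412"}}

# Constructed identity events, not real logs from the incident.
SAMPLE_EVENTS = [
    {"ts": "2025-04-18T10:00:00", "type": "password_reset", "user": "a.jones",
     "actor": "helpdesk.ops", "verification": "caller_supplied_number"},
    {"ts": "2025-04-18T10:07:00", "type": "mfa_method_added", "user": "a.jones",
     "actor": "a.jones", "method": "authenticator_app"},
    {"ts": "2025-04-18T10:12:00", "type": "signin", "user": "a.jones",
     "actor": "a.jones", "device_id": "dev-9f3c"},
    {"ts": "2025-04-18T11:00:00", "type": "password_reset", "user": "b.lee",
     "actor": "helpdesk.ops", "verification": "callback_number_of_record"},
    {"ts": "2025-04-18T11:05:00", "type": "signin", "user": "b.lee",
     "actor": "b.lee", "device_id": "lt-0840"},
    {"ts": "2025-04-18T14:30:00", "type": "signin", "user": "a.jones",
     "actor": "a.jones", "device_id": "dev-77aa"},  # outside the window, ignored
]

if __name__ == "__main__":
    for a in reset_followed_by_takeover(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(a["severity"].upper(), a["user"], "reset by", a["actor"], "at", a["reset_ts"])
        for reason in a["reasons"]:
            print("  -", reason)
```

The a.jones reset scores on all three counts and comes out as high severity; the b.lee reset was verified against a number of record and was followed only by a sign-in from a known laptop, so it produces nothing. The scoring thresholds are deliberately simple; the useful part is the one-hour window keyed on the reset, which is where an impersonation call shows its hand.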


Develop Comprehensive Incident Response Plans

The varied responses from the three retailers demonstrate the importance of well-rehearsed incident response plans. Harrods' swift action to restrict internet access limited the impact, while M&S's prolonged disruption highlights the consequences of inadequate preparation. Organizations should regularly test and update their incident response capabilities [4].


Prioritize Transparent Communication

M&S's communication with customers and stakeholders during the incident received mixed reviews. Clear, timely, and honest communication is essential during cyber incidents to maintain trust and manage expectations. Organizations should develop crisis communication plans specifically for cyber events [2].


Invest in Resilient Infrastructure

The attack demonstrates the need for resilient IT infrastructure that can withstand and recover from cyber attacks. This includes segmented networks, offline or immutable backups that are regularly test-restored, and redundant systems that can maintain critical business functions even when primary systems are compromised [3].


Adopt Zero Trust Architecture

The lateral movement exhibited by attackers once inside the network highlights the limitations of perimeter-based security. Organizations should adopt Zero Trust principles, where no user or system is inherently trusted, and verification is required for all access requests, regardless of their source or location [5].


Move from Security Silos to Comprehensive Cyber Resilience

The M&S incident demonstrates that cybersecurity can no longer be treated as a standalone IT function. Organizations must develop comprehensive cyber resilience strategies that integrate security across all business operations, combining technical controls with human awareness, business continuity planning, and crisis management capabilities. This holistic approach is essential for surviving and recovering from the increasingly sophisticated and disruptive cyber attacks that target modern businesses [6] [8].
