M\&S Hit by Sophisticated Cyberattack: DragonForce Ransomware Behind Breach

Listen to this Post

Featured Image

A Wake-Up Call for the UK Retail Sector

In a chilling revelation before the UK

The breach first occurred on April 17 and exploited social engineering tactics, commonly referred to as impersonation, to trick a third-party provider into resetting an employee’s password. Although the attackers disguised themselves as legitimate staff, the involvement of IT services firm Tata Consultancy Services (TCS)—a major outsourcing partner—suggests critical lapses in identity verification protocols.

While initial speculation confused the DragonForce ransomware group with the Malaysian hacktivist collective “DragonForce Malaysia,” investigations now link the M\&S breach to Scattered Spider, a well-known cybercriminal syndicate. These attackers deployed DragonForce ransomware, encrypted VMware ESXi servers, and allegedly exfiltrated around 150GB of sensitive data. The operation used a double extortion technique, threatening to release stolen data unless a ransom was paid.

Though M\&S has not confirmed whether a ransom was paid, their refusal to deal directly with the hackers and reliance on negotiation professionals suggests a ransom payment may have been made quietly. To date, the DragonForce leak site has not listed M\&S, which typically implies that a ransom was settled or that negotiations are ongoing. This breach underscores the evolving nature of cyber threats in 2025, where social engineering and third-party exploitation continue to be potent tools for attackers.

What Undercode Say:

Cybersecurity Cracks Widen as Social Engineering and Third-Party Risks Surge

Social Engineering Takes Center Stage

This attack on M\&S is a textbook case of how social engineering remains one of the most effective tactics for breaching enterprise security. Posing as a legitimate employee, the attackers tricked TCS into resetting a password, offering a low-effort yet high-impact gateway into M\&S systems. As companies increasingly outsource help desk support, trust in third parties can become a cybersecurity liability if identity verification protocols are not stringent enough.

Ransomware Evolution: Double-Extortion as the New Norm

The use of DragonForce ransomware is notable for its double-extortion strategy—encrypting data and then using the threat of a public leak as leverage. This model significantly raises the stakes for victims, as the cost isn’t just downtime, but potential brand damage, legal consequences, and customer distrust. For a major retailer like M\&S, a 150GB leak could include sensitive internal data, employee records, or even customer information.

Blurred Lines Between Hacktivists and Cybercriminals

The confusion between DragonForce ransomware operators and the pro-Palestinian group “DragonForce Malaysia” highlights a broader challenge: the increasing convergence and confusion between politically motivated hacktivism and profit-driven cybercrime. Attribution in cybersecurity is notoriously complex, and inaccurate labeling can mislead investigations or public perception.

Third-Party Risk Management Is Weakest Link

TCS’s role in the breach throws light on a growing problem in cybersecurity—the vulnerabilities introduced by third-party vendors. As businesses rely more heavily on outsourcing to manage operations, they must extend their security policies and monitoring tools to cover these external players. Zero Trust models, vendor risk assessments, and strict access protocols should no longer be optional.

M&S’s Discreet Handling Hints at Ransom Payment

M\&S refused to confirm if a ransom was paid but also did not deny it, citing public interest concerns. Given the absence of their data on leak sites, the silence strongly suggests either a ransom was paid or negotiations are still ongoing. By employing professionals to interact with attackers, M\&S avoided direct engagement, but it also means corporate policy has shifted towards pragmatism over public transparency.

The Price of Silence: Ethical and Legal Grey Zones

By choosing not to publicly confirm a ransom payment, M\&S sits in a legal and ethical gray area. On one hand, this can prevent encouraging future attacks. On the other, lack of transparency prevents other companies from learning and adapting from this incident, weakening collective defense efforts across industries.

ESXi Servers: Prime Ransomware Targets

The attackers’ focus on VMware ESXi servers is part of a growing trend in ransomware operations. These servers are centralized environments that host multiple virtual machines, making them high-value targets for maximum disruption. Organizations must ensure they are patched, segregated from less secure environments, and backed up independently.

Negotiation Firms: Silent Heroes or Shadowy Fixers?

The involvement of ransomware negotiation experts raises important questions. While they bring expertise in de-escalating threats and facilitating payments, their role also reflects how ransomware economics have birthed a parallel service industry. It’s a controversial but increasingly normalized part of incident response.

The UK Retail Sector at a Crossroads

This attack may serve as a turning point for the UK’s retail industry. With Parliament now involved, regulations surrounding third-party IT contracts, incident disclosure, and ransomware response policies could be on the horizon. Cybersecurity is no longer just an IT concern—it’s a boardroom and policy-level issue.

🔍 Fact Checker Results:

✅ M\&S confirmed the breach occurred via impersonation and social engineering
✅ TCS was identified as the third-party possibly manipulated in the attack
❌ DragonForce Malaysia is not the group behind the ransomware; it was Scattered Spider using DragonForce ransomware

📊 Prediction:

As ransomware gangs become more professionalized and social engineering grows more refined, retailers will face an increased risk of hybrid attacks combining third-party infiltration and extortion. The next wave of breaches is likely to target help desk vendors and cloud service providers, forcing companies to invest in Zero Trust architectures, multi-factor authentication, and supply chain audits. Expect regulators to introduce new compliance requirements for vendor management by 2026.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin