Massive Cyberattack Hits Marks & Spencer: Inside the Scattered Spider Ransomware Assault

Listen to this Post

Featured Image

Marks & Spencer, one of

This incident serves as a grim reminder that even the most established brands are not immune to the evolving tactics of cybercriminals. As the attack continues to cause operational headaches — from payment system failures to warehousing standstills — the full extent of the damage is still being assessed. With assistance from cybersecurity heavyweights CrowdStrike, Microsoft, and Fenix24, M&S is now locked in a race against time to mitigate the impacts, restore its systems, and safeguard its customer and employee data.

Marks & Spencer Cyberattack Overview

The recent disruption at Marks & Spencer stems from a ransomware attack initiated by the cybercriminal group “Scattered Spider.” The British retail giant confirmed facing a cyberattack that crippled its contactless payment systems and online ordering services. As of now, the disruption persists, impacting warehouse operations and forcing approximately 200 workers to stay home.

Investigations reveal that the attack dates back to February when hackers stole the NTDS.dit file — the critical database housing password hashes for Windows accounts within M&S’s network. By cracking these hashes, the attackers gained deeper access to internal systems, enabling them to spread laterally across the company’s network.

On April 24th, the attackers deployed a DragonForce ransomware decryptor targeting VMware ESXi hosts, effectively encrypting virtual machines critical to M&S’s operations. Experts from CrowdStrike, Microsoft, and Fenix24 were called in to assist with incident response.

Although Marks & Spencer has withheld specific details about the incident, cybersecurity insiders attribute the attack to Scattered Spider — a group also known as Octo Tempest, among several other aliases. This group is infamous for its advanced social engineering tactics, phishing attacks, and even SIM swapping to breach corporate networks.

Scattered Spider has a track record of high-profile breaches, notably the 2023 attack on MGM Resorts where they successfully deployed BlackCat ransomware. Their evolving partnership with ransomware-as-a-service groups like RansomHub, Qilin, and now DragonForce, demonstrates their growing influence within the cybercrime ecosystem.

Despite intensified efforts by law enforcement agencies, which have led to multiple arrests in the United States, United Kingdom, and Spain, Scattered Spider’s decentralized and fluid structure makes it incredibly difficult to dismantle.

What Undercode Say:

This latest incident involving Marks & Spencer underscores the persistent and escalating threat posed by sophisticated cybercriminal networks. The attack is a textbook example of how a breach, starting with the theft of sensitive credential databases like NTDS.dit, can quickly escalate into a full-scale ransomware disaster.

Scattered Spider’s tactics reflect a shift from traditional brute-force cyberattacks to more psychological, social engineering methods, exploiting human error over technical vulnerabilities. By using phishing, MFA fatigue attacks, and SIM swapping, they can bypass even the most fortified security perimeters.

What makes Scattered Spider particularly dangerous is their adaptability and youth. With many members as young as 16, their comfort with modern communication platforms such as Discord and Telegram allows for rapid coordination and real-time attack adjustments.

Marks & Spencer’s call for external cybersecurity experts like CrowdStrike and Microsoft demonstrates the scale and complexity of the breach. Such collaborations are becoming the norm as companies realize that internal IT departments often lack the capability to manage sophisticated, multilayered ransomware incidents.

Interestingly, the DragonForce ransomware variant used here shows the evolution of ransomware groups into business-like entities offering “white-label” ransomware solutions. This commoditization of cyberattacks further democratizes access to devastating cyber tools, lowering the barrier to entry for would-be attackers.

The attack also exposes vulnerabilities within hybrid IT infrastructures, particularly the reliance on VMware ESXi servers, a favorite target for modern ransomware campaigns. Companies must prioritize securing virtualization platforms, not just traditional endpoints.

From an economic standpoint, the cost to M&S extends beyond immediate recovery efforts. Long-term reputational damage, customer distrust, and potential regulatory fines loom large. Furthermore, the attack highlights the importance of proactive cybersecurity measures — regular penetration testing, employee training on phishing attacks, and robust backup strategies are no longer optional.

For law enforcement and cybersecurity firms, the battle is twofold: dismantling fluid criminal networks like Scattered Spider while also closing off the digital marketplaces that enable them to thrive.

This event should serve as a wake-up call across industries — no organization, regardless of size or prestige, is safe. Cyber resilience must be woven into the fabric of corporate strategy, not treated as an afterthought.

Fact Checker Results:

  • Marks & Spencer suffered an ongoing ransomware attack beginning in February 2025.
  • The attackers, known as Scattered Spider, used advanced social engineering tactics and deployed DragonForce ransomware.
  • Expert cybersecurity firms have been enlisted to investigate and mitigate the breach, highlighting the severe impact on M&S’s operations.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram