A recent wave of ransomware attacks has disrupted major retailers across the UK. According to a new report from CTM360, the attackers didn’t need to break down the door; they were invited in through misplaced trust and weak identity safeguards.

This wasn’t about advanced malware or zero-day vulnerabilities. The attackers used common tactics: impersonating IT staff, tricking employees into handing over credentials, and intercepting multi-factor authentication codes. From there, they moved across networks.

What went wrong?

The report outlines a familiar yet dangerous pattern: attackers gained access through social engineering, stayed hidden while gathering intel, and finally deployed ransomware to cripple operations.

In one case, the attackers added their own identity provider to a retailer’s single sign-on system, giving them long-term access even after passwords were changed. They monitored internal communication channels, learned how the company handled security alerts, and used that knowledge to delay detection.
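One defensive check this paragraph points to, as an added example that is not from the CTM360 report or any vendor: audit an SSO tenant's federated identity providers against an approved baseline and flag any IdP addition or change in the audit trail, rating an unapproved IdP that asserts the company's own domain as critical. The config layout, event names, domains, account names and the baseline below are constructed assumptions, not a real product's export format.

```python
"""Audit an SSO tenant's federated identity providers against an approved
baseline. Added illustration only; the config/event layout and all names
are constructed assumptions, not any vendor's format or CTM360's tooling."""
import json

# Assumed baseline of sanctioned identity providers and the domains they own (constructed).
APPROVED_IDPS = {"corp-entra-id": {"example.com"}}

# Constructed sample: exported IdP configuration and an audit-trail excerpt.
IDP_CONFIG = json.loads("""[
 {"name": "corp-entra-id",   "domains": ["example.com"], "enabled": true},
 {"name": "it-helpdesk-sso", "domains": ["example.com"], "enabled": true}
]""")
AUDIT_EVENTS = json.loads("""[
 {"ts": "2025-04-20T02:13:09Z", "action": "idp.create", "target": "it-helpdesk-sso", "actor": "j.smith@example.com"},
 {"ts": "2025-04-20T02:14:41Z", "action": "idp.enable", "target": "it-helpdesk-sso", "actor": "j.smith@example.com"},
 {"ts": "2025-04-21T09:00:00Z", "action": "user.login", "target": "a.jones@example.com",  "actor": "a.jones@example.com"}
]""")

# Audit actions that add or alter a federation trust (constructed names).
IDP_ACTIONS = {"idp.create", "idp.update", "idp.enable", "idp.certificate.rotate"}


def audit_idp_config(config, approved=APPROVED_IDPS):
    """Return a finding for every IdP outside the baseline. An enabled,
    unapproved IdP that asserts a domain an approved IdP already owns can
    issue logins for any user in that domain, so it is rated critical."""
    owned = {d for doms in approved.values() for d in doms}
    findings = []
    for idp in config:
        if idp["name"] in approved:
            continue
        overlap = sorted(set(idp.get("domains", [])) & owned)
        severity = "critical" if overlap and idp.get("enabled") else "high"
        findings.append({"idp": idp["name"], "severity": severity, "domains": overlap})
    return findings


def audit_idp_events(events, approved=APPROVED_IDPS):
    """Return audit events that create or change an IdP outside the baseline."""
    return [e for e in events if e["action"] in IDP_ACTIONS and e["target"] not in approved]


if __name__ == "__main__":
    for f in audit_idp_config(IDP_CONFIG):
        print("CONFIG", f)
    for e in audit_idp_events(AUDIT_EVENTS):
        print("EVENT ", e["ts"], e["action"], e["target"], "by", e["actor"])
```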

When the time came, they hit hard. Ransomware locked systems. Online sales stopped. Contactless payments failed. And behind the scenes, sensitive data had already been stolen for added leverage.

The bigger picture

Ransomware groups don’t need zero-days. They rely on people, misconfigurations, and common tools. The entry point might not be malware; it might be a phone call or a spoofed login screen.

For CISOs, the real lesson here isn’t just about controls. It’s about assumptions. These attacks succeeded not because defences failed, but because basic trust was abused: trust in employees to recognise phishing attempts, trust in identity systems to block unauthorised access, and trust in remote access tools that attackers easily repurposed.

This campaign echoes a broader trend. Threat actors are targeting identity, not infrastructure. They exploit how users authenticate, how systems connect, and how access is granted across cloud and on-prem environments.

What CISOs should focus on

The report recommends:

Seeing the organization from an attacker’s perspective

Reducing digital exposure across identity and supply chain systems

Reviewing remote access practices

Applying focused hardening policies that are easy to enforce

Auditing how internal trust boundaries are managed
