Marks & Spencer cyber incident linked to ransomware group

The “cyber incident” that British multinational retailer Marks & Spencer has been struggling with for over a week is a ransomware attack, multiple sources have asserted.


The Telegraph’s sources say ransomware was deployed by an unnamed criminal gang. Bleeping Computer’s sources say the attackers were members of the Scattered Spider hacking group, and that M&S’s virtual machines on VMware ESXi hosts have been encrypted with the DragonForce encryptor.

The effects of the attack

The company publicly confirmed the ongoing attack on April 22, 2025, by formally notifying the London Stock Exchange and its customers.

M&S said that they have engaged external cyber security experts to assist with investigating and managing the incident, reported the incident to data protection supervisory authorities and the National Cyber Security Centre, and have made “minor, temporary changes” to their store operations to protect customers.

The effects of the attack have been felt by customers: online orders have been (and are still) suspended, contactless payments and the redemption of gift cards were temporarily impossible, some orders went undelivered, refunds were delayed, and the customer reward scheme was paused.

Since then, the company has been responding via social media to disgruntled customers and offering solutions to problems that arose, but has kept mum on the nature and the extent of the attack.

Ransomware deployment

Many have speculated that the attack was probably the work of a ransomware / cyber extortion outfit.

Security researcher Kevin Beaumont noticed the company has been pulling its internet-exposed VPN endpoints and other external services offline since April 20 (i.e., Easter Sunday in most of Europe).

“They had inbound network activity from IPs associated with crimeware groups, but difficult to know which one due to shared infrastructure,” he commented a few days ago.

According to Bleeping Computer’s sources, the attackers first breached M&S in February and got ahold of the ntds.dit database file from the company’s Active Directory domain controller(s).

Then they likely extracted the encrypted passwords for employee accounts, cracked the encryption, and used the account credentials to make their way through the company’s Windows domain. The DragonForce encryptor was deployed on April 24, 2025.
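As an added illustration (not from the article, Bleeping Computer, or any M&S material) of how a defender can spot the ntds.dit extraction step described above in process-creation telemetry: the sample events, their field names and the indicator set below are constructed for this example, and the indicators follow the public detection guidance for MITRE ATT&CK T1003.003 (NTDS).

```python
"""Flag Windows process-creation events that suggest ntds.dit extraction.

Illustrative detection logic only: the sample records are constructed to look
like Security Event ID 4688 exported as JSON lines (assumed field names).
"""
import json
import re

# (indicator name, regex applied to the lower-cased command line)
NTDS_INDICATORS = [
    ("ntds.dit referenced on command line", re.compile(r"ntds\.dit")),
    ("ntdsutil IFM snapshot", re.compile(r"ntdsutil.*\bifm\b")),
    ("volume shadow copy created", re.compile(r"vssadmin.*create\s+shadow")),
    ("SYSTEM hive exported", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system")),
]


def classify_event(event: dict) -> list[str]:
    """Return the names of indicators matching one event (empty if nothing matched)."""
    if str(event.get("EventID")) != "4688":
        return []  # only process-creation events carry a command line
    cmd = (event.get("CommandLine") or "").lower()
    return [name for name, rx in NTDS_INDICATORS if rx.search(cmd)]


def scan_log(lines) -> list[tuple]:
    """Return (timestamp, host, user, matched indicators) for every suspicious event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the scan
        matched = classify_event(ev)
        if matched:
            hits.append((ev["TimeCreated"], ev["Computer"], ev["SubjectUserName"], matched))
    return hits


# Constructed sample export: one benign event followed by three that warrant an alert.
SAMPLE_LOG = r"""
{"TimeCreated":"2025-02-10T03:12:44Z","EventID":"4688","Computer":"DC01","SubjectUserName":"svc_backup","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"TimeCreated":"2025-02-10T03:14:02Z","EventID":"4688","Computer":"DC01","SubjectUserName":"jdoe","CommandLine":"vssadmin.exe create shadow /for=C:"}
{"TimeCreated":"2025-02-10T03:14:30Z","EventID":"4688","Computer":"DC01","SubjectUserName":"jdoe","CommandLine":"cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit"}
{"TimeCreated":"2025-02-10T03:15:01Z","EventID":"4688","Computer":"DC01","SubjectUserName":"jdoe","CommandLine":"reg.exe save HKLM\\SYSTEM C:\\temp\\sys.hiv"}
"""

if __name__ == "__main__":
    for ts, host, user, why in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {host} {user}: {', '.join(why)}")
```

On a real domain controller the same events can be sourced from Sysmon Event ID 1 or an EDR process stream; the point is that the shadow copy, the file copy and the hive export arrive within seconds of each other from one non-service account.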

“The investigation so far indicates that the hacking collective known as Scattered Spider, or as Microsoft calls them, Octo Tempest, is behind the attack,” the publication noted.

Scattered Spider is a loosely organized cybercriminal group that specializes in phishing, social engineering, MFA prompt bombing and SIM swapping attacks and often allies with various ransomware groups.

The DragonForce ransomware-as-a-service (RaaS) outfit – or “cartel”, as they call themselves – has been around since August 2023, and provides tools and services to its affiliates for a percentage of the paid ransom.

A warning for customers

M&S customers are left waiting for the problems to clear up to continue doing their online shopping, but the company has yet to say when that might happen.

M&S did not say whether customers’ personal and payment information is believed to have been compromised, only that there is “no need for [customers] to take any action.”

It’s likely, though, that scammers will want to capitalize on this high-profile breach and the many unknowns and will be sending out phishing emails and messages impersonating the company.

Customers should be on the lookout for fake notifications saying their account or payment information has been compromised and that they have to verify the account or info by entering it into a lookalike phishing site, fake alerts saying there are problems with refunds, and so on.
