Marks & Spencer Targeted in Major Ransomware Attack by Scattered Spider

Last week, British retail giant Marks & Spencer (M&S) became the latest high-profile victim of a ransomware attack, with responsibility attributed to the cybercriminal group Scattered Spider. Although M&S first acknowledged a cyber incident in late April and the technical details only surfaced in early May, security analysts believe the attackers initially gained access to internal systems as far back as February 2025 (BleepingComputer).

Technical Details: Credential Dumping and Ransomware Deployment

According to reports, the attackers exfiltrated the NTDS.dit file from M&S’s network. NTDS.dit is the Active Directory database held on every domain controller: it contains the directory’s objects, including every user and computer account, together with the password hashes against which domain logons are verified. The hashes are stored encrypted with a per-database key, and that key is in turn protected by the boot key kept in the SYSTEM registry hive (HKLM\SYSTEM), so an attacker who obtains both files can decrypt the hashes offline. The “encryption” is no real protection once both are in hand: the recovered NT hashes can be cracked at leisure or replayed directly in pass-the-hash attacks, giving the attacker the access of any account in the domain, and the only reliable remediation is a domain-wide credential reset. MITRE ATT&CK tracks this technique as T1003.003 (OS Credential Dumping: NTDS).
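As an added example (not code from the article, from M&S, or from the responders named in it), the following Python script runs a small set of detection rules over process-creation telemetry to flag the common ways NTDS.dit is copied off a domain controller, and then correlates, per host, whether both the database and the SYSTEM hive were taken, which is the combination the paragraph above describes. The log format (`ts|host|user|image|command_line`, as a Windows 4688 or Sysmon event 1 might be flattened by a SIEM), the hostnames, users and rule names are all assumptions of this example, and the log lines are constructed, not records from the incident.

```python
"""Detection of NTDS.dit dumping (MITRE ATT&CK T1003.003) in process-creation telemetry.

Added example for this article; not tooling from M&S, Microsoft or CrowdStrike.
The log lines are constructed and the rule names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample: Windows 4688 / Sysmon 1 fields flattened to
# ts|host|user|image|command_line. Not real logs from the incident.
SAMPLE_LOG = """\
2025-02-14T02:11:03Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q
2025-02-14T02:11:09Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SYSTEM C:\\temp\\x\\system.hive
2025-02-14T02:15:41Z|DC02|CORP\\jsmith|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:
2025-02-14T02:16:02Z|DC02|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit
2025-02-14T02:20:00Z|DC02|CORP\\jsmith|C:\\Windows\\System32\\esentutl.exe|esentutl.exe /y C:\\Windows\\NTDS\\ntds.dit /d C:\\temp\\n2.dit /vss
2025-02-14T09:00:00Z|WS117|CORP\\amiller|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\amiller\\notes.txt
2025-02-14T09:05:12Z|DC01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

# Patterns are matched against the lowercased command line.
RULES = [
    # ntdsutil "Install From Media" exports NTDS.dit together with the registry hives.
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b")),
    # Shadow copy creation on a DC is the usual staging step for copying the locked file.
    ("vssadmin_create_shadow", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow\b")),
    ("diskshadow_script", re.compile(r"diskshadow(\.exe)?\s+/s\b")),
    # esentutl /y copies a locked ESE database; /vss reads it through a shadow copy.
    ("esentutl_copy_ntds", re.compile(r"esentutl.*\s/y\s.*ntds\.dit")),
    # Any read of ntds.dit through the shadow-copy device path.
    ("shadowcopy_ntds", re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit")),
    # The SYSTEM hive carries the boot key needed to decrypt the hashes offline.
    ("reg_save_system_hive", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b")),
]

NTDS_RULES = {"ntdsutil_ifm", "esentutl_copy_ntds", "shadowcopy_ntds"}
HIVE_RULES = {"ntdsutil_ifm", "reg_save_system_hive"}  # IFM bundles the SYSTEM hive
STAGING_RULES = {"vssadmin_create_shadow", "diskshadow_script"}


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)  # the command line itself may contain '|'
        if len(fields) != 5:
            continue  # malformed line; a real pipeline would count and alert on these
        events.append(ProcEvent(*fields))
    return events


def match_rules(ev: ProcEvent) -> list[str]:
    cmd = ev.cmdline.lower()
    return [name for name, pat in RULES if pat.search(cmd)]


def assess(events: list[ProcEvent]) -> dict[str, dict]:
    """Correlate hits per host: the dump is only usable offline with both NTDS.dit and SYSTEM."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            per_host.setdefault(ev.host, set()).update(hits)
    result = {}
    for host, rules in per_host.items():
        if rules & NTDS_RULES and rules & HIVE_RULES:
            sev = "critical"  # database and boot key both taken: plan a domain-wide reset
        elif rules & NTDS_RULES:
            sev = "high"      # database copied; assume the hive follows
        else:
            sev = "medium"    # staging only (shadow copy or hive dump, no database yet)
        result[host] = {"severity": sev, "rules": sorted(rules)}
    return result


if __name__ == "__main__":
    for host, info in assess(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {info['severity']} -> {', '.join(info['rules'])}")
```

On the constructed sample, DC01 is rated critical (an IFM export plus a `reg save` of the SYSTEM hive) and DC02 high (shadow copy plus two different copies of ntds.dit), while the workstation and the harmless `vssadmin list shadows` produce no hit. Command-line matching of this kind is cheap to evade by renaming tools or using the directory replication protocol instead (DCSync), so it belongs alongside, not in place of, replication-traffic and file-access monitoring on domain controllers.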

After establishing persistence and moving laterally through the infrastructure, the attackers deployed DragonForce ransomware. The payload targeted M&S’s VMware ESXi hosts rather than individual Windows machines: encrypting a hypervisor takes down every virtual machine it runs at once, which is why ESXi lockers give ransomware groups the largest outage for the fewest encryption operations. The attack disabled essential business functions and crippled IT systems used for logistics and point-of-sale management (BleepingComputer).

Scattered Spider, also tracked as UNC3944 and Muddled Libra, is known for social engineering rather than novel exploits: its operators impersonate IT staff in calls to employees, and use SIM swapping to defeat SMS- or voice-based multi-factor authentication, so that they enter enterprise networks with valid credentials rather than malware (FT).

Operational and Financial Impact

The ransomware deployment caused widespread outages:

  • Online platforms were taken offline, halting e-commerce orders and job applications.
  • In-store disruptions included failures in contactless payment systems, returns processing, and gift card transactions.
  • At the Castle Donington distribution center, around 200 workers were sent home due to system outages affecting warehouse logistics (BBC).

Estimates suggest that M&S is losing approximately £40 million per week due to the breach. Its share price also fell, wiping out £600 million in market value in a matter of days (FT).

Incident Response and Ongoing Investigation

M&S has engaged top-tier cybersecurity vendors, including Microsoft and CrowdStrike, to support incident response. The UK’s National Cyber Security Centre (NCSC) and law enforcement agencies are involved in the investigation. It remains unclear whether a ransom has been paid, though UK authorities generally advise against such actions to avoid incentivizing further attacks (BleepingComputer).

Lessons for the Retail Sector

This incident highlights the growing cybersecurity risk faced by retail and supply chain organizations, particularly those relying on legacy systems and centralized IT infrastructure. Other UK retailers, including Harrods and the Co-op, have also faced recent cyber threats, suggesting a sector-wide targeting trend (BBC).

As M&S works to recover its systems and reputation, the attack underscores the critical importance of defending high-value assets like Active Directory, monitoring for credential theft on domain controllers, and shortening the dwell time of undetected intrusions, which in this case appears to have run from February to late April.
