Marks & Spencer has confirmed that its April 2025 ransomware incident cost the retailer £131.3 million in direct response costs and contributed to a 23.8% drop in group adjusted profit before tax, which fell to £671.4 million for the year ended 28 March 2026. The attack, attributed to the Scattered Spider collective working with DragonForce ransomware operators, began with social engineering of a third-party IT service desk and culminated in the encryption of VMware ESXi infrastructure running M&S's e-commerce, payment and logistics systems.
What Happened
Attackers gained initial access on 17 April 2025 by impersonating an M&S employee and convincing a third-party IT service desk to reset the worker's password. Reporting by the Financial Times subsequently linked the compromised help desk function to Tata Consultancy Services, M&S's longstanding outsourced IT support provider.
Once inside the network, the intruders exfiltrated the Active Directory database, cracked employee password hashes offline, and on 24 April 2025 detonated the DragonForce encryptor against M&S's VMware ESXi hosts. The blast radius included virtual machines hosting e-commerce, payment processing and logistics applications.
The retailer suspended online clothing and home orders on 25 April 2025 and did not resume them for 46 days. Contactless payments, click-and-collect and gift card services went down across stores, with staff in some locations reverting to paper-based stock tracking. Online sales fell 18.4% over the full year, and adjusted operating profit in the Fashion, Home and Beauty division collapsed by 55.4%.
What Was Taken
M&S confirmed in May 2025 that attackers exfiltrated customer data including:
- Names and postal addresses
- Phone numbers
- Dates of birth
- Household information
- Order histories
The retailer stated that payment card details and account passwords were not compromised. Internally, the theft of the Active Directory database and the subsequent offline cracking of password hashes gave the attackers broad credential reuse opportunities across the M&S estate prior to encryption.
Why It Matters
The financial impact is one of the largest publicly disclosed retail ransomware tolls in UK history. The £131.3 million in direct response costs covered £109.3 million for immediate systems response and recovery, with the balance going to third-party legal and professional services. Insurance proceeds of £100.0 million offset most of the direct cost, but the wider trading disruption flowed straight through to the P&L: statutory profit before tax fell 28.8% to £364.6 million.
For defenders, the incident is a clean case study in how a single help desk social engineering call can cascade into multi-month revenue loss, regulatory exposure and reputational damage. It also reinforces that Scattered Spider's playbook remains highly effective against large enterprises with outsourced IT support, and that DragonForce affiliates continue to prioritise ESXi as a force-multiplying encryption target.
The Attack Technique
The chain reflects Scattered Spider's well-documented tradecraft:
- Vishing the service desk: Attackers impersonated an M&S employee and pressured an outsourced help desk operator into a password reset, bypassing MFA enrolment controls.
- Active Directory theft: With a foothold, the intruders extracted the NTDS.dit database, enabling offline cracking of password hashes at scale.
- Lateral movement via cracked credentials: Recovered plaintext passwords were reused to pivot across the network and reach the virtualisation layer.
- ESXi encryption: On 24 April 2025, the DragonForce encryptor was deployed against VMware ESXi hosts, simultaneously locking dozens of business-critical VMs.
The National Crime Agency arrested four individuals aged between 17 and 20 in July 2025 in connection with the attacks on M&S, Co-op and Harrods.
What Organizations Should Do
- Harden help desk identity verification. Require out-of-band verification (manager callback, video confirmation, or hardware token challenge) before any password or MFA reset, and audit third-party providers against the same standard as internal staff.
- Protect Active Directory aggressively. Monitor for NTDS.dit access, DCSync activity, and unusual replication. Enforce long, randomised passwords for privileged and service accounts to defeat offline cracking.
- Segment and harden ESXi. Isolate hypervisor management networks, enforce MFA on vCenter, disable SSH where not required, and apply VMware's ransomware-resistance guidance. Treat ESXi hosts as Tier 0 assets.
- Rehearse a 46-day outage. Build and test runbooks for prolonged loss of e-commerce, payments and logistics systems, including manual store operations and customer communications.
- Map third-party access risk. Inventory every outsourced provider with the ability to reset credentials, push software, or touch identity systems, and contractually require evidence of social engineering controls.
- Hunt for Scattered Spider TTPs. Look for help desk reset anomalies, new MFA device enrolments, suspicious AD enumeration, and ESXi-targeted reconnaissance from administrative jump hosts.
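The hunting items above (help desk reset anomalies followed by new MFA enrolments, DCSync-style replication requests, and NTDS.dit file access) can be expressed as simple correlation rules. The following is an added example, not code from M&S or from the source article: it runs three such rules over a constructed batch of Windows Security and identity-provider events. The event shapes, account names (`svc_helpdesk`, `DC01$`, `j.bloggs`) and the 30-minute correlation window are assumptions for illustration; the two replication-rights GUIDs are the real directory access rights that a DCSync request needs.

```python
"""Correlation rules for the Scattered Spider-style activity described above.

Added example with constructed events; tune account lists and windows to your estate.
Rules:
  1. DCSync: 4662 directory access requesting replication control rights from an
     account that is not a domain controller.
  2. Reset-then-enrol: 4724 password reset performed by a help desk account,
     followed within RESET_ENROL_WINDOW by an MFA device enrolment for the same user.
  3. NTDS access: 4663 file access to ntds.dit by a process other than lsass.exe.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Real GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}

# Assumed environment knowledge (constructed): DC computer accounts, help desk identities.
DC_ACCOUNTS = {"DC01$", "DC02$"}
HELPDESK_ACCOUNTS = {"svc_helpdesk"}
RESET_ENROL_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    kind: str                 # "4662", "4724", "4663" or "mfa_enrol"
    subject: str              # account performing the action
    target: str = ""          # account acted on (4724/mfa_enrol) or object path (4663)
    process: str = ""         # process name for 4663
    properties: set = field(default_factory=set)  # access-right GUIDs for 4662


def detect_dcsync(events):
    """Return (timestamp, subject) for replication requests from non-DC accounts."""
    return [
        (e.ts, e.subject)
        for e in events
        if e.kind == "4662"
        and e.subject not in DC_ACCOUNTS
        and e.properties & REPLICATION_RIGHTS
    ]


def detect_reset_then_enrol(events):
    """Return (reset_time, user, helpdesk_account) where a help desk reset is
    followed by an MFA enrolment for the same user inside the window."""
    resets = [e for e in events if e.kind == "4724" and e.subject in HELPDESK_ACCOUNTS]
    enrols = [e for e in events if e.kind == "mfa_enrol"]
    hits = []
    for r in resets:
        for m in enrols:
            if m.target == r.target and r.ts <= m.ts <= r.ts + RESET_ENROL_WINDOW:
                hits.append((r.ts, r.target, r.subject))
    return hits


def detect_ntds_access(events):
    """Return (timestamp, subject, process) for ntds.dit reads outside lsass.exe.
    Assumption: lsass.exe is the only process that should hold the file open."""
    return [
        (e.ts, e.subject, e.process)
        for e in events
        if e.kind == "4663"
        and e.target.lower().endswith("ntds.dit")
        and e.process.lower() != "lsass.exe"
    ]


def hunt(events):
    """Run all rules and return a dict of rule name to list of hits."""
    return {
        "dcsync": detect_dcsync(events),
        "reset_then_enrol": detect_reset_then_enrol(events),
        "ntds_access": detect_ntds_access(events),
    }


# Constructed sample events; timestamps are illustrative only.
T = datetime(2025, 4, 17, 9, 0)
SAMPLE_EVENTS = [
    Event(T + timedelta(minutes=2), "4724", "svc_helpdesk", target="j.bloggs"),
    Event(T + timedelta(minutes=10), "mfa_enrol", "j.bloggs", target="j.bloggs"),
    Event(T + timedelta(hours=2), "4724", "svc_helpdesk", target="a.lee"),
    Event(T + timedelta(hours=6), "mfa_enrol", "a.lee", target="a.lee"),  # outside window
    Event(T + timedelta(minutes=30), "4662", "DC02$", properties=set(REPLICATION_RIGHTS)),  # legit
    Event(T + timedelta(minutes=40), "4662", "j.bloggs", properties=set(REPLICATION_RIGHTS)),
    Event(T + timedelta(minutes=41), "4662", "j.bloggs", properties={"00000000-0000-0000-0000-000000000000"}),
    Event(T + timedelta(minutes=50), "4663", "DC01$", target=r"C:\Windows\NTDS\ntds.dit", process="lsass.exe"),
    Event(T + timedelta(minutes=55), "4663", "j.bloggs", target=r"C:\Temp\ntds.dit", process="ntdsutil.exe"),
]

if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Each rule is deliberately narrow so that false positives are easy to reason about: DC computer accounts are excluded from the DCSync rule because they replicate legitimately, and the reset rule only fires when the enrolment lands inside the window, which is the sequence an attacker needs to complete before the legitimate user notices the reset.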
Sources: M&S cyber attack cost £131 million, profits down 24%