Scattered Spider Tied to Marks & Spencer Cyberattack


Retailer Continues to Recover From Ransomware Attack


British retailer Marks & Spencer has reportedly been targeted by the financial crime group known as Scattered Spider, which executed a ransomware attack on the organization’s VMware ESXi server.

The incident has significantly disrupted operations for both online and physical stores, and the retailer has paused online orders since Friday. Security experts cited by the BBC attribute the attack to the DragonForce ransomware group, which has shifted to a model that lets affiliated hackers use their own tools and negotiate ransoms themselves.

The DragonForce group surfaced in August 2023 as a ransomware-as-a-service provider, but a notable shift occurred earlier this year when they allowed affiliates to commandeer the attack process under their own brands, as noted by Sophos on April 23.

Sources familiar with the incident, including a report from BleepingComputer, suggest that the attack may have begun as early as February. During this time, the hackers are believed to have accessed crucial data, including the ntds.dit file, the primary Active Directory Domain Services database. Using the stolen credentials, the attackers then compromised the retailer's VMware ESXi hosts.

The repercussions of this breach are substantial; estimates report a loss of approximately £500 million in stock valuation. Furthermore, the retailer has encountered challenges in restocking food items, reflecting the far-reaching implications of this cyber event.

The exact ransom demand remains undisclosed, and Marks & Spencer has not provided a response to requests for comment. Scattered Spider, also tracked under various aliases such as UNC3944 and Scatter Swine, is suspected to have targeted around 130 organizations globally, including high-profile entities like MGM Resorts and Clorox, and allegedly stole over 391 bitcoins, equating to more than $27 million.

In terms of law enforcement action, Tyler Buchanan, a 23-year-old alleged leader of Scattered Spider, was extradited to the United States from Spain last month to face charges related to wire fraud and identity theft. Additionally, another key figure within the group, Noah Urban, has pleaded guilty to federal charges linked to multiple cyberattacks on major U.S. corporations.

Despite these apprehensions, the group is believed to have remained active throughout 2024, with an ongoing focus on targeting cloud infrastructures for credential theft—a trend highlighted in recent industry reports.

The incident follows tactics catalogued in the MITRE ATT&CK framework—initial access through exploitation of software vulnerabilities, followed by persistence through stolen credentials—and serves as a reminder to organizations of the exposures they face in today's digital landscape.
