### Marks & Spencer Faces Severe Ransomware Attack: A Deep Dive
In a troubling development, British multinational retailer Marks & Spencer (M&S) has confirmed that the “cyber incident” it has been grappling with for over a week is, in fact, a ransomware attack. Some reports attributed the attack only to an unnamed criminal group, while others identified the Scattered Spider hacking group as the perpetrators behind this significant breach.
The Telegraph revealed that ransomware was deployed during the attack, and Bleeping Computer reported that M&S’s virtual machines running on VMware ESXi hosts were encrypted with the DragonForce encryptor. Targeting the hypervisor rather than individual guests lets an attacker take down every virtual machine on a host in one step, which explains the breadth of the disruption described below. The attack is a serious blow to the retailer’s operations and to customer trust.
#### Official Confirmation and Immediate Impact
M&S publicly acknowledged the ongoing cyber incident on April 22, 2025, by formally notifying both the London Stock Exchange and its customer base. In an effort to manage the fallout, the company enlisted external cybersecurity experts to assist in investigating and addressing the incident. They have reported the attack to relevant data protection authorities and the UK’s National Cyber Security Centre, alongside implementing “minor, temporary changes” in their store operations to safeguard customers.
The repercussions of this cyber attack have been felt widely among consumers. Online orders have been suspended, and in stores contactless payments and gift card redemptions were temporarily unavailable. Customers faced delays in their orders, issues with refunds, and interruptions to the customer reward scheme. The company has been actively responding on social media to customer grievances, although communication regarding the nature and extent of the attack has been notably limited.
#### Analysis of the Ransomware Deployment
Cybersecurity experts speculate that the incident may be the work of a sophisticated ransomware or cyber-extortion group. Researcher Kevin Beaumont highlighted that M&S began taking its internet-exposed VPN endpoints and other external services offline from April 20, which was Easter Sunday in much of Europe. Beaumont also noted suspicious inbound network activity from IP addresses linked to known crimeware groups, though that alone was not enough to attribute the attack to any specific group.
Further reporting indicates that the attackers first breached M&S’s systems in February and obtained the ntds.dit database file from a domain controller. This file is the Active Directory database and holds the password hashes of every domain account; the hashes inside it are encrypted with a key derived from the SYSTEM registry hive, so an attacker who takes both files can recover the NTLM hashes offline. Those hashes can then be cracked to plaintext passwords or used directly in pass-the-hash attacks, which is the likely route by which the attackers moved deeper into M&S’s Windows domain. The DragonForce encryptor was deployed on April 24, 2025.
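The theft of ntds.dit described above leaves traces in the Windows Security log that a defender can hunt for: the usual ways of copying the database (an `ntdsutil` IFM snapshot, a volume shadow copy followed by a file copy, an `esentutl` copy) show up as process-creation events (Event ID 4688, with command-line auditing enabled), and a read of the file by anything other than `lsass.exe` shows up as an object-access event (Event ID 4663, when a SACL is set on the NTDS folder). The following detection script is an added example written for this article, not code from M&S, Bleeping Computer or any of the researchers cited; the event records it runs over are constructed samples in the field names Windows uses (`CommandLine`, `NewProcessName`, `ObjectName`, `ProcessName`), and the allowlist of legitimate ntds.dit readers is an assumption that a real deployment would extend with its own backup software.

```python
"""Hunt Windows Security events for signs of ntds.dit theft.

Added example, not from the original article. Event IDs 4688 (process
creation) and 4663 (object access) and their field names are the real
Windows ones; every event in SAMPLE_EVENTS below is constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Command lines that commonly precede extraction of the AD database.
# Each entry is (pattern, label). The first matching pattern wins.
SUSPICIOUS_CMDLINES = [
    (re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I), "ntdsutil IFM snapshot"),
    (re.compile(r"\bntdsutil(\.exe)?\b.*\bcreate\s+full\b", re.I), "ntdsutil full dump"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I), "vssadmin shadow copy"),
    (re.compile(r"\bdiskshadow(\.exe)?\b", re.I), "diskshadow invocation"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bcreate\b", re.I), "wmic shadow copy"),
    (re.compile(r"\besentutl(\.exe)?\b.*ntds\.dit", re.I), "esentutl copy of ntds.dit"),
    (re.compile(r"\b(copy|xcopy|robocopy)\b.*ntds\.dit", re.I), "file copy of ntds.dit"),
    # The SYSTEM hive carries the boot key needed to decrypt the hashes in ntds.dit.
    (re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I), "SYSTEM hive export (boot key)"),
]

# Processes that legitimately hold ntds.dit open on a domain controller.
# Assumption for this example: only lsass.exe. Extend with backup agents.
ALLOWED_NTDS_READERS = {r"c:\windows\system32\lsass.exe"}


def detect_ntds_theft(events: Iterable[dict]) -> list[dict]:
    """Return one alert dict per suspicious event, in input order."""
    alerts: list[dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688:
            cmd = ev.get("CommandLine", "")
            for pattern, label in SUSPICIOUS_CMDLINES:
                if pattern.search(cmd):
                    alerts.append({
                        "event_id": eid,
                        "host": ev.get("Computer"),
                        "user": ev.get("SubjectUserName"),
                        "reason": label,
                        "detail": cmd,
                    })
                    break
        elif eid == 4663:
            obj = ev.get("ObjectName", "").lower()
            proc = ev.get("ProcessName", "")
            # Shadow-copy paths end in ...\Windows\NTDS\ntds.dit too, so match on the suffix.
            if obj.endswith("ntds.dit") and proc.lower() not in ALLOWED_NTDS_READERS:
                alerts.append({
                    "event_id": eid,
                    "host": ev.get("Computer"),
                    "user": ev.get("SubjectUserName"),
                    "reason": "non-lsass process read ntds.dit",
                    "detail": proc,
                })
    return alerts


# Constructed sample events (not real telemetry from any organisation).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system C:\temp\sys.hiv"},
    {"EventID": 4663, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "ObjectName": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_ntds_theft(SAMPLE_EVENTS):
        print(f"[{alert['event_id']}] {alert['host']} {alert['user']}: {alert['reason']} ({alert['detail']})")
```

Run against the constructed samples, the script raises four alerts (the ntdsutil snapshot, the shadow copy, the SYSTEM hive export and the read of the shadow-copied ntds.dit by cmd.exe) and stays quiet on the benign svchost launch and lsass's own access. The reg.exe rule is worth keeping even though it does not touch ntds.dit: without the boot key from the SYSTEM hive the stolen database is useless, so the two exports tend to appear together in the same session.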
Reports from Bleeping Computer corroborated that the Scattered Spider group, also referred to as Octo Tempest by Microsoft, is linked to the attack. This loosely organized collective specializes in various cybercrimes, including phishing, social engineering, and SIM swapping, and often joins forces with different ransomware groups for maximum impact.
DragonForce itself operates as a ransomware-as-a-service (RaaS) provider, having entered the cybercrime scene in August 2023. The group markets its tools and services to affiliates, taking a cut of any ransom payments made.
#### A Cautionary Message for Customers
As the company works through these challenges, M&S customers remain in limbo, uncertain when they will regain full access to online shopping. To date, M&S has not confirmed whether the attackers accessed customers’ personal and financial information, only opting to reassure customers that “there is no need for [them] to take any action.”
However, the cybersecurity landscape suggests a high likelihood that scammers will attempt to exploit this high-profile breach. Customers are urged to remain vigilant for phishing attempts, including fraudulent notifications claiming compromised accounts or payment information. Such tactics might involve requests for account verification on lookalike sites or notifications about refund issues.
Overall, this incident serves as a stark reminder of the ever-evolving challenges in cybersecurity and the profound implications such attacks can have on businesses and consumers alike. As Marks & Spencer navigates this crisis, the importance of robust cybersecurity measures and transparent communication cannot be overstated.