- Marks & Spencer experienced a cyber incident in early April
- Reports suggest Scattered Spider is behind the attack
- The retailer is still addressing the technological disruption
A significant cyber incident involving British retailer Marks & Spencer has persisted for over a week, and it appears to be associated with Scattered Spider, a notorious threat group. This information was first reported by BleepingComputer, which referenced “multiple sources” indicating that this might be a ransomware attack. However, the company itself has refrained from confirming this detail.
At the end of April, reports emerged of a “cyber incident” that impacted M&S stores for several days, leading to “minor alterations” in store operations. The company acknowledged that Click and Collect services were affected, and some locations struggled to process contactless payments.
A few days later, M&S announced that it needed to take certain systems and processes offline, resulting in a suspension of Click and Collect services across all stores and halting online orders as well.
Old Players or New Imitators?
The retailer stated that it decided to take some processes offline proactively to safeguard its employees, partners, suppliers, and the business itself. Although no formal declaration confirmed the attack as ransomware, there are strong indications supporting this possibility.
Now, BleepingComputer contends that it was indeed a ransomware attack carried out by Scattered Spider. This group is not state-sponsored but operates primarily for financial gain. Its usual targets are Western companies, especially in technology, telecommunications, and hospitality, and it gains initial access to networks through social engineering and SIM-swapping.
In previous years, the group deployed the BlackCat/ALPHV ransomware, but after that operation shut down it sought other options. According to the publication, it used the DragonForce encryptor on M&S’ VMware ESXi hosts on April 24, encrypting the virtual machines running on them. DragonForce itself has recently shifted to a ‘cartel’ business model.
To counteract the damage, several cybersecurity teams, including CrowdStrike, Microsoft, and Fenix24, have been engaged to investigate and provide support.
Source: BleepingComputer