The recent cyberattack on M&S is not a UK-centric incident, with the DragonForce ransomware group rapidly emerging as one of the most dangerous threats in the cybersecurity domain globally, according to Rick Welsh, CEO of Killara Cyber.
Killara Cyber is the cyber insurance program of Canopy Specialty Insurance. It offers a solution for its SME customers with CORE, its proprietary early warning system that predictively warns against malicious intrusions or potential cyberattacks.
For context, on 22nd April, 2025, M&S announced it was responding to a cyber incident that had impacted its operations.
The threat actor group Scattered Spider—also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra—was behind the attack on M&S, deploying DragonForce ransomware.
Scattered Spider is known for gaining access to victims and valid accounts via phishing campaigns and social engineering tactics.
DragonForce operates a ransomware-as-a-service (RAAS) affiliate program.
Welsh explained, “Threat actors can utilise DragonForce’s infrastructure to launch ransomware attacks, effectively lowering the cost and technical requirements for running ransomware campaigns against victims. DragonForce’s ransomware has capabilities such as credential harvesting, privilege escalation, antivirus program disablement, data encryption and covering its tracks by deleting log entries. Threat actors also have the option to use customised malware.”
The attack was not limited to M&S; the Co-op was also targeted, reportedly shutting down parts of its IT systems in response to hackers attempting to gain access.
Additionally, Harrods, the luxury department store, appears to be another retailer recently targeted by a cyberattack. The firm said it had “restricted internet access at our sites” following an attempt to gain unauthorised access to its systems.
Simon West, Director of Customer Engagement at Resilience, stressed that these attacks are particularly concerning due to the use of advanced tactics such as SIM swapping and MFA bypass.
Welsh emphasised that while these incidents may appear UK-centric, DragonForce ransomware is a global threat.
Welsh stated, “Killara’s CORE platform indicates that as of yesterday, there were 70 new DragonForce ransomware attacks in the last six months alone – and 57% of those were against US companies.”
The UK, Canada, France, and Germany have also been particularly exploited. By industry, the construction, healthcare, and legal sectors are being targeted.
Welsh stressed that these recent cyberattacks reiterate the need to be proactive, noting that cyber insurance can help clients understand and stay updated on new threats and tactics, enabling them to better avoid such attacks.
Welsh said, “Insurance is as much about helping clients avoid outages as it is helping them after a ransomware attack.
“We at Killara believe insurance should be better at being preventative before the event than reactive after the event. Killara’s early detection protects our clients before the attack just as it does after an attack.
“Through Killara Cyber’s relationship with 800+ global partners, CORE ingests hundreds of different types of malware, threat actors, ransomware events, vulnerabilities, exploits by industry, geography, vendors and technology,” he concluded.
