Cyber security experts have told ITV News they believe DragonForce was the ransomware used in the cyber attack launched against M&S.
It’s been nearly two weeks since customers first reported experiencing issues with various services at the retailer.
Contactless payments and click & collect services were the first to be suspended, and 13 days later the disruption continues, with empty shelves in stores and customers still unable to place orders online or through the app.
With one retail expert estimating the store’s losses could be as much as £3.5m a day, cyber security specialists have begun pointing to this disruption as one of the biggest cyber attacks on a private company the UK has ever seen.
Amid the ongoing disruption, the retailer has declined to offer further updates on the attack, leaving experts to speculate on its causes and on when customers might see normal service resumed.
What is Dragonforce?
DragonForce is a form of ransomware: malicious software that locks victims out of their own files and extorts them for access.
It is uncertain who created it, but some cyber experts link its inception to a group of hackers known as DragonForce Malaysia.
The name DragonForce can be used to refer both to the group who created it and the software itself.
Typically the group offers the software to “affiliates”, who carry out the attacks with it and pass a percentage of the money they extort back to its creators, a model known as ransomware-as-a-service.
Cyber security expert Graham Cluley told ITV News: “Attacks involving the DragonForce ransomware usually start with exploitation of known vulnerabilities – often involving corporate systems that have not been kept up-to-date with the latest security patches, or because they have not been configured properly.
“In addition, the hackers may exploit weak, or non-unique passwords.”
Graham also adds that it is not unheard of for hackers to offer company employees large bribes to help them gain access from the inside, although there has been no suggestion this occurred in the attack against M&S.
Graham describes how ransomware like DragonForce typically spreads through a company once it has gained a foothold, attempting to “claw its way up through the system to take over accounts which have greater privileges.”
“Data will be exfiltrated with the threat of releasing it on the dark web unless a cryptocurrency ransom is paid,” Graham says.
One of the earliest known uses of this software was an attack on the Ohio Lottery in 2023.
This breach saw more than 600GB of users’ data stolen, including names, email addresses and other sensitive details.
Other attacks attributed to DragonForce include ones against Coca-Cola and Yakult, and at one point it was linked to an attack on the entire island nation of Palau.
How does ransomware work?
The National Cyber Security Centre (NCSC) describes ransomware as a type of malicious software that prevents users from accessing their data and systems by encrypting their files.
The group deploying the software then demands a payment, or “ransom”, in exchange for the key needed to decrypt the data and restore access.
Attackers also commonly steal a copy of the data first and threaten to leak it if the ransom is not paid, so that even victims with good backups can be extorted.
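The behaviour described above (files overwritten with ciphertext and renamed in bulk) is what a defender looks for on the endpoint. The following is an added illustration, not code from the article, ITV News or any vendor: it runs a simple detector over a constructed file-activity log. The log format, host names, the `.locked` extension and every threshold are assumptions chosen for the example.

```python
import math
import random
from collections import defaultdict

# Thresholds are assumptions for this illustration, not vendor defaults.
ENTROPY_THRESHOLD = 7.0   # bits per byte; plain documents sit well below this
MIN_SUSPECT_FILES = 5     # distinct files hit before a host is flagged
WINDOW_SECONDS = 60       # burst window for the overwrite/rename pattern
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "csv", "pptx", "tmp", "bak"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random, as ciphertext is)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_events(events):
    """Yield (t, host, path, reason) for events that look like ransomware at work:
    a write whose content is near-random, or a rename to an extension nobody uses."""
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            yield ev["t"], ev["host"], ev["path"], "high-entropy write"
        elif ev["op"] == "rename" and _extension(ev["new_path"]) not in KNOWN_EXTENSIONS:
            yield ev["t"], ev["host"], ev["path"], "renamed to ." + _extension(ev["new_path"])


def flag_hosts(events):
    """Return {host: sorted paths} for hosts with at least MIN_SUSPECT_FILES distinct
    suspicious files inside some WINDOW_SECONDS window. One odd file is a user;
    a burst of them is the pattern that should trigger isolation."""
    per_host = defaultdict(list)
    for t, host, path, _reason in suspicious_events(events):
        per_host[host].append((t, path))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = {p for t, p in hits[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= MIN_SUSPECT_FILES:
                flagged[host] = sorted(window)
                break
    return flagged


# Constructed sample data (fixed seed so the run is reproducible).
_rng = random.Random(7)
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(2048))   # stands in for ciphertext
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 12  # ordinary document content


def build_sample_log():
    """Constructed log: ws-12 shows an encrypt-then-rename burst across a share;
    ws-07 is a user editing a note and leaving a .tmp file behind."""
    events = []
    for i in range(8):
        path = f"C:/Shared/finance/q{i}.xlsx"
        events.append({"t": 100 + 2 * i, "host": "ws-12", "op": "write", "path": path, "data": ENCRYPTED})
        events.append({"t": 101 + 2 * i, "host": "ws-12", "op": "rename", "path": path,
                       "new_path": path + ".locked", "data": b""})
    events.append({"t": 100, "host": "ws-07", "op": "write", "path": "C:/Users/b/notes.txt", "data": PLAINTEXT})
    events.append({"t": 130, "host": "ws-07", "op": "rename", "path": "C:/Users/b/notes.txt",
                   "new_path": "C:/Users/b/notes.tmp", "data": b""})
    return events


if __name__ == "__main__":
    for host, paths in flag_hosts(build_sample_log()).items():
        print(f"{host}: {len(paths)} files hit, e.g. {paths[0]}")
```

In a real deployment the events would come from an EDR agent or file-server audit log rather than a list in memory, the extension allow-list would be learned from the estate, and a flagged host would be isolated automatically rather than printed. Entropy alone is a weak signal (compressed archives and images are also near-random), which is why the example requires a burst across several files before it alerts.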
The first ransomware attack is thought to have occurred in 1989, when attendees of a WHO AIDS conference were sent floppy disks containing a supposed HIV questionnaire. Once run, the software encrypted their files and demanded that a payment of around $189 be sent to a PO box in Panama before the files would be restored.
Since then ransomware attacks have evolved to target large businesses rather than individuals and small companies, in what the cyber security community has termed “big game hunting”.
Who are the group being linked to the attack?
No group or individual has claimed responsibility for the attack but some reports have linked hacking group Scattered Spider to the incident.
The group has previously been involved in high-profile cyber attacks, extorting large companies for financial gain.
One of Scattered Spider’s biggest alleged hacks involved the gaming giant MGM Resorts International, which operates over 30 hotel and gaming venues around the world.
In this attack, Scattered Spider is thought to have brought MGM’s systems to a halt after gaining access to the company’s management systems and deploying ransomware.
Cyber security expert Professor Alan Woodward from the University of Surrey describes the group as “a typical loose collective of hackers who quite often don’t even know each other’s real names.
“They work solely alone and not all members of the group will necessarily take part in every attack,” he added.
A 2023 briefing from the FBI describes the group as “experts in social engineering”, saying they deploy multiple tactics to gain access to businesses’ data.
Previous examples include:
- Posing as company IT and helpdesk staff over phone and text to obtain credentials from employees.
- Posing as IT staff to convince employees to share one-time passwords.
- Convincing mobile networks to transfer control of a target’s phone number to a SIM card they controlled (a “SIM swap”).
- Deploying ransomware to extort companies for access to their data.
- Using phishing emails to install malware on employees’ systems.
To date there have been several arrests, including British citizens, in relation to Scattered Spider’s cyber attack operations.
What should companies do to protect themselves and their customers?
Cyber experts told ITV News that no company can completely insulate itself from the threat of ransomware. There are, however, preventative steps that limit the risk.
The NCSC advises businesses against paying ransoms, as there is no guarantee that data will be restored and payment could encourage further attacks on the same business or others.
Graham Cluley told ITV News that once a company detects a ransomware attack it is important to disconnect affected devices from the network to stop the malware spreading. This can also mean taking shared drives offline and cutting VPN access.
Both of these necessary measures can greatly affect a business’s ability to operate, as has been seen over the last two weeks in the M&S attack.
Restoring data from backups can also help, although unless the way the hackers got in is identified and closed there is a strong possibility that the same weakness could be exploited again.
The rise of working from home can also pose an additional risk. Alan Woodward told ITV News that while there is plenty of technology to protect companies from the risks of remote working, it assumes proactive defence on the part of the business.
He told ITV News the risk increases when employees use personal machines to work across corporate networks, adding: “In the early days of covid many were caught out by this rush for home working but these days it should be well secured.”