Inside the ongoing M&S ransomware crisis


Marks & Spencer, one of the UK’s most iconic retailers, is still reeling from a ransomware attack that has crippled parts of its operations for the last month. While the company’s official communication frames it as a “cyber incident,” this was a complex ransomware attack perpetrated by a sophisticated adversary. 

The cyber-attack on M&S marks one of the most high-profile security breaches in the UK retail sector to date, with expectations that the disruption could last until July, taking an estimated £300m hit to profits. For all businesses, this attack should act as a real-time case study in both the anatomy of a modern cyber-attack and the immense challenges of recovery. 

What we know so far

The breach was first disclosed publicly on April 19, 2025, though it is now believed that the attackers may have had access to M&S systems as early as February. Evidence reported by Bleeping Computer and corroborated by internal sources suggests that the attackers successfully exfiltrated a critical Windows Active Directory database that contains password hashes for all domain accounts.

With this in hand, the attackers could crack hashed credentials offline and perform lateral movement across M&S’s internal systems undetected for weeks.
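As an added illustration that is not part of the original article: the credential-theft step described above leaves traces in process-creation audit logs (Windows Security event 4688 or Sysmon event 1), and a small detection pass over those logs is how a defender would surface it. The sample events, host names and rule set below are constructed for this example; the command patterns are the ones documented for Active Directory database export (MITRE ATT&CK T1003.003).

```python
import re

# Constructed process-creation events in the shape a SIEM would hold them.
# Hosts, users and command lines are fabricated for this example.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "svc_backup",
     "cmd": r'C:\Windows\System32\ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    {"host": "DC01", "user": "CORP\\jsmith", "cmd": r"vssadmin.exe create shadow /for=C:"},
    {"host": "WS12", "user": "CORP\\amy", "cmd": r"C:\Windows\System32\notepad.exe C:\Users\amy\notes.txt"},
    {"host": "DC02", "user": "CORP\\jsmith",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    {"host": "DC02", "user": "CORP\\jsmith", "cmd": r"reg.exe save HKLM\SYSTEM C:\temp\sys.hiv"},
]

# Each rule names one documented way the AD database (ntds.dit) or the
# SYSTEM hive needed to decrypt it is taken off a domain controller.
RULES = [
    ("ntdsutil IFM export", re.compile(r"ntdsutil(\.exe)?.*\bifm\b", re.I)),
    ("shadow copy creation", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds.dit read from shadow copy", re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("SYSTEM hive export (boot key)", re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM", re.I)),
]


def match_rules(cmd):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(events):
    """Return one alert tuple (host, user, rule name) per matching event."""
    alerts = []
    for ev in events:
        for name in match_rules(ev["cmd"]):
            alerts.append((ev["host"], ev["user"], name))
    return alerts


def correlate(alerts):
    """(host, user) pairs that tripped two or more distinct rules.

    A single hit is worth a look; a shadow copy followed by a read of
    ntds.dit or a SYSTEM hive export by the same account on the same
    host is the strongest signal that a credential dump is in progress.
    """
    seen = {}
    for host, user, name in alerts:
        seen.setdefault((host, user), set()).add(name)
    return sorted(key for key, names in seen.items() if len(names) >= 2)
```

Alerts on domain controllers should also be checked against the list of accounts legitimately allowed to run backups there, since an IFM export by a known backup job is the expected false positive.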

This sort of early-stage credential theft aligns with tactics employed by the Scattered Spider threat group, a collective known for leveraging social engineering, SIM swapping, and credential harvesting to infiltrate major enterprises. Once deep within the M&S infrastructure, the attackers deployed the DragonForce ransomware payload, encrypting virtual machines hosted on VMware ESXi servers. This step effectively shut down critical systems across M&S’s logistics, customer-facing apps, and internal operations.

The impact was immediate and visible to both customers and stakeholders. Click-and-collect services were disrupted, online orders were suspended, and in-store point-of-sale systems experienced intermittent failures.

The incident triggered a drop in M&S’s share price, wiping out more than £700 million in market capitalisation. The financial impact is compounded by the suspension of e-commerce operations, which typically account for £3.8 million in daily revenue.

M&S responded by activating its internal incident response mechanisms and enlisting third-party cybersecurity firms, including CrowdStrike and Microsoft, to contain and investigate the breach. Meanwhile, the company reported the incident to the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), ensuring regulatory transparency. 

Who is Scattered Spider?

Scattered Spider is one of the most active and dangerous cyber-criminal groups operating today. Unlike traditional ransomware gangs that are often based in Eastern Europe or Russia, Scattered Spider has been reported to operate largely out of the US and the UK.

The group is unusual in its composition, reportedly consisting of young, highly tech-savvy individuals who are fluent in both security toolsets and social engineering techniques.

Scattered Spider’s tactics are characterised by a combination of low-tech human manipulation and high-impact technical capability. They commonly start their attacks using SMS phishing or phone-based impersonation to gain initial access.

Once inside, they prioritise harvesting authentication data, mapping internal systems, and identifying crown jewels such as identity providers and virtual environments. Their campaigns are known to be persistent, with dwell times stretching into weeks or months, a characteristic evident in the M&S breach timeline.

The realities of ransomware recovery

Recovering from a ransomware attack of this scale is not simply a matter of restoring from backups or decrypting files. The nature of the compromise, particularly the exfiltration of password hashes and deep lateral movement, means that M&S must assume much of its identity infrastructure is compromised. Every domain controller, user account, and service credential must be re-evaluated and, in many cases, recreated.

Recovery cannot begin in earnest until the organisation has confidence that the attacker no longer has persistence or backdoors into the network.

Adding to the difficulty is the use of VMware ESXi as a virtualisation platform. Many ransomware strains now include specific modules designed to target ESXi hosts, encrypting entire virtual machines rather than just files. This not only increases the blast radius but also complicates recovery since backups of individual VMs may also be locked or affected.

Furthermore, the organisation is likely navigating complex regulatory and legal landscapes. Notification requirements under GDPR, coordination with law enforcement, and potential legal action mean that every communication, whether to the public, to partners, or internally, must be carefully crafted. In this high-pressure environment, speed often takes a backseat to certainty and control.

Key lessons for organisations 

The M&S incident offers a powerful learning opportunity for organisations across industries. These are the key lessons that other organisations should consider: 

  • Adopt a zero trust approach to identity and access management: Many attacks by Scattered Spider begin with impersonation or manipulation of identity infrastructure. Organisations must implement robust multi-factor authentication (MFA), but also ensure that MFA reset workflows are themselves secure. 
  • Segment your networks: Once an attacker gains access to one part of a flat network, they can quickly move laterally. Segmenting sensitive systems and restricting access through firewalls or zero-trust network access (ZTNA) can significantly slow down or even halt an intruder’s progress.
  • Test your incident response plan: Detection isn’t enough. A solid plan should include technical steps, legal and communication procedures, and business continuity strategies – ready to access at a moment’s notice.
  • Ensure operational resilience: To keep vital services like payment or customer service running during a crisis, defined fallback methods, such as manual workarounds or third-party services, are needed.
  • Cyber incident response needs training like a muscle: Incident response is a skill. Regular simulations, red-blue team exercises and cyber labs build real-world decision-making skills and coordination under pressure.
  • Cybersecurity is a board-level priority: The financial and reputational damage inflicted on M&S demonstrates that security is not just an IT concern but a core business risk. Boards should receive regular briefings on threat trends, audit findings, and the readiness of their organisations to respond to a cyber crisis.

 

Final words

The ransomware attack on Marks & Spencer is a stark reminder of the vulnerabilities that persist even in well-resourced, well-regarded organisations.

From the breach’s technical details to its broader implications for business continuity and reputation, the incident reveals how multifaceted cyber resilience must be. It also exposes the evolution of adversaries like Scattered Spider, who blend social engineering, identity compromise, and extortion into one formidable threat model.

For organisations watching from the sidelines, the lessons are clear: invest in identity protection, practice incident response, harden infrastructure, and communicate clearly and quickly. Above all, treat cybersecurity not as an operational necessity but as a strategic imperative.
