In April 2025, British retailer Marks & Spencer suffered a ransomware attack attributed to the Scattered Spider cybercriminal group using DragonForce ransomware. The intrusion began with social engineering of IT service desk staff at a third-party provider; it forced M&S to halt online clothing and home orders for weeks, disrupted in-store payment systems, and was expected to cost around £300 million in operating profit. The attack exposed customer data and showed how much risk is concentrated in outsourced IT service providers. Recovery ran for months, with click-and-collect not restored until roughly 15 weeks after the attack began. The incident is one of the most costly cyberattacks in UK retail history and was followed by a wave of similar attacks across the sector.
Index
- The Attack That Paralyzed a British Icon
- Who Are Scattered Spider and DragonForce?
- Timeline of the Breach and Response
- How the Attack Unfolded: Technical Breakdown
- The Devastating Financial Toll
- Operational Chaos and Recovery Challenges
- Customer Data Compromise
- The Third-Party Vendor Weakness
- Part of a Coordinated UK Retail Attack Wave
- Critical Lessons for Enterprise Security
The Attack That Paralyzed a British Icon
On April 22, 2025, Marks & Spencer—one of Britain’s most iconic and trusted retailers with 141 years of history—publicly disclosed a “cyber incident” that would evolve into one of the most damaging ransomware attacks ever experienced by a UK retailer. What initially appeared as a contained IT issue quickly spiraled into a full-scale operational crisis affecting the company’s 565 stores and 64,000 employees.
The attack forced M&S to pause all online clothing and home product orders through its website and mobile app by April 25. In-store systems were severely impacted, with contactless payment terminals failing and digital services including click-and-collect becoming unavailable. The company’s warehouse operations ground to a halt, and hundreds of staff members were sent home as emergency response teams worked to contain the damage.
According to Reuters, the attack wiped over £1 billion from M&S’s stock market value and represented a catastrophic blow to a company that had been trading strongly before the incident.
Who Are Scattered Spider and DragonForce?
The M&S breach was attributed to a collaboration between two sophisticated threat actor groups: Scattered Spider and DragonForce.
Scattered Spider is a notorious English-speaking cybercriminal collective known for highly effective social engineering tactics. Unlike typical ransomware affiliates who rely on technical exploits, Scattered Spider specializes in human manipulation—impersonating IT help desk personnel, conducting sophisticated phishing campaigns, and using SIM-swapping techniques to bypass multi-factor authentication. The group gained international notoriety for previous attacks on major organizations including MGM Resorts and Caesars Entertainment.
DragonForce operates as a Ransomware-as-a-Service (RaaS) provider, offering its malware platform to affiliate attackers for a 20% cut of ransom payments. According to Specops Software, DragonForce emerged in August 2023 and quickly evolved from a pro-Palestinian hacktivist group into a profit-driven criminal enterprise. Their ransomware is built on leaked source code from infamous operations like LockBit 3.0 and Conti, providing a robust and tested foundation.
The partnership between Scattered Spider’s social engineering expertise and DragonForce’s powerful encryption tools created a formidable threat that traditional security controls struggled to detect and prevent.
Timeline of the Breach and Response
February 2024: Attackers quietly obtained M&S’s Active Directory database (NTDS.dit) containing password hashes for thousands of accounts, which they cracked offline over subsequent months.
Easter Weekend 2025 (April 19-21): M&S security teams detected suspicious activity in their systems after threat actors had already established deep access.
April 22, 2025: M&S publicly disclosed the cyber incident, initially characterizing it as contained.
April 25, 2025: The company was forced to stop taking all clothing and home orders through its website and app as the full scope of the ransomware deployment became apparent.
May 13, 2025: M&S confirmed that customer personal information was stolen in the attack, according to Reuters reporting.
May 15, 2025: Food availability began improving as stock forecasting systems were restored.
May 21, 2025: In its annual results presentation, M&S quantified the expected impact at approximately £300 million in lost profit, with disruption anticipated to extend into July.
June 10, 2025: A limited selection of fashion products became available online for home delivery in England, Wales, and Scotland—more than seven weeks after the initial shutdown.
August 11, 2025: M&S finally restored click-and-collect services, 15 weeks after the attack began, marking a significant milestone in the recovery process.
How the Attack Unfolded: Technical Breakdown
According to detailed technical analysis from Picus Security, the DragonForce attack on M&S followed a sophisticated multi-stage process:
Initial Access: Attackers used social engineering techniques to target IT help desk staff at Tata Consultancy Services (TCS), M&S’s third-party IT service provider. By posing as legitimate employees, they convinced help desk personnel to reset credentials and grant access to critical systems. Two TCS employee login credentials were specifically used to breach M&S’s network.
Credential Harvesting: Once inside, attackers used credential-dumping tools such as Mimikatz to read secrets from LSASS memory and extracted the complete Active Directory database (NTDS.dit), which holds the password hash of every domain account; the timeline above dates that theft to February 2024. Hashes cracked offline, together with whatever was recovered from LSASS, gave them domain administrator privileges, and with those they could reach virtually any system in the M&S environment.
Persistence: The attackers established multiple backdoors using:
- Registry Run keys for automatic malware execution on system startup
- Scheduled tasks to maintain access
- Windows services running with system-level privileges
- Cobalt Strike beacons for command and control
Defense Evasion: DragonForce affiliates disabled security controls with a Bring Your Own Vulnerable Driver (BYOVD) technique. They loaded a legitimately signed but vulnerable kernel driver (the RogueKiller Anti-Rootkit driver), which the operating system accepts because its signature is valid, and used its kernel privileges to terminate antivirus and EDR processes. Windows Event Logs were cleared to impede forensic investigation.
Lateral Movement: Using stolen credentials over RDP and SMB administrative shares, attackers spread throughout M&S’s network. They specifically targeted VMware ESXi hosts: because many virtual servers run on a handful of hypervisors, encrypting the hosts’ datastores takes down every guest at once instead of one server at a time.
Data Exfiltration: Before deploying ransomware, attackers exfiltrated massive amounts of sensitive data including customer information, employee records, and proprietary business data. This enabled the double-extortion tactic of threatening to publish stolen data if ransom demands weren’t met.
Encryption: The final phase involved deploying DragonForce ransomware across Windows, Linux, and VMware ESXi systems simultaneously, using robust RSA and AES encryption to render critical business data and services completely inaccessible.
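The chain above maps onto a small number of high-signal Windows events. The following Python detector is an added illustration (not Picus, M&S or DragonForce tooling) that runs one rule per stage over constructed Security, System and Sysmon records. The record shapes, field names and the allow-list of processes permitted to open LSASS are assumptions to be tuned per estate; the two replication-right GUIDs are the real Active Directory control-access-right values that a DCSync request carries.

```python
"""Stage-by-stage detections for the intrusion chain above (added illustration).

Records are constructed, simplified dictionaries shaped like Windows Security,
System and Sysmon log fields; they are not M&S telemetry.
"""
import re

# Control-access-right GUIDs for DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All (real AD schema values). A 4662 carrying
# either from a non-DC account is the classic DCSync signature.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# Processes allowed to open LSASS (assumption; tune to the AV/EDR in use).
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|windows\\temp)\\", re.I)


def is_dcsync(e):
    """4662 with a replication right, requested by something other than a DC."""
    return (e.get("EventID") == 4662
            and not e.get("SubjectUserName", "").endswith("$")
            and bool(REPLICATION_GUIDS & set(e.get("Properties", []))))


def is_ntds_dump(e):
    """4688 process creation: ntdsutil IFM export or a shadow copy of the system drive."""
    if e.get("EventID") != 4688:
        return False
    cmd = e.get("CommandLine", "").lower()
    return (("ntdsutil" in cmd and "ifm" in cmd)
            or ("vssadmin" in cmd and "create shadow" in cmd))


def is_lsass_access(e):
    """Sysmon 10 (ProcessAccess) on lsass.exe from a non-allow-listed image."""
    source = e.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
    return (e.get("EventID") == 10
            and e.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and source not in LSASS_ALLOWED)


def is_service_in_user_dir(e):
    """System 7045 (service installed) whose binary lives in a user-writable path."""
    return e.get("EventID") == 7045 and bool(USER_WRITABLE.search(e.get("ImagePath", "")))


def is_scheduled_task(e):
    """Security 4698: scheduled task created (cheap persistence, always worth a look)."""
    return e.get("EventID") == 4698


def is_log_cleared(e):
    """Security 1102: the audit log was cleared."""
    return e.get("EventID") == 1102


RULES = [
    ("credential_harvesting/dcsync", is_dcsync),
    ("credential_harvesting/ntds_dump", is_ntds_dump),
    ("credential_harvesting/lsass_access", is_lsass_access),
    ("persistence/service_in_user_dir", is_service_in_user_dir),
    ("persistence/scheduled_task", is_scheduled_task),
    ("defense_evasion/audit_log_cleared", is_log_cleared),
]


def detect(events):
    """Return [(rule_name, event), ...] for every record that matches a rule."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


SAMPLE_EVENTS = [  # constructed, not real logs
    {"EventID": 4624, "SubjectUserName": "jsmith", "LogonType": 10},
    {"EventID": 4662, "SubjectUserName": "svc-helpdesk", "ObjectType": "domainDNS",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},   # DC replicating: normal
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"EventID": 10, "SourceImage": "C:\\Users\\Public\\m.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 7045, "ServiceName": "WinUpd", "ImagePath": "C:\\ProgramData\\svc.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 4698, "SubjectUserName": "svc-helpdesk", "TaskName": "\\Updater"},
    {"EventID": 1102, "SubjectUserName": "svc-helpdesk"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {ev}")
```

The DC02$ replication event is deliberately left unflagged: domain controllers replicate constantly, so the DCSync rule keys on who is asking rather than on the right itself. In production the same predicates would run over a SIEM’s parsed fields rather than dicts, and the LSASS allow-list would list the security products actually deployed.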
The Devastating Financial Toll
The M&S cyber attack resulted in one of the most expensive ransomware incidents in UK corporate history, with total expected losses reaching £300 million—equivalent to approximately 30.5% of the company’s annual operating profit.
According to The Guardian, the financial impact breakdown included:
- Direct lost sales: Approximately two-thirds of the £300 million stemmed from lost online clothing and home product sales
- Increased operational costs: Manual processing requirements dramatically increased labor costs
- Food waste: Disrupted supply chain systems led to elevated food spoilage
- Recovery expenses: Costs associated with incident response, forensic investigation, and system rebuilding
- Stock clearance losses: Deeper-than-normal end-of-season discounts required to clear unsold inventory
Weekly Profit Impact: Deutsche Bank analysts estimated the attack cost M&S approximately £15 million per week in lost profit during the height of the disruption.
Market Value Impact: Over £1 billion was wiped from M&S’s stock market valuation in the immediate aftermath of the attack disclosure.
Insurance and Mitigation: M&S aimed to recover approximately half of the £300 million impact (around £150 million) through cyber insurance coverage, cost reduction initiatives, and other mitigation actions. However, as CNBC reported, this still left a massive financial burden on the company.
Before the attack, M&S had posted strong annual results with underlying profits rising 22% to £876 million and overall sales up 6% to £13.9 billion—making the timing of the breach particularly devastating as it interrupted a period of robust growth.
Operational Chaos and Recovery Challenges
The operational impact of the DragonForce ransomware extended far beyond simple system downtime. M&S faced a complete breakdown of integrated digital systems that modern retailers depend on for daily operations.
Online Channel Paralysis: With online sales accounting for approximately one-third of M&S’s clothing and home sales (approximately £3.8 million in daily online revenue), the weeks-long shutdown represented catastrophic revenue loss during the crucial spring and early summer shopping season when customers typically refresh their wardrobes.
In-Store System Failures: Physical stores experienced:
- Contactless payment system outages
- Click-and-collect service unavailability
- Stock forecasting system breakdowns affecting product availability
- Manual workarounds that slowed transactions and frustrated customers
Supply Chain Disruption: According to BBC News, M&S suppliers were severely affected. Greencore, which supplies sandwiches, rolls and wraps, reported having to use pen and paper for orders and ramped up deliveries by 20% to ensure sufficient inventory for the bank holiday weekend.
Workforce Impact: Hundreds of warehouse staff were sent home as distribution operations were halted. Store employees worked under tremendous pressure managing frustrated customers and operating with degraded systems, raising concerns about morale and retention.
Recovery Prioritization: M&S leadership made the strategic decision to prioritize safety and complete system restoration over speed. This meant methodically rebuilding infrastructure rather than attempting quick patches—a process that ensured long-term security but extended customer-facing service disruptions.
The company accelerated planned IT modernization initiatives, conducting two years’ worth of system upgrades in just six months. This “forced modernization” may ultimately strengthen M&S’s security posture, but came at tremendous cost and operational pain.
Customer Data Compromise
Beyond the operational and financial damage, the M&S attack resulted in a significant data breach affecting thousands of customers. The company confirmed that attackers successfully exfiltrated personal information including:
- Customer names
- Home addresses and contact details
- Phone numbers and email addresses
- Dates of birth
- Online order histories
Data Not Compromised: M&S was quick to clarify that usable payment card details and account passwords were not among the stolen data—providing some relief to concerned customers.
Customer Response Requirements: M&S prompted all affected customers to reset their passwords “for peace of mind” and warned them to remain vigilant against potential:
- Phishing attempts using stolen personal information
- Identity theft schemes
- Social engineering attacks leveraging order history details
The data breach component significantly amplified the reputational damage to M&S, which YouGov had ranked as Britain’s best retail brand just the year before. Trust—built over 141 years—was suddenly at risk as customers questioned whether their personal information was secure with the retailer.
The stolen data also underpinned DragonForce’s double-extortion strategy: by threatening to publish sensitive customer and business data on its dark web leak site, the group added pressure to pay. M&S has not said publicly whether any ransom was paid; UK government advice is not to pay, and either way the company had to accept the risk that the data would be published.
The Third-Party Vendor Weakness
One of the most critical revelations from the M&S breach was the exploitation of third-party vendor relationships—specifically Tata Consultancy Services (TCS), which managed M&S’s IT help desk and other technology services.
According to CEO Stuart Machin’s statements reported by The Guardian, threat actors gained access “via one of M&S’s contractors using social engineering techniques.” Reuters specifically identified that at least two TCS employee logins were used as part of the breach.
The Third-Party Attack Vector:
- Attackers targeted TCS help desk personnel who had legitimate access to M&S systems
- Social engineering tactics convinced these personnel to reset credentials or grant access
- Once inside via the TCS connection, attackers could pivot to M&S’s core infrastructure
- M&S’s perimeter was not breached through a software vulnerability; the entry point was the trust placed in a vendor’s help desk, after which M&S’s own directory and virtualization infrastructure were fully compromised
Broader Supply Chain Implications: This attack highlighted a critical vulnerability affecting organizations globally: even robust internal security controls can be bypassed through trusted vendors with privileged access. The M&S incident demonstrated that:
- Third-party risk management must extend beyond contractual agreements to include active security monitoring
- Help desk operations represent high-value targets for social engineering
- Privileged access granted to service providers requires additional security layers
- Vendor security posture directly impacts client organization risk
Contractual Consequences: Following the breach, reports emerged that M&S was reviewing its relationship with TCS, with potential termination of service desk contracts under consideration as the retailer sought to prevent similar incidents.
This third-party dimension transformed the M&S breach from an isolated incident into a cautionary tale about supply chain security that resonated across industries and prompted widespread vendor security reassessments.
Part of a Coordinated UK Retail Attack Wave
The M&S attack was not an isolated incident but part of a coordinated campaign targeting major UK retailers throughout April and May 2025. According to Picus Security research, this retail-focused offensive demonstrated both sophistication and ambition from the Scattered Spider and DragonForce partnership.
Additional Confirmed Victims:
Co-op Group (Late April 2025): Days after the M&S attack, the Co-op—a major UK grocery and insurance retailer—disclosed that hackers had attempted to break into its systems. Initially characterized as contained with minimal impact, internal communications later revealed the severity. The Co-op suspended VPN access for all staff and instructed employees to verify all attendees on video during Teams meetings, suggesting attackers had potentially compromised internal accounts. The Co-op’s aggressive isolation of IT systems likely prevented the full ransomware deployment that devastated M&S.
Harrods (Early May 2025): The luxury London department store confirmed a cyberattack on May 1, 2025, becoming the third high-profile UK retailer hit within two weeks. Harrods’ IT security team restricted all internet access at stores and facilities as a precautionary measure. The attack was detected and contained before causing major operational disruption, with stores remaining operational and online shopping continuing. However, the timing and tactics suggested connection to the same threat actors.
Pattern Recognition: Security researchers noted consistent attack methodologies across all three incidents:
- Social engineering targeting IT help desks and service providers
- Focus on credential theft and lateral movement
- Deployment of DragonForce ransomware or preparation for deployment
- Double-extortion tactics threatening data publication
US Expansion: Google’s Threat Intelligence Group warned in mid-May 2025 that the actors behind the UK retail campaign were shifting focus to US companies, indicating a threat expanding beyond UK borders.
Industry-Wide Impact: The concentrated assault on UK retail during a critical shopping period appeared strategically designed to maximize pressure on victims and demonstrate the attackers’ capabilities. It prompted urgent security reviews across the entire retail sector globally.
Critical Lessons for Enterprise Security
The M&S breach provides invaluable insights for organizations seeking to strengthen their cybersecurity posture against sophisticated ransomware operations:
1. Social Engineering Remains the Primary Threat Vector
Technical defenses are only as strong as the human processes around them. Organizations must:
- Implement phishing-resistant MFA (FIDO2 security keys or platform authenticators) rather than SMS or push-based codes, and treat MFA re-enrolment and new device registration as privileged operations
- Train help desk personnel specifically against impersonation calls, since the help desk is where an attacker converts a name and a plausible story into working credentials
- Establish strict verification procedures before any credential reset or access grant: call back on the number held in the HR record, never one the caller supplies, and require a second approver for privileged accounts
- Test employee resistance with simulated social engineering against the help desk, not only email phishing
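To make the verification rules concrete, here is a policy-as-code check for a help desk reset request, added as an illustration rather than M&S or TCS procedure. The directory records, user names and phone numbers are constructed, and the rule set is an assumed baseline: it refuses to honour a callback number the caller supplies, and requires a separate-channel manager approval whenever the account is privileged or the request involves MFA re-enrolment.

```python
"""Help desk reset verification as policy-as-code (added illustration).

Directory records, names and numbers are constructed; the rules are an
assumed baseline, not M&S or TCS procedure.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Directory:
    phone_of_record: dict   # user -> phone number held in the HR system
    manager_of: dict        # user -> manager's user id
    privileged: set         # users holding admin or tier-0 rights


@dataclass
class ResetRequest:
    user: str
    reset_mfa: bool = False                    # MFA re-enrolment is the high-value ask
    requested_callback: Optional[str] = None   # number the caller offers, if any
    callback_verified: bool = False            # agent reached the user on the number of record
    approver: Optional[str] = None             # who approved, over a separate channel


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate(directory: Directory, req: ResetRequest) -> Decision:
    reasons = []
    record_number = directory.phone_of_record.get(req.user)
    if record_number is None:
        reasons.append("no phone of record: escalate, do not reset")
    # Rule 1: the agent calls the number of record, never one the caller
    # supplies. "My phone changed, call me on this one" is the lure.
    if req.requested_callback and req.requested_callback != record_number:
        reasons.append("caller-supplied callback number differs from record")
    if not req.callback_verified:
        reasons.append("identity not confirmed by callback to number of record")
    # Rule 2: privileged accounts and MFA re-enrolment need the user's manager
    # to approve on a channel the caller does not control.
    high_risk = req.user in directory.privileged or req.reset_mfa
    if high_risk and req.approver != directory.manager_of.get(req.user):
        reasons.append("high-risk reset requires manager approval on a separate channel")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample directory.
DIRECTORY = Directory(
    phone_of_record={"jsmith": "+44 20 7946 0000", "dadmin": "+44 20 7946 0001"},
    manager_of={"jsmith": "mlee", "dadmin": "ciso"},
    privileged={"dadmin"},
)

# Impersonator asks for an MFA reset and offers a "new" number to call back.
ATTACKER = ResetRequest("jsmith", reset_mfa=True, requested_callback="+44 7700 900123")
# Genuine user, reached on the number of record, no MFA change.
LEGIT = ResetRequest("jsmith", callback_verified=True)
# Domain admin verified by callback but with no second approver.
ADMIN_NO_APPROVAL = ResetRequest("dadmin", callback_verified=True)
ADMIN_APPROVED = ResetRequest("dadmin", callback_verified=True, approver="ciso")

if __name__ == "__main__":
    cases = [("attacker", ATTACKER), ("legit", LEGIT),
             ("admin no approval", ADMIN_NO_APPROVAL), ("admin approved", ADMIN_APPROVED)]
    for label, req in cases:
        d = evaluate(DIRECTORY, req)
        print(f"{label:18} allowed={d.allowed} {d.reasons}")
```

The point of encoding this is that the agent has no field in which to type a caller-supplied number as the verification channel, and a privileged reset cannot be completed by one person on one call; every refusal carries its reasons so the ticket trail shows why.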
2. Third-Party Risk Requires Active Management
The TCS help desk compromise shows that vendor security is organizational security:
- Conduct security assessments of every third-party provider with access to internal systems
- Apply zero-trust controls that verify each access request regardless of its source network
- Monitor vendor-held privileged accounts with the same rigor as internal ones, including logon times, source hosts and the accounts they reset
- Include breach notification, liability and incident response obligations in vendor contracts
- Audit vendor compliance with the agreed security standards on a regular cycle
3. Credential Protection Is Critical
Attackers held the complete Active Directory database long before deploying ransomware, so:
- Treat a suspected NTDS.dit theft as a full domain compromise: reset every privileged and service account and rotate the krbtgt account password twice, because every hash in that file stays valid until it is changed
- Deploy Credential Guard and run LSASS as a protected process (RunAsPPL) on all Windows endpoints
- Alert on directory replication requests (DCSync) from any account that is not a domain controller, and on ntdsutil or Volume Shadow Copy use on domain controllers
- Apply least privilege so that few accounts hold domain-wide rights, and tier administration so that domain admin credentials never touch workstations or help desk systems
- Use separate accounts for administrative tasks and everyday work
4. Defense-in-Depth Cannot Rely on Single Layers
DragonForce’s ability to disable security controls with BYOVD highlights the need for:
- Hypervisor-Protected Code Integrity (HVCI), which stops unsigned or tampered code from running in the kernel; on its own it still loads a validly signed driver that happens to be vulnerable, which is why the next item matters
- The Microsoft vulnerable driver blocklist (or an equivalent WDAC policy) so that known vulnerable drivers are refused even though their signatures verify
- Tamper-protected EDR configurations so that a local administrator cannot stop or uninstall the sensor
- Network segmentation to limit lateral movement after an endpoint is compromised, including restricting RDP and SMB admin shares to jump hosts
- Independent layers, for example network telemetry alongside endpoint agents, so that silencing one sensor does not blind the whole defense
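Catching a BYOVD driver is a blocklist problem, not a signature problem: the driver the attackers bring is validly signed, so a signature check passes it. The Python triage below is an added illustration (not DragonForce tooling and not a Microsoft product) that reads constructed Sysmon DriverLoad (Event ID 6) records, parses the Hashes field and flags loads that are blocklisted, unsigned, or loaded from a user-writable path. The blocklist entry, its hash, the signer names and the file names are placeholders; in practice the blocklist would come from the Microsoft vulnerable driver list or a vendor feed.

```python
"""Triage of kernel driver loads for BYOVD (added illustration).

Input records mimic Sysmon Event ID 6 (DriverLoad) fields. The blocklist hash
below is a placeholder, not a real driver hash.
"""
import re

# Constructed blocklist: SHA-256 -> why it is blocked.
VULNERABLE_DRIVER_SHA256 = {
    "a" * 64: "anti-rootkit driver exposing a process-kill IOCTL (placeholder hash)",
}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|windows\\temp)\\", re.I)


def parse_hashes(field):
    """Sysmon 'Hashes' is 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'; return {algo: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event):
    """Return the reasons a DriverLoad is suspicious (empty list means benign)."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        # A BYOVD driver normally carries a valid signature, so this lookup,
        # not the signature check below, is what catches it.
        reasons.append("blocklisted: " + VULNERABLE_DRIVER_SHA256[sha256])
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if USER_WRITABLE.search(event.get("ImageLoaded", "")):
        # Legitimate drivers install under System32\drivers; a kernel module
        # dropped into ProgramData or a user profile is worth a look by itself.
        reasons.append("loaded from user-writable path")
    return reasons


def triage(events):
    """Return [(ImageLoaded, reasons)] for DriverLoad records that merit review."""
    flagged = []
    for e in events:
        if e.get("EventID") != 6:
            continue
        reasons = assess_driver_load(e)
        if reasons:
            flagged.append((e.get("ImageLoaded", ""), reasons))
    return flagged


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Validly signed vendor driver, but blocklisted and dropped in a user path.
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\rk.sys",
     "Hashes": "SHA1=" + "c" * 40 + ",SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Example Security Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\x.sys",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},   # not a driver load
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Note that HVCI would not have stopped the second load: the signature is valid, so only the hash lookup (the blocklist) or the path heuristic fires. That is the division of labour the two bullet points above describe.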
5. Backup Strategy Must Assume Attacker Access
Ransomware operators routinely seek out and destroy backups before encrypting, so:
- Maintain immutable, offline backups that cannot be reached with credentials from the production domain
- Test restoration regularly under simulated attack conditions, including rebuilding Active Directory and ESXi hosts from scratch
- Keep air-gapped copies for critical systems
- Monitor backup system access as closely as production systems
- Design the backup architecture assuming attackers will attempt to delete or encrypt recovery points
6. Incident Response Preparation Accelerates Recovery
M&S’s prior simulation exercises enabled a faster initial response:
- Conduct tabletop exercises simulating ransomware scenarios
- Pre-establish incident response teams with clear roles and authorities
- Document and test communication plans for customers, employees, and stakeholders
- Maintain relationships with forensic investigators and legal counsel before incidents occur
- Ensure cyber insurance coverage is comprehensive and claim procedures are understood
7. Recovery Requires Balancing Speed with Security
M&S’s decision to prioritize complete system restoration over rapid recovery:
- Prevented reinfection from incompletely removed attacker access
- Allowed security hardening during the rebuilding process
- Required transparent customer communication about extended timelines
- May ultimately result in a stronger long-term security posture
8. Financial Planning Must Include Cyber Risk
The £300 million impact demonstrates cyber risk as enterprise-level financial exposure:
- Cyber insurance should be evaluated as part of comprehensive risk management
- Financial models should include realistic ransomware impact scenarios
- Board-level oversight of cybersecurity investment should reflect the potential loss magnitude
- Recovery costs extend far beyond ransom demands to include operational disruption
The M&S incident serves as a sobering reminder that even well-established organizations with substantial resources can fall victim to determined, sophisticated attackers. The combination of social engineering expertise and powerful ransomware capabilities represents a threat that requires constant vigilance, layered defenses, and organizational commitment to security at all levels.
Sources
- Reuters: M&S slow recovery from cyberattack puts it at risk of lasting damage
- The Guardian: M&S expects cyber-attack to last into July and cost £300m in lost profits
- BBC News: M&S cyber attack: What we know about it and its impact
- Picus Security: Retail Under Fire: Inside the DragonForce Ransomware Attacks
- Specops Software: DragonForce: Inside the Ransomware-as-a-Service group
- CNBC: M&S cyberattack to wipe out nearly one-third of annual profits
- BlackFog: Marks & Spencer Breach: How A Ransomware Attack Crippled a UK Retailer