Ransomware · Contained

Marks & Spencer DragonForce ransomware (Scattered Spider, 2025)

Social-engineering of a third-party service desk gave Scattered Spider a domain administrator, which they used to deploy DragonForce ransomware on M&S's VMware ESXi estate at Easter 2025 — knocking out contactless payments, Click & Collect, and online ordering for over six weeks.

Victim
Marks & Spencer
Loss
$550.0M

In April 2025, Marks & Spencer — one of the UK's largest retailers — was crippled by a ransomware attack that bridged two of the most prolific English-speaking extortion crews: Scattered Spider for the initial intrusion, DragonForce for the encryption payload. The disruption defined the UK retail cyber story of 2025 and is now a reference case for service-desk social engineering.

What happened

Attackers compromised M&S as early as February 2025 by impersonating an employee on a call to a third-party service desk, which then reset the account's password for them. From that foothold they escalated to domain administrator privileges and exfiltrated the Active Directory NTDS.dit file (which contains the password hashes for every account in the domain).

Disruption became visible to customers on Easter weekend, 19–21 April 2025, when contactless payments and Click & Collect started failing in stores. On 24 April the operators deployed DragonForce ransomware against M&S's VMware ESXi hosts, encrypting the virtual machines that ran e-commerce, payment processing, and logistics. The company suspended online ordering the next day; the website did not fully return for over six weeks.

M&S CEO Stuart Machin received a taunting message from DragonForce sent from an internal M&S employee account, confirming both the attribution and the depth of the access.

Impact

  • Online ordering offline for ~46 days (25 April to 10 June 2025).
  • Estimated annual profit hit: £300 million; total economic impact estimated by the UK Cyber Monitoring Centre at £270m–£440m ($350–550m) for the combined M&S / Co-op / Harrods campaign.
  • Active Directory hash dump means every M&S domain credential had to be considered compromised and rotated.
  • Four arrests by the UK National Crime Agency in July 2025, including a 17-year-old, linked to the campaign against UK retailers.

Why it matters

The intrusion did not require a zero-day or a sophisticated implant — it required a phone call to a help desk and a willingness to read a script. The weakest link was a third-party support contractor with the authority to reset passwords on privileged accounts. Identity verification at the help desk is now top of every UK retail CISO's agenda.

Financial impact

Reported costs in USD

Total reported loss: $550.0M (USD 550,000,000)
  • Business loss: $400.0M

Timeline

  1. Attackers gain initial access to M&S's network and exfiltrate the Active Directory NTDS.dit file after socially engineering a password reset from a third-party service desk.

  2. Easter weekend: in-store contactless payments and Click & Collect order pickups begin failing across the UK.

  3. DragonForce ransomware is detonated against M&S's VMware ESXi hosts, encrypting virtual machines running e-commerce, payments, and logistics.

  4. M&S suspends online shopping via website and mobile app.

  5. M&S brings its website back online in read-only mode.

  6. Limited online clothing orders resume after a 46-day outage.

  7. UK National Crime Agency arrests four people, including a 17-year-old, in connection with the M&S, Co-op, and Harrods attacks.

Sources

  1. blackfog.com: https://www.blackfog.com/marks-and-spencer-ransomware-attack/
  2. thehackernews.com: https://thehackernews.com/2025/07/four-arrested-in-440m-cyber-attack-on.html
  3. picussecurity.com: https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants
  4. specopssoft.com: https://specopssoft.com/blog/marks-spencer-ransomware-active-directory/

Related incidents

Ransomware · Ransom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim
Caesars Entertainment
Loss
$15.0M
Ransomware · Contained

Asahi Group Holdings Qilin ransomware (2025)

Qilin ransomware operators encrypted servers across Asahi's Japanese data centres, halting ordering, shipment, and production at 30 factories, leaking 27 GB of internal data, and exposing personal information of approximately 1.5 million customers, employees, and contacts.

Victim
Asahi Group Holdings
Loss
$31.4M
Records
1.5M