
M&S hit by ransomware attack due to social engineering

Summary

– M&S suffered a ransomware attack after a sophisticated impersonation breach on April 17, in which threat actors tricked a third party into resetting an employee’s password.
– The attack was linked to the DragonForce ransomware operation, believed to be based in Asia, and involved Scattered Spider threat actors.
– M&S shut down systems to contain the attack, but 150GB of data was stolen and VMware ESXi servers were encrypted, the classic double-extortion pattern of data theft combined with encryption.
– M&S did not directly engage with the threat actors, instead relying on professionals, but refused to confirm if a ransom was paid.
– DragonForce has not leaked the stolen data, suggesting either a ransom was paid or negotiations are ongoing.

M&S recently fell victim to a sophisticated ransomware attack after cybercriminals used social engineering tactics to infiltrate the retailer’s systems. The breach, which occurred on April 17, involved threat actors impersonating an employee to manipulate a third-party service provider into resetting a password. This initial access point allowed the attackers to deploy DragonForce ransomware, causing widespread disruption.

During a UK parliamentary hearing, M&S chairman Archie Norman described the incident as a “sophisticated impersonation attack” rather than a simple password reset request. The attackers allegedly posed as a legitimate employee, leveraging detailed personal information to bypass security measures. While Norman avoided specifics, reports suggest IT outsourcing firm Tata Consultancy Services may have inadvertently facilitated the breach by resetting credentials under false pretenses.

DragonForce, the ransomware group behind the attack, is believed to operate from Asia, though confusion has arisen due to the unrelated hacktivist group “DragonForce Malaysia.” Security experts, however, link the incident to Scattered Spider, a cybercriminal collective known for high-profile ransomware campaigns. Once inside M&S’s network, the attackers encrypted VMware ESXi servers and allegedly stole around 150GB of sensitive data.

The company took drastic measures to contain the breach, including shutting down systems to prevent further spread. DragonForce typically employs double-extortion tactics, threatening to leak stolen data unless a ransom is paid. No stolen data has surfaced publicly, and the absence of an entry on DragonForce’s leak site suggests M&S may have negotiated privately.

When questioned about ransom payments, Norman remained evasive, stating the company deferred negotiations to “professionals experienced in such matters”, likely referencing specialized ransomware response firms. He declined to confirm whether a payment was made, citing public interest concerns, though authorities were fully briefed.

Given that ransomware groups rarely abandon stolen data without compensation, the lack of leaks implies either that a settlement was reached or that discussions remain ongoing. The incident underscores the growing threat of social engineering attacks and the critical need for businesses to strengthen third-party security protocols, in particular identity verification for help-desk password resets.

(Source: Bleeping Computer)
