Marks & Spencer (M&S), one of the UK’s largest retailers, has confirmed that a sophisticated social engineering attack was the initial vector for a major ransomware incident in April 2025. The breach, attributed to the DragonForce ransomware group, resulted in the encryption of critical systems and the theft of approximately 150GB of sensitive data. The attack underscores the growing threat of impersonation tactics and the risks associated with third-party service providers.
How the Attack Unfolded
Sophisticated Impersonation
- The breach began on April 17, 2025, when attackers impersonated an M&S employee to trick a third-party help desk into resetting a password.
- The attackers used detailed personal information to convincingly pose as a legitimate staff member, a method described by M&S chairman Archie Norman as “sophisticated impersonation.”
- The third-party involved was Tata Consultancy Services, which provides IT help desk support for M&S. Tata is believed to have been manipulated into resetting the password, granting attackers access to the M&S network.
Entry to Ransomware Deployment
- Once inside, the attackers deployed DragonForce ransomware, a group believed to operate out of Asia but distinct from the similarly named hacktivist group “DragonForce Malaysia.”
- The attack was linked to threat actors associated with Scattered Spider, who have a history of leveraging social engineering for initial access.
Impact and Response
Double-Extortion Tactics
- The ransomware encrypted numerous VMware ESXi servers, disrupting M&S operations.
- Approximately 150GB of data was stolen, with the attackers threatening to publish the data if a ransom was not paid—a classic double-extortion approach.
- M&S proactively shut down all systems to contain the attack, but the encryption and data theft had already occurred.
Ransom Negotiations
- M&S leadership decided not to engage directly with the attackers, instead relying on professional ransomware negotiators.
- When questioned about ransom payments, M&S declined to provide details, citing public interest and ongoing cooperation with the National Crime Agency (NCA) and authorities.
- As of the latest update, the stolen data has not appeared on DragonForce’s leak site, suggesting either a ransom was paid or negotiations are ongoing.
Key Lessons and Security Implications
Third-Party and Social Engineering Risks
- The attack highlights the vulnerability of large organizations to social engineering, especially when third-party vendors are involved in critical support roles.
- Even with advanced technical defenses, human factors and supply chain partners remain a significant risk vector.
Ransomware Trends
- DragonForce’s use of double-extortion tactics is now standard among major ransomware groups.
- The incident demonstrates the importance of rapid response, professional negotiation, and transparent communication with authorities.