Intermediate

Hot Takes: Inside a Microsoft Ransomware Attack

The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoin...

Table of Contents

Module 1: Inside the M&S Ransomware Attack

Incident Overview and Timeline

Marks & Spencer (M&S), a major UK retailer, experienced what it officially describes as a “cyber incident,” though all available indicators point to a ransomware attack. At the time this material was recorded, the situation was still unfolding, but the key facts already understood were as follows:

  • Attackers are believed to have gained initial access in February of the year in question.
  • The intrusion only became public on 19 April, meaning the attackers had an extended dwell time on the network of roughly two months before disclosure.
  • During that dwell time, the attackers exfiltrated the Active Directory database, obtaining password hashes for every domain account — administrators, standard users, and service accounts alike.

This “loiter and harvest” behavior — spending significant time inside the network before taking disruptive action — mirrors tactics seen from other threat actors such as Volt Typhoon, although the motivations and follow-on actions differ (nation-state pre-positioning vs. criminal ransomware monetization).

timeline
    title M&S Incident Chronology
    February : Initial access gained by attackers
             : Extended dwell time begins
    During dwell time : Active Directory database exfiltrated
                       : Password hashes obtained for all domain accounts
                       : Lateral movement across the network
    19 April : Incident becomes public
             : M&S confirms a "cyber incident"
    Following weeks : DragonForce ransomware deployed against ESXi servers
                     : Business operations disrupted (click-and-collect, online orders, in-store systems)
                     : Recovery and identity infrastructure rebuild begins

Initial Access and Active Directory Compromise

The most consequential technical event in this attack was the exfiltration of the Active Directory database. Once an attacker has a copy of this database, they effectively hold “the keys to the kingdom”: every account’s password hash can be cracked or relayed offline, at leisure, without triggering account lockout policies or other live-network detections.

With cracked or replayed credentials in hand, the attackers were able to move laterally across the network largely undetected, because they were authenticating as legitimate accounts rather than exploiting a technical vulnerability at each hop. This is why credential-focused attacks against identity infrastructure are considered so much more dangerous than a single-host compromise: capturing the domain’s credential material collapses the effort needed for lateral movement across the entire environment down to almost zero.

Once the attackers had established a solid foothold across the environment, they deployed the DragonForce ransomware, specifically targeting VMware ESXi hosts — a deliberate choice that maximized the operational impact of the encryption event.

Threat Actor Profile: Scattered Spider

The group linked to this attack is known as Scattered Spider. Unlike many stereotypical ransomware crews based in Eastern Europe or Russia, Scattered Spider is composed largely of young, English-speaking individuals based in the United States and United Kingdom. They are highly capable in both social engineering and technical exploitation, and they operate in loosely affiliated, collaborative communities that coordinate over platforms like Discord and Telegram.

Key characteristics of the group:

  • They frequently act as an affiliate for different ransomware operations rather than running a single, static toolset — deploying whichever encryptor payload (in this case, DragonForce) suits a given engagement.
  • They blend high-tech attacks with low-tech manipulation, including:
    • SIM swapping to hijack phone numbers used for account recovery or MFA.
    • Phishing calls to IT help desks, impersonating employees.
    • Social engineering staff into resetting multi-factor authentication (MFA) for accounts the attacker does not own.
  • Their playbook in the M&S case follows a now-familiar pattern: deep credential harvesting (the Active Directory dump), lateral movement using those harvested credentials, and deployment of a ransomware encryptor to halt operations.

DragonForce Ransomware and the Targeting of VMware ESXi

DragonForce, the ransomware payload deployed in this attack, was specifically aimed at VMware ESXi servers. This is a deliberate and increasingly common tactic among ransomware operators, because ESXi hosts are frequently a single point of failure for large virtualized environments.

Encrypting the hypervisor layer — rather than individual guest operating systems — has an outsized effect: instead of losing individual files, the organization loses entire virtual machines simultaneously, rendering everything built on top of that infrastructure unusable except for the bare host itself. This same technique has previously been observed against Hyper-V environments in other incidents, confirming that hypervisor-level encryption is now a standard ransomware objective rather than an edge case.

In the M&S case, the compromised VMs supported core business functions, including:

  • Click-and-collect order processing
  • Online order fulfillment
  • In-store systems, including point-of-sale/payment processing
  • Shelf restocking logistics

Because so many operational systems depended on the same virtualized infrastructure, the ransomware event translated directly into widespread, customer-visible business disruption — some store locations were unable to process payments or restock shelves at all.

sequenceDiagram
    autonumber
    participant Attacker
    participant Endpoint as Compromised Endpoint / Help Desk
    participant AD as Active Directory
    participant Net as Internal Network
    participant ESXi as VMware ESXi Hosts
    participant Biz as Business Systems<br/>(POS, click-and-collect, online orders)

    Attacker->>Endpoint: Initial access (Feb) via social engineering /<br/>credential compromise
    Attacker->>AD: Exfiltrate Active Directory database<br/>(password hashes for all domain accounts)
    Note over Attacker,AD: Extended dwell time (~2 months)<br/>before public disclosure
    Attacker->>Attacker: Crack/relay password hashes offline
    Attacker->>Net: Lateral movement using<br/>harvested/cracked credentials
    Attacker->>ESXi: Deploy DragonForce ransomware<br/>targeting hypervisor hosts
    ESXi-->>Biz: Virtual machines encrypted,<br/>entire business functions taken offline
    Note over Biz: Click-and-collect, online orders,<br/>and in-store payment/restocking disrupted
    Attacker->>Attacker: Retain stolen data for<br/>double-extortion leverage

Business and Financial Impact

The financial impact of the attack on M&S was severe:

  • The company lost more than £700 million (over $900 million USD) in market capitalization.
  • The e-commerce arm of the business, which normally generates nearly £4 million (over $5 million USD) per day, was completely suspended during the incident.

This illustrates how a ransomware event against core infrastructure (identity systems and virtualization hosts) can cascade into direct, measurable revenue loss at a scale far beyond the cost of any ransom payment or recovery effort.

Comparison to Prior Scattered Spider Campaigns: MGM and Caesars (2023)

Scattered Spider’s tactics in the M&S incident closely mirror the group’s earlier, well-documented attacks against MGM Resorts and Caesars Entertainment in 2023. In both of those cases, the group impersonated employees over the phone to convince IT help desk staff to reset multi-factor authentication, granting the attackers deep access to internal systems without needing to break any cryptography or exploit a software vulnerability.

AspectMGM Resorts (2023)Caesars Entertainment (2023)Marks & Spencer (this incident)
Initial accessHelp desk social engineering to reset MFAHelp desk social engineering to reset MFACredential compromise leading to AD database exfiltration
Credential/identity impactDeep internal access via reset MFADeep internal access via reset MFAFull domain password hash exfiltration
Business disruptionSlot machines offline, hotel check-ins disrupted, digital room keys stopped workingLimited public operational disruption reportedClick-and-collect, online orders, and in-store systems disrupted; e-commerce suspended
Extortion approachEncryption + disruptionRansom paid (~$15 million) to prevent data leak, no major operational encryption reportedEncryption (DragonForce on ESXi) + data theft (double extortion)
OutcomeWidespread outages, reputational damageRansom paid, data leak reportedly avoidedOver £700M market cap loss, e-commerce suspended

The comparison highlights an important evolution in the group’s approach: it is no longer just about encrypting systems. Attackers increasingly exfiltrate data first and use the threat of publicly leaking it as additional leverage — a double-extortion model that applies pressure whether or not the victim can restore from backup.

MITRE ATT&CK Technique Mapping

TacticTechnique IDTechnique NameObserved in this incident
Reconnaissance / Resource DevelopmentT1589Gather Victim Identity InformationUsed to support help-desk impersonation and social engineering
Initial AccessT1566 / T1656Phishing / ImpersonationPhishing IT help desks, impersonating employees to reset MFA
Credential AccessT1003OS Credential Dumping (Active Directory)Exfiltration of the Active Directory database and password hashes
Credential AccessT1621Multi-Factor Authentication Request Generation / MFA reset abuseTricking staff into resetting MFA for attacker-controlled sessions
DiscoveryT1087Account DiscoveryEnumerating domain accounts after AD compromise
Lateral MovementT1550Use Alternate Authentication Material (Pass the Hash)Using cracked/relayed hashes to move across the network undetected
Lateral MovementT1021Remote ServicesMoving between hosts using harvested credentials
ExfiltrationT1567Exfiltration Over Web ServiceData theft used for double-extortion leverage
ImpactT1486Data Encrypted for ImpactDragonForce ransomware deployed against ESXi hosts
ImpactT1490Inhibit System RecoveryTargeting/encrypting accessible backups to prevent restoration

Recovery Challenges After Identity Compromise

Recovering from this style of attack is far more complex than simply restoring from a tape backup, especially for an organization of M&S’s scale. Once the password hashes for the entire domain have been exfiltrated, the organization’s entire identity infrastructure must be considered compromised:

  • Domain controllers and service accounts can no longer be trusted.
  • Restoring a backup is not safe while the attacker may still have a foothold in the environment — doing so risks simply reintroducing the compromise.
  • The realistic remediation path is to rebuild identity infrastructure from scratch: resetting every account, reimaging affected machines, and doing all of this while under significant operational and public pressure.

VMware ESXi has become a favorite ransomware target precisely because compromising the hypervisor is so effective — attackers are now customizing ransomware tooling specifically for ESXi. The impact is not the loss of individual files, but the loss of entire virtual machines supporting whole categories of business operations.

A further complication: if backups are accessible from the compromised network and are not properly isolated, attackers can encrypt or destroy those backups as well, cutting off the victim’s recovery path entirely. In observed cases, threat actors have been known to:

  1. Locate and physically destroy on-site backup copies.
  2. Compromise cloud/backup provider API credentials to wipe or corrupt online/offline-replicated backups as well.

This underscores the importance of maintaining a genuinely isolated, offline or air-gapped physical backup copy that is unreachable from the production network under any circumstance.

Regulatory Obligations Under UK GDPR

Because the incident involved personal data, M&S faces the same regulatory obligations any UK organization would face under GDPR:

  • Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach involving personal data.
  • Inform affected customers directly if the breach poses a risk to their rights and freedoms.

The timing and precise wording of these breach communications matter significantly — errors or delays in notification can lead to substantial regulatory fines and additional legal exposure on top of the direct costs of the incident itself.

Wider Retail Sector Targeting: Co-op and Harrods

Around the same period, other UK retailers — including Co-op and Harrods — also disclosed cyberattacks. At the time of recording it was not yet confirmed whether these incidents were connected to the M&S attack or to each other, or whether ransomware was even involved in all cases. Regardless of direct linkage, the pattern is notable: retailers are clearly a high-value target for attackers right now.

Retailers are an attractive target because they concentrate several high-value data and operational assets in one place:

  • Payment card and transaction data
  • Personal customer data
  • Logistics and supply chain systems

This mirrors a broader pattern observed in 2024, when there was a wave of attacks against edge-facing devices across many industries. It remains an open question whether these retail incidents share a common exploited vulnerability (such as an unpatched zero-day in a system widely used by retailers), or whether they simply reflect the same threat actors applying a proven social-engineering-plus-ransomware playbook against a sector that is highly exposed due to:

  • Rapid expansion of digital/omnichannel operations increasing the overall attack surface.
  • Deep interconnection between IT and operational/point-of-sale systems.
  • Downtime being immediately, publicly visible — giving attackers additional extortion leverage, since disruption alone (independent of any data leak) damages the brand and revenue.

Defensive Recommendations

Drawing on the lessons from the M&S incident and its predecessors at MGM and Caesars, the following defensive priorities are recommended for any organization, but especially for retailers and other consumer-facing businesses with large, interconnected environments:

mindmap
  root((Defend Against Scattered-Spider-Style Ransomware))
    Identity and Access Management
      Zero-trust approach to IAM
      Robust multi-factor authentication
      Secure MFA reset workflows
      Help desk identity verification via multiple channels
      Step-up authentication for privileged/sensitive actions
    Network Segmentation
      Avoid flat networks
      Segment ESXi hosts and identity infrastructure
      Enforce internal firewalls / zero-trust network access
    Incident Response Readiness
      Tested IR and disaster recovery plans
      Tabletop exercises and red team drills
      Documentation usable by an average employee
      Practice to build response muscle memory
    Backup Resilience
      Immutable backups
      Air-gapped or isolated backup copies
      Regular recovery drills
      Verify restores do not reintroduce malware
    Organizational Culture
      Patch systems, but do not stop there
      Harden people and processes, not just technology
      Assume any digital-presence brand is a target
Recommendation AreaSpecific ActionWhy It Matters
Identity & Access ManagementEnforce zero-trust IAM and robust MFAPrevents attackers from relying solely on a single reused/harvested credential
Help Desk ProceduresRequire multi-channel identity verification before any MFA resetDirectly counters the SIM-swap / help-desk impersonation tactic used by Scattered Spider
Privileged AccessRequire step-up authentication for sensitive administrative actionsLimits blast radius even if a standard account is compromised
Network ArchitectureSegment critical systems (ESXi hosts, identity infrastructure) away from general user trafficSlows or blocks lateral movement even after initial access
Network ControlsDeploy internal firewalls / zero-trust network access (ZTNA)Reduces the effectiveness of “flat network” lateral movement
Incident ResponseRun tabletop exercises and red team drills regularlyBuilds the muscle memory needed to respond quickly under real pressure
DocumentationWrite IR runbooks so a typical employee could follow themEnsures response is not bottlenecked on a small number of experts
Backup StrategyMaintain immutable, air-gapped/offline backup copiesPrevents attackers from encrypting or destroying the organization’s last resort for recovery
Backup ValidationRegularly test restoresConfirms backups actually work and do not reintroduce attacker malware
Strategic PostureTreat identity compromise as equivalent to full domain compromiseDrives faster, more realistic recovery decisions (rebuild vs. simple restore)

Summary

The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoints. The attackers, attributed to the Scattered Spider collective, combined social-engineering-driven credential access with a full Active Directory database exfiltration, giving them the ability to move laterally undetected before deploying the DragonForce ransomware directly against VMware ESXi hosts. Because so much business-critical infrastructure was virtualized on those hosts, the resulting encryption event caused widespread, customer-visible disruption to click-and-collect, online ordering, and in-store systems, and translated into a loss of more than £700 million in market capitalization along with a full suspension of the e-commerce business.

This incident, and its clear parallels to the 2023 MGM and Caesars attacks, reinforces several durable lessons:

  • Identity compromise is total compromise. Once a domain’s credential material is exfiltrated, every account and every domain controller must be treated as untrustworthy, and recovery means rebuilding identity from scratch — not simply restoring a backup.
  • Hypervisors are a single point of failure. Ransomware operators increasingly target ESXi and other hypervisor platforms directly because doing so multiplies the impact of a single encryption event across entire fleets of virtual machines.
  • Double extortion is now standard. Attackers exfiltrate data before encrypting, so paying (or refusing to pay) a ransom no longer guarantees the absence of a data leak.
  • Backups must be genuinely isolated. Backups reachable from the compromised network are routinely targeted and destroyed or encrypted by attackers as part of the same campaign.
  • Regulatory timelines add pressure. UK GDPR’s 72-hour ICO notification requirement means breach communications must be prepared accurately and quickly, in parallel with technical containment.
  • Retail is a high-value target sector. The concentration of payment data, personal data, and logistics systems — combined with highly visible customer-facing downtime — makes retailers especially attractive to groups like Scattered Spider.

Defensive Checklist

  • Enforce zero-trust identity and access management with robust MFA everywhere.
  • Require multi-channel identity verification for any help desk-initiated MFA or credential reset.
  • Apply step-up authentication for privileged or sensitive administrative actions.
  • Segment critical infrastructure (hypervisors, domain controllers, identity systems) away from general network traffic.
  • Deploy internal firewalls or zero-trust network access to limit lateral movement.
  • Maintain immutable, air-gapped, or otherwise isolated offline backups that cannot be reached or altered from the production network.
  • Regularly test backup restoration to confirm integrity and confirm restores do not reintroduce attacker malware.
  • Run tabletop exercises and red team drills on a recurring basis, not just as a one-time compliance exercise.
  • Write incident response documentation clear enough for a non-specialist employee to execute.
  • Treat any confirmed Active Directory/credential exfiltration as a full identity compromise requiring a ground-up rebuild, not a simple restore.
  • Prepare breach notification processes in advance so regulatory deadlines (e.g., GDPR’s 72-hour ICO notification) can be met accurately under pressure.

Search Terms

hot · takes · inside · microsoft · ransomware · attack · security · threat · intel · networking · systems · compromise · defensive · scattered · spider · targeting

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.