Table of Contents
- Module 1: Inside the M&S Ransomware Attack
- Incident Overview and Timeline
- Initial Access and Active Directory Compromise
- Threat Actor Profile: Scattered Spider
- DragonForce Ransomware and the Targeting of VMware ESXi
- Business and Financial Impact
- Comparison to Prior Scattered Spider Campaigns: MGM and Caesars (2023)
- Recovery Challenges After Identity Compromise
- Regulatory Obligations Under UK GDPR
- Wider Retail Sector Targeting: Co-op and Harrods
- Defensive Recommendations
- Summary
Module 1: Inside the M&S Ransomware Attack
Incident Overview and Timeline
Marks & Spencer (M&S), a major UK retailer, experienced what it officially describes as a “cyber incident,” though all available indicators point to a ransomware attack. At the time this material was recorded, the situation was still unfolding, but the key facts already understood were as follows:
- Attackers are believed to have gained initial access in February of the year in question.
- The intrusion only became public on 19 April, meaning the attackers had an extended dwell time on the network of roughly two months before disclosure.
- During that dwell time, the attackers exfiltrated the Active Directory database, obtaining password hashes for every domain account — administrators, standard users, and service accounts alike.
This “loiter and harvest” behavior — spending significant time inside the network before taking disruptive action — mirrors tactics seen from other threat actors such as Volt Typhoon, although the motivations and follow-on actions differ (nation-state pre-positioning vs. criminal ransomware monetization).
timeline
title M&S Incident Chronology
February : Initial access gained by attackers
: Extended dwell time begins
During dwell time : Active Directory database exfiltrated
: Password hashes obtained for all domain accounts
: Lateral movement across the network
19 April : Incident becomes public
: M&S confirms a "cyber incident"
Following weeks : DragonForce ransomware deployed against ESXi servers
: Business operations disrupted (click-and-collect, online orders, in-store systems)
: Recovery and identity infrastructure rebuild begins
Initial Access and Active Directory Compromise
The most consequential technical event in this attack was the exfiltration of the Active Directory database. Once an attacker has a copy of this database, they effectively hold “the keys to the kingdom”: every account’s password hash can be cracked or relayed offline, at leisure, without triggering account lockout policies or other live-network detections.
With cracked or replayed credentials in hand, the attackers were able to move laterally across the network largely undetected, because they were authenticating as legitimate accounts rather than exploiting a technical vulnerability at each hop. This is why credential-focused attacks against identity infrastructure are considered so much more dangerous than a single-host compromise: capturing the domain’s credential material collapses the effort needed for lateral movement across the entire environment down to almost zero.
Once the attackers had established a solid foothold across the environment, they deployed the DragonForce ransomware, specifically targeting VMware ESXi hosts — a deliberate choice that maximized the operational impact of the encryption event.
Threat Actor Profile: Scattered Spider
The group linked to this attack is known as Scattered Spider. Unlike many stereotypical ransomware crews based in Eastern Europe or Russia, Scattered Spider is composed largely of young, English-speaking individuals based in the United States and United Kingdom. They are highly capable in both social engineering and technical exploitation, and they operate in loosely affiliated, collaborative communities that coordinate over platforms like Discord and Telegram.
Key characteristics of the group:
- They frequently act as an affiliate for different ransomware operations rather than running a single, static toolset — deploying whichever encryptor payload (in this case, DragonForce) suits a given engagement.
- They blend high-tech attacks with low-tech manipulation, including:
- SIM swapping to hijack phone numbers used for account recovery or MFA.
- Phishing calls to IT help desks, impersonating employees.
- Social engineering staff into resetting multi-factor authentication (MFA) for accounts the attacker does not own.
- Their playbook in the M&S case follows a now-familiar pattern: deep credential harvesting (the Active Directory dump), lateral movement using those harvested credentials, and deployment of a ransomware encryptor to halt operations.
DragonForce Ransomware and the Targeting of VMware ESXi
DragonForce, the ransomware payload deployed in this attack, was specifically aimed at VMware ESXi servers. This is a deliberate and increasingly common tactic among ransomware operators, because ESXi hosts are frequently a single point of failure for large virtualized environments.
Encrypting the hypervisor layer — rather than individual guest operating systems — has an outsized effect: instead of losing individual files, the organization loses entire virtual machines simultaneously, rendering everything built on top of that infrastructure unusable except for the bare host itself. This same technique has previously been observed against Hyper-V environments in other incidents, confirming that hypervisor-level encryption is now a standard ransomware objective rather than an edge case.
In the M&S case, the compromised VMs supported core business functions, including:
- Click-and-collect order processing
- Online order fulfillment
- In-store systems, including point-of-sale/payment processing
- Shelf restocking logistics
Because so many operational systems depended on the same virtualized infrastructure, the ransomware event translated directly into widespread, customer-visible business disruption — some store locations were unable to process payments or restock shelves at all.
sequenceDiagram
autonumber
participant Attacker
participant Endpoint as Compromised Endpoint / Help Desk
participant AD as Active Directory
participant Net as Internal Network
participant ESXi as VMware ESXi Hosts
participant Biz as Business Systems<br/>(POS, click-and-collect, online orders)
Attacker->>Endpoint: Initial access (Feb) via social engineering /<br/>credential compromise
Attacker->>AD: Exfiltrate Active Directory database<br/>(password hashes for all domain accounts)
Note over Attacker,AD: Extended dwell time (~2 months)<br/>before public disclosure
Attacker->>Attacker: Crack/relay password hashes offline
Attacker->>Net: Lateral movement using<br/>harvested/cracked credentials
Attacker->>ESXi: Deploy DragonForce ransomware<br/>targeting hypervisor hosts
ESXi-->>Biz: Virtual machines encrypted,<br/>entire business functions taken offline
Note over Biz: Click-and-collect, online orders,<br/>and in-store payment/restocking disrupted
Attacker->>Attacker: Retain stolen data for<br/>double-extortion leverage
Business and Financial Impact
The financial impact of the attack on M&S was severe:
- The company lost more than £700 million (over $900 million USD) in market capitalization.
- The e-commerce arm of the business, which normally generates nearly £4 million (over $5 million USD) per day, was completely suspended during the incident.
This illustrates how a ransomware event against core infrastructure (identity systems and virtualization hosts) can cascade into direct, measurable revenue loss at a scale far beyond the cost of any ransom payment or recovery effort.
Comparison to Prior Scattered Spider Campaigns: MGM and Caesars (2023)
Scattered Spider’s tactics in the M&S incident closely mirror the group’s earlier, well-documented attacks against MGM Resorts and Caesars Entertainment in 2023. In both of those cases, the group impersonated employees over the phone to convince IT help desk staff to reset multi-factor authentication, granting the attackers deep access to internal systems without needing to break any cryptography or exploit a software vulnerability.
| Aspect | MGM Resorts (2023) | Caesars Entertainment (2023) | Marks & Spencer (this incident) |
|---|---|---|---|
| Initial access | Help desk social engineering to reset MFA | Help desk social engineering to reset MFA | Credential compromise leading to AD database exfiltration |
| Credential/identity impact | Deep internal access via reset MFA | Deep internal access via reset MFA | Full domain password hash exfiltration |
| Business disruption | Slot machines offline, hotel check-ins disrupted, digital room keys stopped working | Limited public operational disruption reported | Click-and-collect, online orders, and in-store systems disrupted; e-commerce suspended |
| Extortion approach | Encryption + disruption | Ransom paid (~$15 million) to prevent data leak, no major operational encryption reported | Encryption (DragonForce on ESXi) + data theft (double extortion) |
| Outcome | Widespread outages, reputational damage | Ransom paid, data leak reportedly avoided | Over £700M market cap loss, e-commerce suspended |
The comparison highlights an important evolution in the group’s approach: it is no longer just about encrypting systems. Attackers increasingly exfiltrate data first and use the threat of publicly leaking it as additional leverage — a double-extortion model that applies pressure whether or not the victim can restore from backup.
MITRE ATT&CK Technique Mapping
| Tactic | Technique ID | Technique Name | Observed in this incident |
|---|---|---|---|
| Reconnaissance / Resource Development | T1589 | Gather Victim Identity Information | Used to support help-desk impersonation and social engineering |
| Initial Access | T1566 / T1656 | Phishing / Impersonation | Phishing IT help desks, impersonating employees to reset MFA |
| Credential Access | T1003 | OS Credential Dumping (Active Directory) | Exfiltration of the Active Directory database and password hashes |
| Credential Access | T1621 | Multi-Factor Authentication Request Generation / MFA reset abuse | Tricking staff into resetting MFA for attacker-controlled sessions |
| Discovery | T1087 | Account Discovery | Enumerating domain accounts after AD compromise |
| Lateral Movement | T1550 | Use Alternate Authentication Material (Pass the Hash) | Using cracked/relayed hashes to move across the network undetected |
| Lateral Movement | T1021 | Remote Services | Moving between hosts using harvested credentials |
| Exfiltration | T1567 | Exfiltration Over Web Service | Data theft used for double-extortion leverage |
| Impact | T1486 | Data Encrypted for Impact | DragonForce ransomware deployed against ESXi hosts |
| Impact | T1490 | Inhibit System Recovery | Targeting/encrypting accessible backups to prevent restoration |
Recovery Challenges After Identity Compromise
Recovering from this style of attack is far more complex than simply restoring from a tape backup, especially for an organization of M&S’s scale. Once the password hashes for the entire domain have been exfiltrated, the organization’s entire identity infrastructure must be considered compromised:
- Domain controllers and service accounts can no longer be trusted.
- Restoring a backup is not safe while the attacker may still have a foothold in the environment — doing so risks simply reintroducing the compromise.
- The realistic remediation path is to rebuild identity infrastructure from scratch: resetting every account, reimaging affected machines, and doing all of this while under significant operational and public pressure.
VMware ESXi has become a favorite ransomware target precisely because compromising the hypervisor is so effective — attackers are now customizing ransomware tooling specifically for ESXi. The impact is not the loss of individual files, but the loss of entire virtual machines supporting whole categories of business operations.
A further complication: if backups are accessible from the compromised network and are not properly isolated, attackers can encrypt or destroy those backups as well, cutting off the victim’s recovery path entirely. In observed cases, threat actors have been known to:
- Locate and physically destroy on-site backup copies.
- Compromise cloud/backup provider API credentials to wipe or corrupt online/offline-replicated backups as well.
This underscores the importance of maintaining a genuinely isolated, offline or air-gapped physical backup copy that is unreachable from the production network under any circumstance.
Regulatory Obligations Under UK GDPR
Because the incident involved personal data, M&S faces the same regulatory obligations any UK organization would face under GDPR:
- Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach involving personal data.
- Inform affected customers directly if the breach poses a risk to their rights and freedoms.
The timing and precise wording of these breach communications matter significantly — errors or delays in notification can lead to substantial regulatory fines and additional legal exposure on top of the direct costs of the incident itself.
Wider Retail Sector Targeting: Co-op and Harrods
Around the same period, other UK retailers — including Co-op and Harrods — also disclosed cyberattacks. At the time of recording it was not yet confirmed whether these incidents were connected to the M&S attack or to each other, or whether ransomware was even involved in all cases. Regardless of direct linkage, the pattern is notable: retailers are clearly a high-value target for attackers right now.
Retailers are an attractive target because they concentrate several high-value data and operational assets in one place:
- Payment card and transaction data
- Personal customer data
- Logistics and supply chain systems
This mirrors a broader pattern observed in 2024, when there was a wave of attacks against edge-facing devices across many industries. It remains an open question whether these retail incidents share a common exploited vulnerability (such as an unpatched zero-day in a system widely used by retailers), or whether they simply reflect the same threat actors applying a proven social-engineering-plus-ransomware playbook against a sector that is highly exposed due to:
- Rapid expansion of digital/omnichannel operations increasing the overall attack surface.
- Deep interconnection between IT and operational/point-of-sale systems.
- Downtime being immediately, publicly visible — giving attackers additional extortion leverage, since disruption alone (independent of any data leak) damages the brand and revenue.
Defensive Recommendations
Drawing on the lessons from the M&S incident and its predecessors at MGM and Caesars, the following defensive priorities are recommended for any organization, but especially for retailers and other consumer-facing businesses with large, interconnected environments:
mindmap
root((Defend Against Scattered-Spider-Style Ransomware))
Identity and Access Management
Zero-trust approach to IAM
Robust multi-factor authentication
Secure MFA reset workflows
Help desk identity verification via multiple channels
Step-up authentication for privileged/sensitive actions
Network Segmentation
Avoid flat networks
Segment ESXi hosts and identity infrastructure
Enforce internal firewalls / zero-trust network access
Incident Response Readiness
Tested IR and disaster recovery plans
Tabletop exercises and red team drills
Documentation usable by an average employee
Practice to build response muscle memory
Backup Resilience
Immutable backups
Air-gapped or isolated backup copies
Regular recovery drills
Verify restores do not reintroduce malware
Organizational Culture
Patch systems, but do not stop there
Harden people and processes, not just technology
Assume any digital-presence brand is a target
| Recommendation Area | Specific Action | Why It Matters |
|---|---|---|
| Identity & Access Management | Enforce zero-trust IAM and robust MFA | Prevents attackers from relying solely on a single reused/harvested credential |
| Help Desk Procedures | Require multi-channel identity verification before any MFA reset | Directly counters the SIM-swap / help-desk impersonation tactic used by Scattered Spider |
| Privileged Access | Require step-up authentication for sensitive administrative actions | Limits blast radius even if a standard account is compromised |
| Network Architecture | Segment critical systems (ESXi hosts, identity infrastructure) away from general user traffic | Slows or blocks lateral movement even after initial access |
| Network Controls | Deploy internal firewalls / zero-trust network access (ZTNA) | Reduces the effectiveness of “flat network” lateral movement |
| Incident Response | Run tabletop exercises and red team drills regularly | Builds the muscle memory needed to respond quickly under real pressure |
| Documentation | Write IR runbooks so a typical employee could follow them | Ensures response is not bottlenecked on a small number of experts |
| Backup Strategy | Maintain immutable, air-gapped/offline backup copies | Prevents attackers from encrypting or destroying the organization’s last resort for recovery |
| Backup Validation | Regularly test restores | Confirms backups actually work and do not reintroduce attacker malware |
| Strategic Posture | Treat identity compromise as equivalent to full domain compromise | Drives faster, more realistic recovery decisions (rebuild vs. simple restore) |
Summary
The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoints. The attackers, attributed to the Scattered Spider collective, combined social-engineering-driven credential access with a full Active Directory database exfiltration, giving them the ability to move laterally undetected before deploying the DragonForce ransomware directly against VMware ESXi hosts. Because so much business-critical infrastructure was virtualized on those hosts, the resulting encryption event caused widespread, customer-visible disruption to click-and-collect, online ordering, and in-store systems, and translated into a loss of more than £700 million in market capitalization along with a full suspension of the e-commerce business.
This incident, and its clear parallels to the 2023 MGM and Caesars attacks, reinforces several durable lessons:
- Identity compromise is total compromise. Once a domain’s credential material is exfiltrated, every account and every domain controller must be treated as untrustworthy, and recovery means rebuilding identity from scratch — not simply restoring a backup.
- Hypervisors are a single point of failure. Ransomware operators increasingly target ESXi and other hypervisor platforms directly because doing so multiplies the impact of a single encryption event across entire fleets of virtual machines.
- Double extortion is now standard. Attackers exfiltrate data before encrypting, so paying (or refusing to pay) a ransom no longer guarantees the absence of a data leak.
- Backups must be genuinely isolated. Backups reachable from the compromised network are routinely targeted and destroyed or encrypted by attackers as part of the same campaign.
- Regulatory timelines add pressure. UK GDPR’s 72-hour ICO notification requirement means breach communications must be prepared accurately and quickly, in parallel with technical containment.
- Retail is a high-value target sector. The concentration of payment data, personal data, and logistics systems — combined with highly visible customer-facing downtime — makes retailers especially attractive to groups like Scattered Spider.
Defensive Checklist
- Enforce zero-trust identity and access management with robust MFA everywhere.
- Require multi-channel identity verification for any help desk-initiated MFA or credential reset.
- Apply step-up authentication for privileged or sensitive administrative actions.
- Segment critical infrastructure (hypervisors, domain controllers, identity systems) away from general network traffic.
- Deploy internal firewalls or zero-trust network access to limit lateral movement.
- Maintain immutable, air-gapped, or otherwise isolated offline backups that cannot be reached or altered from the production network.
- Regularly test backup restoration to confirm integrity and confirm restores do not reintroduce attacker malware.
- Run tabletop exercises and red team drills on a recurring basis, not just as a one-time compliance exercise.
- Write incident response documentation clear enough for a non-specialist employee to execute.
- Treat any confirmed Active Directory/credential exfiltration as a full identity compromise requiring a ground-up rebuild, not a simple restore.
- Prepare breach notification processes in advance so regulatory deadlines (e.g., GDPR’s 72-hour ICO notification) can be met accurately under pressure.
Search Terms
hot · takes · inside · microsoft · ransomware · attack · security · threat · intel · networking · systems · compromise · defensive · scattered · spider · targeting