Marks & Spencer Ransomware Attack Linked to Scattered Spider
A recent ransomware attack on British retail giant Marks & Spencer (M&S) has been linked to the notorious threat actor group Scattered Spider, according to sources close to the investigation. The attack, which was first reported on Tuesday, has caused widespread disruption to the company’s operations, including its contactless payment system and online ordering.
M&S, a British multinational retailer with over 1,400 stores worldwide and 64,000 employees, confirmed the cyberattack last Tuesday. The company has been working with cybersecurity experts to investigate and respond to the attack. According to BleepingComputer, the ransomware attack encrypted the company’s servers, causing ongoing outages.
The threat actors, believed to be associated with Scattered Spider, are thought to have first breached M&S as early as February, when they reportedly stole the Windows domain’s NTDS.dit file. This file contains the password hashes for Windows accounts, which threat actors can extract and crack offline to recover the associated plain-text passwords. BleepingComputer sources revealed that the threat actors used these credentials to spread laterally throughout the Windows domain, stealing data from network devices and servers.
The investigation, which has involved the help of CrowdStrike, Microsoft, and Fenix24, suggests that the threat actors deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines. BleepingComputer has learned that the attack is believed to be the work of Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra.
Scattered Spider is a classification of threat actors who are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing, and SIM swapping to gain initial network access to large organizations. These threat actors, who include young English-speaking people with diverse skill sets, frequent the same hacker forums, Telegram channels, and Discord servers to plan and conduct attacks in real time.
As BleepingComputer reported, Scattered Spider has been linked to several high-profile attacks in recent months, including the breach of MGM Resorts in September 2023. The group has been known to act as affiliates for various ransomware operations, including RansomHub, Qilin, and now, DragonForce.
Cybersecurity experts have been working to track Scattered Spider’s activities, but the group’s loose network of threat actors makes it difficult to monitor their actions. BleepingComputer was told that law enforcement has been increasingly targeting these threat actors, arresting people in the US, the UK, and Spain.
In response to the attack, M&S has said that they cannot go into details about the cyber incident. However, BleepingComputer has confirmed that the company is working closely with cybersecurity experts to investigate and respond to the attack.
The incident highlights the growing threat of ransomware attacks on large organizations and the need for robust cybersecurity measures to prevent such breaches. As the investigation continues, BleepingComputer will provide updates on the developing story.
According to BleepingComputer, the incident serves as a reminder of the importance of staying vigilant in the face of evolving cyber threats. The publication notes that Scattered Spider’s tactics, including social engineering attacks and phishing, are becoming increasingly sophisticated, making it essential for organizations to stay ahead of the threat.
The ransomware attack on M&S is a significant reminder of the potential consequences of a cyber breach. As BleepingComputer reports, the attack has caused significant disruption to the company’s operations, highlighting the need for organizations to prioritize cybersecurity and have incident response plans in place.
In conclusion, the ransomware attack on Marks & Spencer, linked to Scattered Spider, serves as a stark reminder of the evolving cyber threat landscape. As BleepingComputer continues to investigate the incident, it is clear that organizations must remain vigilant and take proactive measures to protect themselves against the growing threat of ransomware attacks.