- Severity
- critical
- Records
- Unknown
- Vector
- Social Engineering — vishing to third-party service desk for password reset
- Organization
- Marks & Spencer
- Incident Date
- 2025-02-01
Executive summary
British retail giant Marks & Spencer (M&S) suffered a devastating ransomware attack in April 2025 after threat actors associated with Scattered Spider social-engineered a third-party service desk into resetting an employee's password. Using that access, the attackers exfiltrated the Active Directory database (NTDS.dit), deployed DragonForce ransomware across M&S's VMware infrastructure, and forced the retailer to suspend online sales for 46 days, at an estimated cost of £300 million (~$400 million) in lost profit.
Incident overview
| Attribute | Details |
|---|---|
| Victim organization | Marks & Spencer plc |
| Industry | Retail |
| Headquarters | London, United Kingdom |
| Employees | 64,000+ |
| Attack start | February 2025 (initial access) |
| Ransomware deployment | April 24, 2025 |
| Online sales restored | June 10, 2025 |
| Downtime | 46 days |
| Financial impact | £300 million (~$400 million) lost profit |
| Stock impact | £500 million+ market cap loss |
| Threat actors | Scattered Spider (initial access and intrusion); DragonForce (ransomware-as-a-service payload) |
Timeline
| Date | Event |
|---|---|
| February 2025 | Initial breach; NTDS.dit file stolen |
| April 19-21, 2025 | Easter Weekend - In-store payment glitches begin |
| April 23, 2025 | CEO Stuart Machin receives ransom message via employee email |
| April 24, 2025 | DragonForce ransomware deployed on VMware ESXi hosts |
| April 25, 2025 | M&S suspends online shopping |
| April 29, 2025 | M&S confirms cybersecurity incident |
| May 2, 2025 | Harrods and Co-op report similar attacks |
| May 13, 2025 | M&S confirms customer data was breached |
| June 10, 2025 | Online clothing orders resume after 46-day hiatus |
| July 2025 | Full online operations expected to resume |
Attack methodology
Stage 1: Social engineering
| Tactic | Details |
|---|---|
| Target | Third-party service desk |
| Method | Phone call impersonating M&S employee |
| Request | Password reset for employee account |
| Outcome | Attackers obtained valid credentials |
M&S Chairman Archie Norman confirmed:
“Attackers impersonated an M&S employee and called the service desk run by a third party, who carried out a password reset for them.”
Stage 2: Active Directory compromise
| Action | Impact |
|---|---|
| Credential use | Logged into M&S network |
| AD exploitation | Exfiltrated NTDS.dit file |
| NTDS.dit contents | Password hashes (and Kerberos keys) for every domain account, encrypted with the boot key held in the SYSTEM registry hive |
| Lateral movement | Full domain compromise |
The NTDS.dit file is the Active Directory database; it holds the password hashes of every account in the domain. The hashes are encrypted with the boot key stored in the SYSTEM registry hive, so an attacker typically takes both files (an `ntdsutil` IFM snapshot bundles them together). Once decrypted, NTLM hashes can be cracked offline or used directly in pass-the-hash attacks, and the krbtgt hash allows forged Kerberos tickets, so a single theft effectively hands over every identity in the domain until all credentials (including krbtgt, rotated twice) are changed.
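The two techniques most often used to obtain NTDS.dit (copying the locked file via a shadow copy or IFM snapshot, and DCSync replication of the hashes over the network) each leave a distinct trail in the Windows Security log, which is what the "AD monitoring" lesson later in this page asks for. The following detection logic is an added example written for this page, not an M&S or vendor detection. The event records are constructed; the replication-right GUIDs are the real Active Directory schema values; `msol_sync` is a placeholder for a legitimate sync account. Process-creation events (4688) need command-line auditing enabled, and 4662 events only appear when a SACL for Directory Service Access is configured on the domain naming context.

```python
"""Detect NTDS.dit extraction and DCSync from Windows Security events.

Added example (not the article's or any product's code). Event dicts below
are constructed; field names mirror the Windows Security log (EventID 4688
process creation, EventID 4662 directory service object access).
"""
import re
from collections import defaultdict

# Extended-right GUIDs exercised by DCSync (real values from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# (stage, regex) for command lines that copy the locked database or the SYSTEM
# hive that decrypts it. An IFM snapshot bundles both, so it is complete alone.
DUMP_PATTERNS = [
    ("ifm", r"ntdsutil.*\bifm\b.*create\s+full"),
    ("database", r"vssadmin.*create\s+shadow"),
    ("database", r"diskshadow"),
    ("database", r"esentutl.*\s/y\s.*ntds\.dit"),
    ("database", r"\bcopy\b.*\\ntds\.dit"),
    ("bootkey", r"\breg(\.exe)?\s+save\s+hklm\\system\b"),
]

# Principals allowed to replicate: domain controllers (machine accounts end in
# "$") plus named sync accounts. "msol_sync" is a placeholder; adjust per site.
REPLICATION_ALLOWLIST = {"msol_sync"}


def classify_command(command_line):
    """Return the dump stage ("ifm", "database", "bootkey") a 4688 command line
    matches, or None when it matches nothing."""
    for stage, pattern in DUMP_PATTERNS:
        if re.search(pattern, command_line, re.IGNORECASE):
            return stage
    return None


def replication_right(event):
    """For a 4662 event, return the replication right name when a non-DC,
    non-allowlisted principal exercised it (the DCSync signature), else None."""
    user = event.get("SubjectUserName", "")
    if user.endswith("$") or user.lower() in REPLICATION_ALLOWLIST:
        return None
    props = event.get("Properties", "").lower()
    for guid, right in REPLICATION_RIGHTS.items():
        if guid in props:
            return right
    return None


def detect(events):
    """Run both rules over a list of event dicts and return alert dicts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4688:
            stage = classify_command(ev.get("CommandLine", ""))
            if stage:
                alerts.append({"rule": "ntds-dump", "stage": stage,
                               "host": ev["Computer"], "user": ev["SubjectUserName"]})
        elif ev.get("EventID") == 4662:
            right = replication_right(ev)
            if right:
                alerts.append({"rule": "dcsync", "stage": right,
                               "host": ev["Computer"], "user": ev["SubjectUserName"]})
    return alerts


def critical_actors(alerts):
    """Escalate (host, user) pairs that obtained a usable credential dump:
    an IFM snapshot alone, or a database copy plus the SYSTEM hive."""
    stages = defaultdict(set)
    for a in alerts:
        if a["rule"] == "ntds-dump":
            stages[(a["host"], a["user"])].add(a["stage"])
    return sorted(k for k, s in stages.items()
                  if "ifm" in s or {"database", "bootkey"} <= s)


SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\dump" q q'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": "reg.exe save hklm\\system C:\\Temp\\dump\\system.hiv"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jsmith",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jsmith",
     "CommandLine": "notepad.exe C:\\Users\\jsmith\\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("critical:", critical_actors(detect(SAMPLE_EVENTS)))
```

On the constructed input the first two 4688 records fire as an IFM snapshot and a SYSTEM hive export by the same account on DC01, which `critical_actors` escalates; the 4662 record for `jsmith` fires as DCSync, while the identical record for the machine account `DC02$` is treated as normal replication. The machine-account exclusion is the usual source of false negatives if an attacker operates from a compromised DC account, so pair this with an allowlist of known DC names rather than the `$` suffix alone in production.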
Stage 3: Ransomware deployment
| Target | Details |
|---|---|
| Platform | VMware ESXi hosts |
| Ransomware | DragonForce |
| Impact | Virtual machines encrypted |
| Systems affected | E-commerce, payments, logistics |
Business impact
Operational disruption
| System | Impact |
|---|---|
| Online shopping | Suspended 46 days |
| In-store payments | Contactless failures |
| Click & Collect | Service unavailable |
| Logistics | Fulfillment disrupted |
| Food supply | Some shortages reported |
Financial impact
| Metric | Amount |
|---|---|
| Lost profit | £300 million (~$400 million) |
| Daily online sales loss | £3.8 million (~$5.1 million) |
| Stock market cap loss | £500 million+ (~$668 million) |
| Recovery costs | Not disclosed |
Customer impact
| Effect | Details |
|---|---|
| Shopping disruption | Unable to order online |
| Payment failures | In-store contactless issues |
| Data exposure | Personal information confirmed breached |
| Click & Collect | Orders unfulfillable |
Data exposed
Confirmed breached
| Data type | Status |
|---|---|
| Customer names | Confirmed |
| Contact details | Confirmed |
| Dates of birth | Some customers |
| Order history | Likely |
Confirmed NOT breached
| Data type | Status |
|---|---|
| Payment card details | Not stored on M&S systems |
| Account passwords | Not compromised |
| Financial data | Protected |
M&S statement:
“Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords.”
Threat actor profiles
Scattered Spider
| Attribute | Details |
|---|---|
| Also known as | UNC3944, Octo Tempest, 0ktapus |
| Origin | Primarily US/UK English speakers |
| Tactics | Help desk social engineering, SIM swapping, MFA fatigue (push bombing) |
| Notable targets | MGM Resorts, Caesars, Twilio, Okta |
| Structure | Loosely organized collective |
Scattered Spider specializes in social engineering attacks against help desks and IT support, often impersonating employees to obtain password resets or MFA bypass.
DragonForce
| Attribute | Details |
|---|---|
| First observed | December 2023 |
| Model | Ransomware-as-a-Service (RaaS) |
| Recent development | White-label service for affiliates |
| Encryption | Targets VMware ESXi environments |
DragonForce has begun offering a white-label ransomware service, allowing affiliates like Scattered Spider to use their infrastructure and malware.
The M&S attack was part of a broader campaign against UK retailers:
| Target | Date | Threat actor |
|---|---|---|
| Marks & Spencer | April 2025 | Scattered Spider/DragonForce |
| Co-op | May 2025 | Similar tactics |
| Harrods | May 2025 | Similar tactics |
Security lessons
What failed
| Control | Gap |
|---|---|
| Service desk verification | A phone call impersonating an employee was enough to obtain a password reset |
| Third-party security | The outsourced desk's reset procedure could be satisfied without proving the caller's identity |
| AD monitoring | NTDS.dit extraction in February went undetected until the April ransomware deployment |
| Network segmentation | Lateral movement from the corporate domain reached the ESXi hosts |
What should have been in place
| Control | Purpose |
|---|---|
| Callback verification | Verify password reset requests |
| Privileged access management | Limit AD admin access |
| AD monitoring | Alert on NTDS.dit access |
| Network segmentation | Isolate critical infrastructure |
Recommendations
For retail organizations
| Priority | Action |
|---|---|
| Critical | Implement callback verification for password resets |
| Critical | Monitor Active Directory for NTDS.dit access |
| High | Segment VMware infrastructure from corporate network |
| High | Harden ESXi hosts directly, since conventional EDR agents do not run on ESXi: enable lockdown mode, disable SSH and the ESXi Shell when not in use, set execInstalledOnly, and forward host and vCenter logs to the SIEM |
| Medium | Require video or in-person verification for high-risk requests, as an additional factor rather than sole proof of identity |
For organizations using third-party service desks
| Priority | Action |
|---|---|
| Critical | Establish identity verification protocols |
| High | Audit third-party security practices |
| High | Require security awareness training |
| Medium | Implement tiered request verification |
For IT service desk teams
| Priority | Action |
|---|---|
| Critical | Never reset passwords based on phone requests alone |
| High | Use callback to known numbers for verification |
| High | Escalate unusual requests to security team |
| Medium | Document all verification steps taken |
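The recommendations above for third-party desks and desk agents (callback to a known number, manager approval, video for sensitive accounts, tiered verification, an audit trail) reduce to a small decision procedure that refuses exactly the request that succeeded against M&S in Stage 1: a caller on the phone who cannot be reached at the number of record. The policy below is an added example for this page, not M&S's or its provider's workflow; the directory entries, usernames and phone numbers are constructed placeholders.

```python
"""Tiered verification policy for service-desk password resets.

Added example, not M&S's or any vendor's workflow. DIRECTORY is a
constructed stand-in for the HR/identity system of record.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Directory of record. The desk calls back ONLY to the number stored here;
# a number offered by the caller is never used for the callback.
DIRECTORY = {
    "jsmith":     {"phone": "+442070000001", "manager": "akhan", "tier": "standard"},
    "akhan":      {"phone": "+442070000002", "manager": "rlee",  "tier": "standard"},
    "adm_jsmith": {"phone": "+442070000001", "manager": "akhan", "tier": "privileged"},
    "svc_backup": {"phone": None,            "manager": "itops", "tier": "service"},
}


@dataclass
class ResetRequest:
    account: str
    channel: str                              # "phone" or "chat"
    caller_supplied_phone: Optional[str] = None
    callback_number_used: Optional[str] = None
    callback_answered: bool = False
    manager_approver: Optional[str] = None    # username of the approving manager
    video_verified: bool = False


@dataclass
class Decision:
    approved: bool
    failures: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def required_steps(tier):
    """Verification required per account tier; privileged accounts need all three."""
    steps = ["callback"]
    if tier == "privileged":
        steps += ["manager_approval", "video"]
    return steps


def evaluate(req):
    """Apply the tiered policy and return a Decision with an audit trail."""
    d = Decision(approved=False)
    entry = DIRECTORY.get(req.account)
    if entry is None:
        d.failures.append("unknown account")
        return d
    if entry["tier"] == "service":
        d.failures.append("service accounts are never reset through the desk")
        return d
    if req.channel not in ("phone", "chat"):
        d.failures.append(f"unsupported channel {req.channel!r}")
        return d
    steps = required_steps(entry["tier"])
    d.audit.append(f"tier={entry['tier']} steps={steps}")

    # Step 1: the callback must go to the number of record and be answered there.
    if "callback" in steps:
        if req.caller_supplied_phone and req.caller_supplied_phone != entry["phone"]:
            d.audit.append("caller offered a phone number not on record; ignored")
        if req.callback_number_used != entry["phone"]:
            d.failures.append("callback did not go to the directory number")
        elif not req.callback_answered:
            d.failures.append("callback to directory number not answered")
    # Step 2: only the manager of record may approve a privileged reset.
    if "manager_approval" in steps and req.manager_approver != entry["manager"]:
        d.failures.append("no approval from manager of record")
    # Step 3: live video check for privileged accounts (an extra factor, not proof alone).
    if "video" in steps and not req.video_verified:
        d.failures.append("video verification not completed")

    d.approved = not d.failures
    d.audit.append("APPROVED" if d.approved else "DENIED: " + "; ".join(d.failures))
    return d


if __name__ == "__main__":
    genuine = ResetRequest("jsmith", "phone", callback_number_used="+442070000001",
                           callback_answered=True)
    spoofed = ResetRequest("jsmith", "phone", caller_supplied_phone="+447700900123",
                           callback_number_used="+447700900123", callback_answered=True)
    for r in (genuine, spoofed):
        print(r.account, evaluate(r).audit)
```

The `spoofed` request models the attack pattern: the caller supplies a mobile number and the agent calls it back, so the "callback" box is ticked but the check has verified nothing. The policy denies it because the number dialled is not the one on record. Keeping the directory number out of the caller's hands is the whole control; the rest (manager of record, video) adds friction only for privileged accounts, which is the tiering the page recommends.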
Context
The M&S breach illustrates how sophisticated threat actors exploit the human element of security. Despite whatever technical controls M&S had in place, a single phone call to a third-party service desk bypassed them entirely.
Scattered Spider has refined social engineering to an art form. Their members—often young, native English speakers—can convincingly impersonate employees and manipulate help desk staff into providing access. The group’s success against MGM Resorts, Caesars, and now M&S demonstrates that social engineering remains one of the most effective attack vectors.
The £300 million business impact underscores the catastrophic potential of ransomware against retail operations. M&S's 46-day online sales suspension caused financial and reputational damage that will take years to repair.
For defenders, this incident reinforces that identity verification for password resets must be rigorous. Callback verification to known phone numbers, manager approval, and video verification for sensitive accounts are no longer optional luxuries—they’re essential controls against social engineering.
The involvement of DragonForce as the ransomware payload highlights how the RaaS ecosystem has evolved: Scattered Spider's social engineering expertise combined with DragonForce's encryption capabilities produced an attack more damaging than either group would likely have mounted alone.