In this episode, we dive into the May 2025 ransomware attack on Belk, the iconic U.S. department store chain, orchestrated by the DragonForce ransomware group—a fast-rising player in the ransomware-as-a-service (RaaS) ecosystem. The cyberattack brought down Belk’s online and in-store operations for days, exfiltrated over 156GB of sensitive data, and sparked legal action following the delayed breach disclosure. With customer names and Social Security numbers compromised and leaked, the impact has rippled far beyond Belk’s systems.
We examine how this attack fits into a broader RaaS-fueled campaign against the retail sector, including recent incidents at Marks & Spencer, Co-op Group, and Harrods. DragonForce, leveraging a model built on affiliate partnerships and rebranded ransomware payloads, is lowering the barrier to entry for cybercriminals—enabling less sophisticated actors to inflict enterprise-level damage.
This episode covers:
- The attack timeline and operational disruption across Belk’s digital and physical storefronts
- What DragonForce stole—and why their leak site appearance suggests Belk didn’t pay the ransom
- The role of RaaS in expanding ransomware’s reach, making powerful attack infrastructure available to anyone with money and motive
- How DragonForce affiliates, including those tied to Scattered Spider, are combining social engineering, credential theft, and advanced TTPs to bypass defenses
- Why retail chains are increasingly at risk—and how many still underestimate the severity of the threat
- Key defensive takeaways: from phishing-resistant MFA to Active Directory hardening, breach simulation exercises, and incident response planning
The Belk breach illustrates the evolving nature of ransomware, where supply chain access, insider tricks, and layered obfuscation tactics are the norm—not the exception. As regulatory scrutiny rises and ransomware groups professionalize, retailers and mid-market enterprises must reframe security not as an IT task, but as a business continuity imperative.
