Ransomware attack behind ongoing Marks & Spencer systems outage
British multinational retailer Marks & Spencer is dealing with ongoing systems outages caused by a ransomware attack, which sources have attributed to the Scattered Spider threat group. The incident has disrupted operations since last week, affecting payment systems, online orders, and warehouse logistics. According to the same sources, the attack was severe enough to warrant the involvement of incident response firms CrowdStrike, Microsoft, and Fenix24.
Attack traced to NTDS.dit theft and ESXi encryption
Marks & Spencer reportedly first experienced unauthorized access as early as February 2025. During the intrusion, threat actors are believed to have exfiltrated the NTDS.dit file, the Active Directory database held on every domain controller, which stores the NT password hashes of all domain accounts. Reading that file requires domain-controller-level access (or a copy of a DC backup), so its theft indicates the domain was already fully compromised. The hashes are unsalted MD4 digests of the UTF-16LE password, so they can be cracked offline at very high speed to recover plain-text credentials; and because NTLM authentication uses the hash itself, an attacker can also pass the hash without cracking it. Either way, the result is lateral movement across the corporate network with legitimate accounts.
On April 24, the attackers deployed ransomware to encrypt VMware ESXi hosts using a variant known as DragonForce. Hypervisors are a favoured target because encrypting one host's datastores takes down every virtual machine on it at once. This move led to significant service disruption, including reports of 200 warehouse workers being sent home.
Scattered Spider identified as likely perpetrator
The attackers behind this incident are believed to be part of the cybercrime group known as Scattered Spider, which Microsoft tracks under the name Octo Tempest. The group is known for sophisticated social engineering attacks, including SIM swapping, MFA bombing, and phishing against high-profile enterprises.
Scattered Spider operates more like a decentralized network of hackers than a unified gang. Its members range in age and skillset, often communicating and coordinating via forums, Telegram, and Discord. This structure allows them to quickly evolve tactics and remain hard to track.
DragonForce ransomware linked to recent activity
The ransomware used in the Marks & Spencer breach, DragonForce, has recently emerged as a service-based operation. Active since December 2023, DragonForce allows cybercriminals to white-label its tools and deploy them independently. Scattered Spider has previously acted as an affiliate of other ransomware groups, including RansomHub and Qilin.
Researchers tie attacks to Scattered Spider based on common tactics, such as credential harvesting, help desk impersonation, and abuse of SSO platforms. Silent Push recently published findings linking the group to several phishing campaigns targeting enterprise environments.
Law enforcement pressure continues
Authorities in the U.S., UK, and Spain have ramped up enforcement against members of Scattered Spider, leading to multiple arrests over the past two years. Despite this, the group continues to launch high-impact attacks, primarily targeting large businesses and cloud-hosted infrastructure.
Marks & Spencer declined to confirm further technical details of the breach but acknowledged it is working with experts to resolve the issue and minimize ongoing impact.