Marks & Spencer caught up in Scattered Spider ransomware attack


Weeks-long payment outages disrupting operations at British retail giant Marks & Spencer (M&S) are now being blamed on Scattered Spider, the same ransomware group said to be responsible for the 2023 hack of the MGM Grand in Las Vegas.

New information surfaced on Tuesday linking the infamous Scattered Spider ransomware group to the devastating “cyber incident” that has been causing chaos for the London-based retailer since Easter weekend, according to a report by Bleeping Computer.

Apparently, the threat actors have been freely lurking inside M&S systems since February after gaining access to a main database file for Active Directory Services containing “password hashes for Windows accounts,” the tech outlet reported, after speaking with “multiple sources.”


Marks & Spencer, which first alerted the UK’s National Cyber Security Centre (NCSC) on April 21st, has been forced to take its payment systems offline at over 1,000 stores across the UK, cancel thousands of clothing and home goods online orders, and as of Monday, told its warehouse staff to stay home until further notice.

On Tuesday, the "world's most sustainable retailer" also revealed some M&S food stores were experiencing shortages of certain items due to systems being "proactively" taken offline.

"As a result, we currently have pockets of limited availability in some stores. We are working hard to get availability back to normal across the estate," an M&S spokesperson said.

By exfiltrating the Windows domain’s NTDS.dit file, the threat actors were able to extract the stored password hashes and, using password-cracking tools, recover the associated plaintext passwords, Bleeping Computer said.
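The NTDS.dit theft described above leaves recognisable traces on a domain controller, because the file is locked while the directory service runs and has to be exported (ntdsutil’s IFM mode) or copied from a Volume Shadow Copy. The following is an added example, not code from the Bleeping Computer report or from any vendor named in this article: a small Python detector run over constructed, Sysmon-style process-creation lines that flags those indicators and escalates when several distinct ones come from the same host and account. Hostnames, usernames, timestamps and the pipe-separated log format are all constructed for the example.

```python
"""Flag process-creation events matching common indicators of Active Directory
database (NTDS.dit) theft, the step the report describes as the attackers'
path to the domain's password hashes.

Added illustration, not code from the report or from any vendor named in it.
Log format, hostnames, usernames and timestamps are constructed; the rules
mirror widely published detection logic for ntdsutil IFM exports, shadow-copy
creation on domain controllers and direct references to the ntds.dit file.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry, one process-creation event per line:
# timestamp | host | user | image | command line
SAMPLE_LOG = r"""
2025-02-10T02:14:07Z | DC01 | CORP\svc_backup | C:\Windows\System32\ntdsutil.exe | ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\x" q q
2025-02-10T02:15:30Z | DC01 | CORP\svc_backup | C:\Windows\System32\vssadmin.exe | vssadmin create shadow /for=C:
2025-02-10T02:16:02Z | DC01 | CORP\svc_backup | C:\Windows\System32\cmd.exe | cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit
2025-02-10T09:00:11Z | WS042 | CORP\alice | C:\Windows\System32\vssadmin.exe | vssadmin create shadow /for=C:
2025-02-10T09:05:45Z | WS042 | CORP\alice | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | EXCEL.EXE C:\Users\alice\Q1.xlsx
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    dc_only: bool  # shadow copies are routine on file servers; only DCs matter here


RULES = (
    Rule("ntdsutil IFM export", re.compile(r"ntdsutil.*\bifm\b", re.I), False),
    Rule("direct ntds.dit reference", re.compile(r"\bntds\.dit\b", re.I), False),
    Rule("shadow copy created on a domain controller",
         re.compile(r"(vssadmin.*create\s+shadow)|(shadowcopy\s+call\s+create)", re.I), True),
)


def parse_event(line: str) -> Event:
    """Split one pipe-separated event line into its five fields."""
    fields = [f.strip() for f in line.split(" | ", 4)]
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return Event(*fields)


def detect(log_text: str, domain_controllers: set[str]) -> list[dict]:
    """Return one alert per (event, rule) match; DC-only rules need the DC list."""
    dcs = {h.upper() for h in domain_controllers}
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        haystack = f"{ev.image} {ev.cmdline}"
        for rule in RULES:
            if rule.dc_only and ev.host.upper() not in dcs:
                continue
            if rule.pattern.search(haystack):
                alerts.append({"timestamp": ev.timestamp, "host": ev.host,
                               "user": ev.user, "rule": rule.name})
    return alerts


def escalate(alerts: list[dict]) -> dict[tuple[str, str], str]:
    """Severity per (host, user): two or more distinct indicators => 'high'."""
    hits: dict[tuple[str, str], set[str]] = defaultdict(set)
    for a in alerts:
        hits[(a["host"], a["user"])].add(a["rule"])
    return {key: ("high" if len(rules) >= 2 else "medium") for key, rules in hits.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, {"DC01", "DC02"})
    for a in found:
        print(f"{a['timestamp']} {a['host']} {a['user']}: {a['rule']}")
    for (host, user), sev in escalate(found).items():
        print(f"{host}/{user}: {sev}")
```

Run against the constructed sample, the three DC01 events each trip a different rule and the account is escalated to high, while the workstation’s shadow copy is ignored because the host is not a domain controller. In a real deployment the DC list would come from the directory itself, and the rules would sit beside the usual false-positive handling for scheduled system-state backups.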

After infiltrating the system, Scattered Spider was then said to have encrypted M&S servers using a ransomware variant from DragonForce, another threat actor selling its “white label” services to fellow Ransomware-as-a-Service (RaaS) affiliates.

DragonForce, a ransomware group that has been stepping up its operations since establishing itself in August 2023, developed its customizable variant using both LockBit 3.0 and Conti V3, according to an in-depth Group-IB profile from September 2024.


Said to originate from Malaysia, DragonForce “affiliates can create customized ransomware samples, including disabling security features, setting encryption parameters, and personalizing ransom notes,” Group-IB states.

Scattered Spider spins its web

Meanwhile, Scattered Spider, infamous for its cybercriminal partnership with the now-defunct ALPHV/BlackCat gang and their hack of Las Vegas’ MGM Resorts International and Caesars Entertainment in fall 2023, is known for using highly effective phishing techniques to target its victims.

Labeled by Google's Mandiant at the time as one of the most disruptive hacking outfits in the United States, the group was reportedly paid a $15 million ransom by Caesars to keep its operations going in the wake of the attack, whereas MGM refused to pay and was subsequently paralyzed for weeks.

The Scattered Spider hacker gang – also known in the industry as Roasted 0ktapus, UNC3944, or Storm-0875 – is believed to be made up of individuals based in both the US and the UK and is known for SMS phishing, SIM swapping, and MFA fatigue attacks.

“Their social engineering techniques are very sophisticated, and they are known for voice phishing help desks, call centers, and even security operations centers (SOCs) to gain initial access,” cybersecurity expert Steven Erwin told Cybernews at the time.


The group, around since 2022, is known for its high-profile campaigns targeting hundreds of companies over the years, primarily in the financial services sector, including notable names such as Snowflake, Visa, DoorDash, Riot Games, LastPass, Twilio, and others.

In late 2024, the US Department of Justice indicted five suspected members of Scattered Spider in connection with the MGM cyberattacks, including four Americans and one from the UK, all men between the ages of 20 and 25 years. A 22-year-old UK national, thought to be a key member of the group, was also arrested in Spain earlier that June.

Cybersecurity experts from CrowdStrike, Microsoft, and Fenix24 have reportedly been called in to help Marks & Spencer investigate and mitigate the damage.


Established in 1884, the food, beauty, clothing, and home goods behemoth serves millions of customers worldwide. The company employs approximately 75,000 workers and, in 2024, reported annual revenue of £13 million.

Marks & Spencer brands include Autograph, Blue Harbour, Boutique, Goodmove, Jaeger, M&S Collection, Per Una, Rosie, as well as M&S Bank, which provides financial services such as credit cards, savings, and insurance.