In early 2025, a coordinated ransomware campaign by the DragonForce group infiltrated Marks & Spencer’s IT environment, deploying its encryptor on VMware ESXi hosts that supported critical e-commerce and payment platforms. The attack forced M&S to suspend all online sales for five days while IT teams worked to restore encrypted virtual machines and sanitize systems. During this blackout, the retailer incurred estimated daily losses of £3.8 million from halted transactions and customer attrition. Investor confidence also took a hit, with the company’s market capitalization dropping by over £500 million as trading in M&S shares reflected concerns about operational resilience and surge protection. Although no customer data was exfiltrated, the incident exposed gaps in patch management and incident response processes. Post-incident assessments highlighted the need for stronger network segmentation, faster ransomware detection capabilities, and robust backup and recovery workflows. M&S has since accelerated its cybersecurity investment, deploying next-generation endpoint protection and multi-factor authentication across its cloud and on-premises infrastructure to mitigate future threats.
Source: https://cybersecuritynews.com/dragonforce-ransomware-hits-harrods-marks-and-spencer/
TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer
"id": "mar1041050625",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "5/2025",
"severity": "75",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Retail',
                        'name': 'Marks & Spencer',
                        'type': 'Retailer'}],
 'attack_vector': 'Encryptor deployed on VMware ESXi hosts',
 'data_breach': {'data_exfiltration': 'No customer data exfiltrated'},
 'description': 'A coordinated ransomware campaign by the DragonForce group '
                'infiltrated Marks & Spencer’s IT environment, deploying its '
                'encryptor on VMware ESXi hosts that supported critical '
                'e-commerce and payment platforms.',
 'impact': {'brand_reputation_impact': 'Drop in market capitalization by over '
                                       '£500 million',
            'downtime': '5 days',
            'financial_loss': '£3.8 million daily',
            'operational_impact': 'Suspension of all online sales',
            'revenue_loss': '£3.8 million daily',
            'systems_affected': ['VMware ESXi hosts',
                                 'e-commerce platforms',
                                 'payment platforms']},
 'initial_access_broker': {'high_value_targets': ['VMware ESXi hosts']},
 'lessons_learned': ['Exposed gaps in patch management and incident response '
                     'processes',
                     'Need for stronger network segmentation',
                     'Faster ransomware detection capabilities',
                     'Robust backup and recovery workflows'],
 'motivation': 'Financial',
 'post_incident_analysis': {'corrective_actions': ['Accelerated cybersecurity '
                                                   'investment',
                                                   'Deployed next-generation '
                                                   'endpoint protection and '
                                                   'multi-factor '
                                                   'authentication across '
                                                   'cloud and on-premises '
                                                   'infrastructure']},
 'ransomware': {'data_encryption': 'Encryptor deployed on VMware ESXi hosts',
                'data_exfiltration': 'No customer data exfiltrated'},
 'recommendations': ['Deploy next-generation endpoint protection',
                     'Implement multi-factor authentication'],
 'response': {'enhanced_monitoring': 'Faster ransomware detection capabilities',
              'network_segmentation': 'Need for stronger network segmentation',
              'remediation_measures': ['Restore encrypted virtual machines',
                                       'Sanitize systems']},
 'threat_actor': 'DragonForce group',
 'title': 'Ransomware Attack on Marks & Spencer',
 'type': 'Ransomware'}