Marks & Spencer (M&S), a prominent UK retailer, fell victim to a ransomware attack linked to the **DragonForce** cartel and its partner **Scattered Spider**, which supplied initial access. The incident involved DragonForce-built ransomware derived from Conti’s leaked source code: per-file ChaCha20 keys wrapped with RSA, and Conti’s network-spreading logic, which enumerates and encrypts SMB shares. The attack targeted both local and shared network storage, and the operators threatened to **delete decryptors and leak stolen data** if ransom demands were not met by their deadlines (September 2 and 22).

The breach disrupted M&S’s operations and created a risk of **customer data exposure**, follow-on financial fraud, and reputational damage from media coverage. DragonForce’s cartel model, which recruits affiliates such as Devman and partners with groups such as Scattered Spider, combines outsourced initial access with aggressive data exfiltration. The full scope of compromised data (e.g., payment details, personal records) remains undisclosed, but the incident fits DragonForce’s pattern of **high-impact extortion**, including threats to publish sensitive information. The attack underscores the escalating risk from ransomware-as-a-service (RaaS) ecosystems, in which cooperating criminal groups exploit enterprise weaknesses for maximal disruption and profit.
Source: https://www.infosecurity-magazine.com/news/dragonforce-cartel-conti-derived/
TPRM report: https://www.rankiteo.com/company/marks-and-spencer
"id": "mar1193411110425",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'retail',
'location': 'United Kingdom',
'name': 'Marks & Spencer',
'type': 'retailer'},
{'name': 'BlackLock (rival ransomware group)',
'type': 'cybercriminal group'},
{'name': 'Ransomhub (rival ransomware group)',
'type': 'cybercriminal group'}],
'attack_vector': ['SMB (Server Message Block) exploitation',
'lateral movement via network shares',
'recruitment of affiliates for branded variants',
'partnerships with initial access brokers (e.g., Scattered '
'Spider)'],
'data_breach': {'data_encryption': ['ChaCha20 + RSA per-file encryption',
'10-byte metadata block (encodes mode, '
'percentage, size)',
'supports full (0x24), partial (0x25), '
'and header-only (0x26) modes'],
'data_exfiltration': ['threatened (e.g., leaks scheduled for '
'September 2 and 22)']},
'description': 'A new ransomware operation, DragonForce, built on Conti’s '
'leaked source code, has surfaced with cartel-like ambitions '
'in the cybercrime ecosystem. The group retains Conti’s core '
'encryption behavior and network-spreading capabilities, '
'conducting coordinated attacks and recruiting affiliates via '
'a shared platform. DragonForce has shifted from a '
'ransomware-as-a-service (RaaS) model to a self-styled cartel '
'structure, encouraging affiliates to create branded variants. '
'Recent campaigns include threats to delete decryptors and '
                'leak data on September 2 and September 22, 2025. The '
'ransomware encrypts local storage and network shares via SMB, '
'using ChaCha20 and RSA encryption with unique per-file keys '
'and a 10-byte metadata block. Affiliates like Devman and '
'partnerships with groups like Scattered Spider (linked to '
'BlackCat, Ransomhub, and Qilin) highlight its expanding '
'influence. Aggressive tactics include defacing rival leak '
'sites (e.g., BlackLock) and attempting server takeovers '
'(e.g., Ransomhub).',
'impact': {'brand_reputation_impact': ['potential reputational damage to '
'affected entities (e.g., Marks & '
'Spencer)',
'undermining trust in rival ransomware '
'groups'],
'operational_impact': ['encryption of files',
'potential data leaks (threatened for '
'September 2 and 22)',
'disruption of rival ransomware operations '
'(e.g., BlackLock, Ransomhub)'],
'systems_affected': ['local storage', 'network shares via SMB']},
'initial_access_broker': {'high_value_targets': ['enterprise environments',
'retailers (e.g., Marks & '
'Spencer)',
'rival ransomware groups '
'(e.g., BlackLock, '
'Ransomhub)']},
'investigation_status': 'ongoing (as of latest reports)',
'lessons_learned': ['Ransomware groups are evolving into cartel-like '
'structures to consolidate power and resources.',
'Affiliate recruitment and branded variants increase the '
'scale and complexity of attacks.',
'Partnerships with initial access brokers (e.g., '
'Scattered Spider) amplify threat capabilities.',
'Aggressive tactics (e.g., defacing rival leak sites) '
'disrupt the cybercriminal ecosystem.',
'Legacy ransomware code (e.g., Conti) continues to fuel '
'new operations.'],
'motivation': ['financial gain',
'dominance in ransomware ecosystem',
'recruitment of affiliates',
'disruption of rival groups'],
'post_incident_analysis': {'root_causes': ['Exploitation of Conti’s leaked '
'source code for new ransomware '
'development.',
'Leveraging affiliate networks to '
'scale attacks (e.g., Devman, '
'Scattered Spider).',
'Use of SMB for lateral movement '
'and network-wide encryption.',
'Cartel-like coordination to '
'dominate the ransomware '
'ecosystem.']},
'ransomware': {'data_encryption': ['ChaCha20 + RSA',
'unique key per file',
'metadata block with encryption details'],
'data_exfiltration': ['threatened (e.g., leaks scheduled for '
'September 2 and 22)'],
'ransomware_strain': ['DragonForce (derived from Conti’s '
'leaked source code)',
'Devman (affiliate variant)',
'Mamona (earlier variant used by '
'Devman)']},
'recommendations': ['Implement robust backup practices to mitigate encryption '
'impacts.',
'Restrict lateral movement via network segmentation.',
'Monitor for unusual access to shared resources (e.g., '
'SMB).',
'Apply consistent patching and endpoint protection.',
'Conduct user awareness training to prevent initial '
'access exploits.',
'Defend against affiliate-based attacks by tracking '
'emerging ransomware strains.'],
'references': [{'source': 'Acronis Threat Research Unit (TRU)'},
               {'source': 'Infosecurity Magazine (linked above)'}],
'response': {'enhanced_monitoring': ['recommended for unusual access to '
'shared resources'],
'network_segmentation': ['recommended as a defense measure']},
'threat_actor': ['DragonForce',
'Devman (affiliate)',
'Scattered Spider (partner)'],
'title': 'DragonForce Ransomware Cartel Emerges from Conti’s Leaked Source '
'Code',
'type': ['ransomware',
'cartel-style cybercrime operation',
'affiliate-based attack']}
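The record's `data_encryption` field lists three encryption modes (0x24 full, 0x25 partial, 0x26 header-only) selected through a 10-byte metadata block that encodes mode, percentage and size. For recovery triage the practical question is how much of each file is actually ciphertext. The following is an added example written for this page, not code from the report or from any DragonForce sample. The trailer layout (1-byte mode, 1-byte percentage, 8-byte little-endian size, appended to the file), the meaning of "partial" as the leading percentage of the file, and the 4 KiB header-only size are all assumptions; the report only names the fields and mode values. The entropy scan does not depend on those assumptions and is the part an analyst should trust. Sample files are constructed inline, with seeded random bytes standing in for ChaCha20 output.

```python
"""Triage a file carrying a Conti-style mode/percentage trailer (added example)."""
import math
import struct
from random import Random

TRAILER_FMT = "<BBQ"                 # ASSUMED layout: mode | percent | original size
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 10 bytes, matching the reported block size
MODE_NAMES = {0x24: "full", 0x25: "partial", 0x26: "header_only"}  # mode bytes from the report
BLOCK = 4096                         # entropy window
HIGH_ENTROPY = 7.5                   # bits/byte; stream-cipher output sits near 7.95 over 4 KiB


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (8.0 means indistinguishable from random)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_trailer(blob: bytes) -> dict:
    """Decode the assumed 10-byte trailer appended to an encrypted file."""
    if len(blob) < TRAILER_LEN:
        raise ValueError("file shorter than trailer")
    mode, percent, size = struct.unpack(TRAILER_FMT, blob[-TRAILER_LEN:])
    if mode not in MODE_NAMES:
        raise ValueError(f"unknown mode byte 0x{mode:02x}")
    return {"mode": MODE_NAMES[mode], "percent": percent, "declared_size": size}


def scan_regions(body: bytes, block: int = BLOCK) -> list:
    """Classify each block by entropy and merge runs into (start, end, encrypted) tuples."""
    regions = []
    for start in range(0, len(body), block):
        chunk = body[start:start + block]
        hot = shannon_entropy(chunk) >= HIGH_ENTROPY
        if regions and regions[-1][2] == hot:
            regions[-1] = (regions[-1][0], start + len(chunk), hot)
        else:
            regions.append((start, start + len(chunk), hot))
    return regions


def triage(blob: bytes) -> dict:
    """Report what the trailer claims next to what the bytes actually look like."""
    meta = parse_trailer(blob)
    body = blob[:-TRAILER_LEN]
    regions = scan_regions(body)
    encrypted = sum(end - start for start, end, hot in regions if hot)
    meta.update({
        "body_size": len(body),
        "size_matches": len(body) == meta["declared_size"],  # stream cipher: no padding expected
        "encrypted_fraction": encrypted / len(body) if body else 0.0,
        "plaintext_regions": [(s, e) for s, e, hot in regions if not hot],
    })
    return meta


def make_sample(mode: int, percent: int, plaintext: bytes, seed: int = 1) -> bytes:
    """Build a CONSTRUCTED victim file; seeded random bytes stand in for ChaCha20 output."""
    rnd = Random(seed)
    if mode == 0x24:
        n = len(plaintext)
    elif mode == 0x25:
        n = len(plaintext) * percent // 100      # ASSUMED: the leading percent% is encrypted
    elif mode == 0x26:
        n = min(BLOCK, len(plaintext))           # ASSUMED: one 4 KiB header block
    else:
        raise ValueError("unknown mode")
    body = rnd.randbytes(n) + plaintext[n:]
    return body + struct.pack(TRAILER_FMT, mode, percent, len(plaintext))


# Constructed low-entropy plaintext, exactly 16 x 4 KiB blocks.
SAMPLE_PLAINTEXT = (b"invoice 2025-09 line item qty 12 unit 4.50 total 54.00\n" * 2000)[:16 * BLOCK]


if __name__ == "__main__":
    for mode, pct in ((0x24, 100), (0x25, 50), (0x26, 0)):
        print(triage(make_sample(mode, pct, SAMPLE_PLAINTEXT)))
```

The useful output is `plaintext_regions`: in header-only mode most of a large file survives untouched, which matters for formats such as databases, archives or media where the tail is recoverable even when the header must be rebuilt. A declared size that does not match the body length, or a mode byte that contradicts the entropy profile, is a sign the trailer was not written by this family or has been tampered with.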
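The record recommends monitoring for unusual access to shared resources over SMB and restricting lateral movement, because the ransomware encrypts network shares it can reach. One concrete detection for the spreading phase is a write fan-out rule over Windows Security event 5145 (a network share object was checked for access), which on a file server records the client IP, account, share, relative target path and access mask per request. The following is an added example, not tooling from the report: the pipe-delimited event lines are a constructed flattening of 5145 fields, the thresholds are illustrative, and a real deployment would feed the same logic from a SIEM or EVTX export.

```python
"""Flag ransomware-style write fan-out across SMB shares from Windows 5145 events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 5145 AccessMask bits that imply modification: WriteData, AppendData, DELETE.
WRITE_BITS = 0x2 | 0x4 | 0x10000

# CONSTRUCTED sample, fields: timestamp|event_id|source_ip|account|share|relative_target|access_mask.
# svc_backup does a slow, single-share job; jdoe's workstation writes to a dozen files on
# three shares inside 40 seconds, the shape SMB-spreading ransomware produces; asmith only reads.
SAMPLE_EVENTS = r"""
2025-09-01T02:00:00|5145|10.20.30.40|CORP\svc_backup|\\*\FINANCE$|Q3\ledger.xlsx|0x2
2025-09-01T02:05:00|5145|10.20.30.40|CORP\svc_backup|\\*\FINANCE$|Q3\ledger.xlsx.bak|0x2
2025-09-01T02:10:00|5145|10.20.30.40|CORP\svc_backup|\\*\FINANCE$|Q3\ap.xlsx|0x2
2025-09-01T02:15:00|5145|10.20.30.77|CORP\jdoe|\\*\FINANCE$|Q3\ledger.xlsx|0x2
2025-09-01T02:15:03|5145|10.20.30.77|CORP\jdoe|\\*\FINANCE$|Q3\ap.xlsx|0x2
2025-09-01T02:15:06|5145|10.20.30.77|CORP\jdoe|\\*\FINANCE$|Q3\ar.xlsx|0x10000
2025-09-01T02:15:10|5145|10.20.30.77|CORP\jdoe|\\*\HR$|staff\payroll.csv|0x2
2025-09-01T02:15:13|5145|10.20.30.77|CORP\jdoe|\\*\HR$|staff\contracts.docx|0x2
2025-09-01T02:15:17|5145|10.20.30.77|CORP\jdoe|\\*\HR$|staff\reviews.docx|0x2
2025-09-01T02:15:20|5145|10.20.30.77|CORP\jdoe|\\*\HR$|readme.txt|0x6
2025-09-01T02:15:24|5145|10.20.30.77|CORP\jdoe|\\*\PUBLIC|brand\logo.png|0x2
2025-09-01T02:15:28|5145|10.20.30.77|CORP\jdoe|\\*\PUBLIC|brand\deck.pptx|0x2
2025-09-01T02:15:31|5145|10.20.30.77|CORP\jdoe|\\*\PUBLIC|brand\readme.txt|0x2
2025-09-01T02:15:35|5145|10.20.30.77|CORP\jdoe|\\*\PUBLIC|archive\2019.zip|0x2
2025-09-01T02:15:40|5145|10.20.30.77|CORP\jdoe|\\*\PUBLIC|archive\2020.zip|0x2
2025-09-01T02:15:41|5145|10.20.30.90|CORP\asmith|\\*\PUBLIC|brand\deck.pptx|0x1
2025-09-01T02:15:42|5145|10.20.30.90|CORP\asmith|\\*\HR$|staff\payroll.csv|0x1
"""


def parse_event(line: str) -> dict:
    ts, eid, src, acct, share, target, mask = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid), "src_ip": src,
            "account": acct, "share": share, "target": target, "mask": int(mask, 16)}


def detect_share_fanout(log_text: str, window_s: int = 60,
                        min_files: int = 10, min_shares: int = 2) -> list:
    """One alert per (source_ip, account) whose write events inside a sliding
    window touch >= min_files distinct files spread over >= min_shares shares."""
    events = sorted((parse_event(l) for l in log_text.strip().splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    windows = defaultdict(deque)
    alerts = {}
    for ev in events:
        if ev["event_id"] != 5145 or not ev["mask"] & WRITE_BITS:
            continue                      # read-only access is out of scope for this rule
        key = (ev["src_ip"], ev["account"])
        win = windows[key]
        win.append(ev)
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while win and win[0]["ts"] < cutoff:
            win.popleft()                 # drop writes that fell out of the window
        files = {(e["share"], e["target"]) for e in win}
        shares = {e["share"] for e in win}
        if len(files) >= min_files and len(shares) >= min_shares:
            prev = alerts.get(key)
            if prev is None or len(files) > prev["distinct_files"]:
                alerts[key] = {
                    "src_ip": ev["src_ip"], "account": ev["account"],
                    "first_write": win[0]["ts"].isoformat(),
                    "last_write": ev["ts"].isoformat(),
                    "distinct_files": len(files), "shares": sorted(shares),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_share_fanout(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on source host plus account rather than account alone, so a service account driven from an unexpected workstation still stands out. Thresholds need tuning per environment: backup and replication accounts legitimately touch many files, so either exclude them explicitly or, as the test below shows, widen the window and lower the file count only for a separate low-severity rule.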