M&S experienced a ransomware attack carried out by DragonForce, a group believed to be based in Asia or Russia. The attack involved social engineering: the attacker impersonated an M&S worker and tricked a third party into resetting an employee's password. The attackers encrypted the data they acquired and threatened to leak it; the data included names, birth dates, addresses, phone numbers, household information, and order histories. About 150 GB of data was stolen before M&S shut down systems to prevent further spread, leading to delivery disruptions. Recovery efforts are ongoing, with full recovery expected by October or November 2025.
TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer
"id": "mar558070925",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Retail',
                        'location': 'UK',
                        'name': 'M&S',
                        'type': 'Retail'}],
 'attack_vector': ['Social Engineering', 'Phishing'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Medium to High',
                 'type_of_data_compromised': ['Personal Information',
                                              'Order Histories']},
 'description': 'M&S experienced a ransomware attack attributed to '
                'DragonForce, involving social engineering and double '
                'extortion.',
 'impact': {'data_compromised': ['Names',
                                 'Birth Dates',
                                 'Addresses',
                                 'Phone Numbers',
                                 'Household Information',
                                 'Order Histories'],
            'operational_impact': ['Delivery Disruptions']},
 'initial_access_broker': {'entry_point': 'Social Engineering'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': ['Social Engineering',
                                            'Password Reset Mechanism']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'DragonForce'},
 'recommendations': ['Greater transparency and cyberattack reporting'],
 'references': [{'source': 'Reuters'}],
 'response': {'communication_strategy': ['Calling for greater transparency and '
                                         'cyberattack reporting'],
              'containment_measures': ['Shut down systems to prevent further '
                                       'spread'],
              'law_enforcement_notified': True,
              'recovery_measures': ['Recovery efforts ongoing',
                                    'Full recovery expected by October or '
                                    'November 2025'],
              'third_party_assistance': ['Tata Consultancy Services']},
 'threat_actor': 'DragonForce',
 'title': 'M&S Ransomware Attack by DragonForce',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Password Reset Mechanism'}