A damaging cyber-attack on UK retailer Marks and Spencer in April last year caused a great loss in revenues, with a £300 million ($403 million) operating profit loss, as its online business was taken offline for seven weeks. The online business is being rebuilt in stages, with the process not yet complete 14 months later. The attack was enabled by a DragonForce ransomware group hacker impersonating an employee, reportedly at M&S contractor Tata Consultancy Services, and gaining unauthorized system access via the M&S help desk. Reports indicate the breach began as early as February 2024, when hackers stole the Windows domain’s NTDS.dit file, which contains password hashes for domain users. By cracking these hashes, they accessed the network and deployed ransomware to encrypt virtual machines, disrupting services such as contactless payments, click-and-collect, and online ordering.
Source: https://blocksandfiles.com/2025/07/11/employees-prefer-to-keep-quiet-when-hit-by-cyberattack/
TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer
"id": "mar847071225",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks and Spencer',
                        'type': 'Retailer'}],
 'attack_vector': 'Phishing, Impersonation',
 'date_detected': 'February 2024',
 'description': 'A ransomware attack on retailer Marks and Spencer in the UK '
                'in April last year caused a significant loss in revenues, '
                'with a £300 million ($403 million) operating profit loss, as '
                'its online business was taken offline for seven weeks.',
 'impact': {'downtime': 'Seven weeks',
            'financial_loss': '£300 million ($403 million)',
            'operational_impact': 'Online business taken offline',
            'revenue_loss': '£300 million ($403 million)',
            'systems_affected': ['Virtual machines',
                                 'Contactless payments',
                                 'Click-and-collect',
                                 'Online ordering']},
 'initial_access_broker': {'entry_point': 'Help desk'},
 'lessons_learned': 'Employees should be trained to recognize and report cyber '
                    'threats promptly. Organizations should foster a culture '
                    'of transparent and timely communication of cyber threats.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Improve employee training '
                                                  'and foster a culture of '
                                                  'transparent communication',
                            'root_causes': 'Employee impersonation and '
                                           'unauthorized system access'},
 'ransomware': {'data_encryption': 'Virtual machines encrypted',
                'ransomware_strain': 'DragonForce'},
 'recommendations': 'Implement training and attack simulation training to help '
                    'employees recognize and respond to cyber threats '
                    'appropriately.',
 'references': [{'source': 'Cohesity Survey'}],
 'threat_actor': 'DragonForce ransomware group',
 'title': 'Cyber Attack on Marks and Spencer',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Unauthorized system access via help desk'}