Marks & Spencer

British retailer giant Marks & Spencer (M&S) was breached in an April ransomware attack where a DragonForce encryptor was used to encrypt virtual machines on VMware ESXi hosts, forcing M&S to stop accepting online orders and leading to a significant impact on business operations at its 1,400 stores.

Source: https://www.bleepingcomputer.com/news/security/uk-to-ban-public-sector-orgs-from-paying-ransomware-gangs/

TPRM report: https://scoringcyber.rankiteo.com/company/marks-and-spencer

"id": "mar956072325",
"linkid": "marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"

{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'UK',
                        'name': 'NHS',
                        'type': 'Publicly funded healthcare service'},
                       {'industry': 'Education',
                        'location': 'UK',
                        'name': 'British Library',
                        'type': 'National library'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks & Spencer',
                        'size': '1,400 stores',
                        'type': 'Retailer'},
                       {'customers_affected': 'Data from many current and '
                                              'former members',
                        'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Co-op',
                        'type': 'Retailer'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Harrods',
                        'type': 'Retailer'}],
 'attack_vector': 'Ransomware',
 'description': 'The UK government is proposing legislation to ban public '
                'sector and critical infrastructure organizations from paying '
                'ransoms after ransomware attacks. This includes local '
                'councils, schools, and the NHS. The ban aims to disrupt the '
                'business model of cybercriminals and reduce the '
                'attractiveness of these organizations as targets. '
                'Additionally, businesses not covered by the ban will be '
                'required to notify the government if they intend to make a '
                'ransom payment, and a mandatory reporting system is being '
                'developed.',
 'impact': {'downtime': 'Significant impact on business operations at M&S '
                        'stores',
            'financial_loss': 'Millions of pounds each year',
            'operational_impact': ['Stopped accepting online orders',
                                   'Restricted internet access'],
            'systems_affected': ['Local councils',
                                 'Schools',
                                 'NHS',
                                 'British Library',
                                 'Marks & Spencer',
                                 'Co-op',
                                 'Harrods']},
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Virtual machines on VMware ESXi hosts',
                'ransomware_strain': ['DragonForce']},
 'references': [{'source': 'BleepingComputer'}],
 'response': {'law_enforcement_notified': True},
 'threat_actor': ['Cybercriminal groups', 'Many based in Russia'],
 'title': 'UK Government Plans to Ban Ransom Payments for Public Sector and '
          'Critical Infrastructure',
 'type': 'Ransomware'}