- Marks & Spencer suffered a cyber-incident earlier in April
- The media are saying the attack was the work of ScatteredSpider
- The retailer is still tackling the outage
The major cyber-incident at British retailer Marks & Spencer, which has been ongoing for more than a week now, seems to be the work of Scattered Spider, an infamous and slippery threat actor. The news was broken by BleepingComputer, citing “multiple sources” and claiming this was a ransomware attack. The company itself declined to comment on the report, though.
In late April, news broke of a “cyber incident” that affected M&S stores for “days” and resulted in “small changes” to store operations. The company also confirmed Click and Collect services were impacted, and that some stores were unable to process contactless payments.
A few days later, the company said it had to take some systems and processes offline, and that Click and Collect services had to be paused in all stores. Online orders were halted as a result, as well.
Old actors or new copycats?
The retailer said in a statement that in order to protect colleagues, partners, suppliers, and the business, it “made the proactive decision to move some [of our] processes offline”. There were no confirmations that this was a ransomware attack, although it all pointed to that being the case.
Now, BleepingComputer says that this was, in fact, a ransomware attack, conducted by none other than Scattered Spider. This is not a state-sponsored threat actor, but rather a financially motivated collective. It usually targets companies in the West, such as tech firms, telcos, and those working in hospitality. The group breaks into networks through social engineering tactics and SIM-swapping.
In earlier years, it used to deploy the BlackCat/ALPHV ransomware variant, but since that group disbanded and disappeared, it pivoted to other solutions. In this case, the publication says it deployed the DragonForce encryptor on M&S’ VMware ESXi hosts on April 24, encrypting virtual machines. DragonForce has recently pivoted to a ‘cartel’ business model.
Multiple cybersecurity teams have been brought in to investigate and assist with mitigating the damage, including CrowdStrike, Microsoft, and Fenix24.
Via BleepingComputer