Scattered Spider linked to the recent M&S ransomware attack

May 5, 2025
Tags: Scattered Spider, M&S, Ransomware, Marks & Spencer

Multiple reports from cybersecurity sources have traced ongoing disturbances at British retailer Marks & Spencer (M&S) to a ransomware attack allegedly carried out by the group known as Scattered Spider.

M&S, a multinational retailer with 64,000 employees, offers a variety of products, including clothing, food, and home goods, across more than 1,400 stores globally.

Earlier this week, M&S confirmed that it experienced a cyberattack, which caused significant disruptions, particularly affecting its contactless payment systems and online ordering services.

A report from a news outlet earlier this week indicates that the disruptions persist. Around 200 warehouse employees were instructed to remain home while the company managed the situation.


The Scattered Spider ransomware group may have encrypted the M&S servers.


Investigations recently confirmed that these ongoing issues stem from an alleged Scattered Spider ransomware attack that encrypted the company’s servers.

The attackers were thought to have first infiltrated M&S in February when they reportedly extracted the NTDS.dit file from the Windows domain.

This file is the Active Directory database on a Windows domain controller. It holds the password hashes for every domain account, which attackers can extract and crack offline to recover plaintext passwords.

With these credentials, a hacker can navigate laterally throughout the Windows domain, accessing and stealing data from various network devices and servers.
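The NTDS.dit theft described above leaves a recognisable trail in process-creation telemetry on the domain controller: an `ntdsutil` IFM export, a Volume Shadow Copy being created, and a copy of the locked `ntds.dit` out of the shadow-copy path. The detection logic below is an added example written for this article, not code from the article or from any investigating firm; it runs a small rule set over constructed Windows Security event 4688 records (invented for the example, not M&S telemetry) and escalates a host when several of the rules fire within a short window.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4688 (process creation) records,
# flattened to "timestamp|host|subject|parent process|command line".
# These lines are invented for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    r'2025-02-10T09:14:02Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q',
    r'2025-02-10T09:15:30Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin.exe create shadow /for=C:',
    r'2025-02-10T09:16:11Z|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit',
    r'2025-02-10T10:02:45Z|WS-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
    r'2025-02-11T02:30:00Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\wbem\WmiPrvSE.exe',
]

# Each rule is (name, regex over the command line). The rule names are this
# example's own; the patterns cover the well-documented ways ntds.dit leaves a
# domain controller: an ntdsutil IFM export, a shadow copy, and a raw copy of
# the file out of the shadow-copy device path.
RULES = [
    ("ntdsutil_ifm_export", re.compile(r"ntdsutil(\.exe)?\b.*\bntds\b.*\b(ifm|create)\b", re.I)),
    ("shadow_copy_created", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_dit_copied", re.compile(r"\bntds\.dit\b", re.I)),
    ("shadow_copy_path_access", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
]


@dataclass
class Finding:
    when: datetime
    host: str
    subject: str
    rule: str
    command: str


def parse_event(line):
    """Split one flattened 4688 record into its five fields."""
    ts, host, subject, parent, cmd = line.split("|", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, subject, parent, cmd


def scan_events(lines):
    """Return one Finding per (event, rule) match; a single event can hit several rules."""
    findings = []
    for line in lines:
        when, host, subject, _parent, cmd = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(when, host, subject, name, cmd))
    return findings


def correlate(findings, window=timedelta(minutes=30), min_rules=2):
    """Escalate a host when at least min_rules distinct rules fire within the window.

    A lone shadow copy is routine backup behaviour; a shadow copy followed by a
    copy of ntds.dit from the shadow-copy path on the same DC is not.
    """
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    alerts = {}
    for host, items in by_host.items():
        items.sort(key=lambda f: f.when)
        for i, first in enumerate(items):
            rules = {g.rule for g in items[i:] if g.when - first.when <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.host} {f.subject} [{f.rule}] {f.command}")
    print("escalated:", correlate(hits))
```

Process-creation logging with command-line capture (Security 4688 with the command-line audit policy enabled, or Sysmon event 1) must be on for any of this to fire; without the command line, the `ntdsutil` export and the shadow-copy copy are indistinguishable from ordinary administration. The correlation step is what keeps the false-positive rate tolerable, since backup software legitimately creates shadow copies on domain controllers.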

Sources informed cybersecurity researchers that the attackers deployed the DragonForce encryptor on VMware ESXi hosts on April 24th, targeting the encryption of virtual machines.

Analysts also revealed that Marks & Spencer has sought assistance from external security providers and Microsoft to investigate and address the situation.

The preliminary findings indicate that the attackers used tactics commonly employed by the Scattered Spider group.

Scattered Spider, also known by various names like 0ktapus, Starfraud, UNC3944, Scatter Swine, and Octo Tempest, encompasses threat actors skilled in social engineering, phishing, multi-factor authentication (MFA) fatigue attacks, and SIM swapping to achieve initial access to large organisations’ networks.

Potentially impacted parties should be wary and knowledgeable about these threats, as the purported threat group could execute targeted attacks using compromised data.
