Full Report
There’s a piece in The Sunday Times today about the DragonForce ransomware incident at Marks and Spencer which caught my eye. It’s a great piece; for example, it looks at how M&S contained the threat in order to eradicate it. The incident started at midnight, went straight to the CEO, and caused meetings every three hours all through the night. They made the decision to contain their systems to try to stop the threat actor causing more damage:

“By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off.”

This is smart. There’s a bit more flavour in the piece itself: “Inside the M&S meltdown: 3am meetings and £40m a week in losses”.

There’s one thing in the piece that caught my eye: it says experts believe that because the disruption at M&S is continuing, M&S haven’t paid the ransom.

This is wrong.

I’ve been in the trenches dealing with ransomware and destructive attack incidents for over a decade now — in fact, this very blog of mine is the first major documentation of Locky enterprise automated ransomware spreading (“You, your endpoints and the Locky virus” and “The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t near reached peak impact”, for people who’ve been around for a long time), and I’ve spent that decade calling on both businesses and governments to take this problem seriously. Which is kind of like pissing in the wind, it turns out, as people can’t see a problem until it directly impacts them — see also, climate change.

Paying the ransom is remarkably common. When I covered the Travelex ransomware attack years ago, they quietly paid early on — a fact only uncovered later by the Wall Street Journal, and one that received no coverage because everybody had moved on from the story by then. Travelex tried saying the ransomware incident was a “technical issue” at first.
It still took them months to recover, and the attack proved so costly they ended up having to restructure their business into Old Travelex and New Travelex.

Travelex aren’t alone. When I covered the Capita ransomware incident, they quietly paid Black Basta early on. It took them months to recover. They too blamed “technical issues”, on Microsoft 365, and I again had to uncover what had actually happened.

Now we have Co-op Group — awkwardly, a former employer — telling staff of an “IT issue”. They haven’t informed me in writing that they’ve lost my personal information, but I know they have. To Marks and Spencer’s credit, they’re saying loudly that it’s a cyber incident. Radical transparency with customers is the best thing to do in situations where the threat actor is someone like ‘Raymond Reddington’ (the codename the DragonForce ransomware operator has chosen), by the way: it sucks the oxygen out of the story, sets the narrative, and customers are surprisingly understanding when you’re up front.

There are many, many examples of organisations paying ransoms and then taking months to fully restore operations. In fact, in my experience it’s the norm. Quite often you end up having to rebuild Active Directory, an organisation’s key IT database. You end up having to do a compromise assessment. You end up with a thousand other tasks; it is a nightmare.

There is also an entire industry of legitimate companies who rewrite ransomware groups’ ‘decryptor’ software to fix bugs and make it work — this is how bad the engineering of the ransomware groups is. There are many articles about this so I won’t rehash the details, but quite often the decryption software is incredibly slow, taking weeks to run at scale, and is full of bugs.
Examples include crashing on certain file names, with no way to resume from the crash, so the process has to start again from the beginning.

Paying a ransom achieves two things.

One, you have a chance to cover up the full extent of what happened so customers and regulators don’t know — this is why you have organisations who won’t admit to ransomware or name the ransomware group. Almost all ransomware groups don’t list victim names on their leak portals while negotiating, and never afterwards once you’ve paid. As a counterweight to that, there’s a very good chance people like me will rumble you if it’s a major incident.

Two, you directly fund organised crime, so threat actors can buy more resources, tools and exploits to reach inside more organisations.

Both are, in my view, a race to the bottom. I don’t think organisations paying ransoms are making the smart play to protect shareholders — I think they’re actually aiming the car the shareholders are in at a wall and pressing the accelerator, driven by bad advice.

Paying the ransom means you’re still going to take serious time restoring operations — and instead of being a temporary blip, you can end up creating a problem which runs for years and years. For example, years later, Capita are still dealing with the fallout from their ransomware incident, with regulatory action looming — and all of their issues stem from a lack of transparency and customer protection.

Paying the ransom also means serious organised crime groups know you will pay. They will return. These groups talk to each other, and trade members. I’ve dealt with many organisations which have repeatedly been victims of different ransomware groups.

For example, I dealt with one supplier who got hit with ransomware four different times by four different ransomware groups in four years. The ransomware groups in question were raking in hundreds of millions of US dollars each year in revenue, with almost no costs. This organisation did not have the money to defend against adversaries with that level of budget.
They stopped paying the later ransoms, as by that point they had invested in better backups, but they had made themselves a target. Last time I checked on their financial position, their core business looked in doubt after those four years: they had gone from being a least-cost service provider to potentially being bankrupt.

One final point. The UK government have a cyber resilience bill in motion at the moment, and one of the proposals that may very well make it through is mandatory reporting of ransomware incidents and payments to the UK government, together with a ban on payments by Critical National Infrastructure. The endgame here, I suspect, is countries worldwide waking up and realising that payment is fuelling the ransomware (and frankly the cyber vendor) economy and, on balance, is too risky. I think the days of ‘just paying the ransom’ are numbered. And the days where you paid the ransom to get quick recovery never existed; that is a myth.

Organisations need to have robust containment plans, which include things like built and tested levers for shutting down VPN connections and Citrix sessions, and for locking down who has administrator access. If you get e-crime groups on your network, you need to act decisively and quickly to contain their access. Incident response vendors like Mandiant and Sophos release yearly stats on their incident response engagements. They deal with thousands of incidents like ransomware each year. Those stats from real-world engagements show that dwell time in organisations (from when attackers first gain access to when things go wrong) is measured in days, not hours as the media would suggest. There is almost always a window to identify that things are going wrong and intervene.

The threat isn’t theoretical — and this isn’t disaster recovery, which you’d only invoke in case of a fire. The threat is that somebody will deliberately set fire to your infrastructure.
You need ways to contain the fire and get the arsonist out of the building; otherwise they will set fire to your backup systems, and take all your things too.

Marks and Spencer did some really good things in this area, albeit maybe later than hindsight would like. Left unchecked, it could have been much worse for them, so shutting down remote access and the like was absolutely the right thing to do. Does your organisation know how to do that at 3am, and have people who are empowered to make the decisions?

It’s time to get serious about building resilient IT systems, locking all the doors, having robust and working containment steps, and halting the ransomware economic cycle driving these attacks.

“Big Game Ransomware: the myths experts tell board members” was originally published in DoublePulsar on Medium.
Analysis Summary
# Incident Report: DragonForce Ransomware Attack at Marks and Spencer
## Executive Summary
Marks and Spencer (M&S) experienced a significant ransomware incident attributed to the DragonForce ransomware operation, whose operator uses the codename 'Raymond Reddington'. The response involved immediate, executive-level decision-making to contain the threat by intentionally shutting down parts of the IT estate, accepting business disruption to prevent further damage. Disruption was still ongoing at the time of the source report (losses reported at around £40m a week). The analyst strongly refutes the claim that ongoing disruption shows M&S has not paid the ransom, citing extensive experience of post-payment recovery still taking months.
## Incident Details
- **Discovery Date:** Not explicitly stated; the source says the incident started at midnight and went straight to the CEO.
- **Incident Date:** Not stated beyond "midnight" on day 1 of the response.
- **Affected Organization:** Marks and Spencer (M&S)
- **Sector:** Retail
- **Geography:** UK (Implied, based on source material referring to The Sunday Times and £40m loss figures)
## Timeline of Events
### Initial Access
- **Date/Time:** Midnight (Day 1)
- **Vector:** Not explicitly detailed in the provided text.
- **Details:** The incident went straight to the CEO, with executive meetings every three hours through the night.
### Lateral Movement
- **Date/Time:** Not stated.
- **Details:** Not described in the source; M&S shut down parts of the IT estate specifically to stop the attack from spreading further.
### Data Exfiltration/Impact
- **Impact Type:** System disruption and operational lockdown resulting from the deliberate shutdown of parts of the IT estate. The source does not state whether M&S data was exfiltrated; the analyst's statement about lost personal data concerns Co-op Group, a separate incident.
### Detection & Response
- **Detection:** Immediate, escalating to the CEO at midnight.
- **Response Actions Taken:**
- Executive meetings initiated every 3 hours throughout the night.
- **Containment Decision:** They deliberately shut down parts of the IT estate to prevent the attack from spreading, accepting the trade-off of operational impact.
## Attack Methodology
*Note: Specific technical details regarding the attack methodology (e.g., specific TTPs used by DragonForce) are not provided in the source text, only high-level observations about the response.*
- **Initial Access:** Unknown based on source text.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown; containment (shutting down parts of the IT estate) was intended to stop further spread.
- **Collection:** Unknown; the source does not state whether data was taken from M&S.
- **Exfiltration:** Unknown.
- **Impact:** Operational disruption due to decisive containment actions.
## Impact Assessment
- **Financial:** Estimated loss of £40 million per week while disruption continues.
- **Data Breach:** Not stated for M&S in the source. The analyst's claim of lost personal data relates to Co-op Group, not M&S.
- **Operational:** Significant disruption due to the necessary shutdown of parts of the digital operations. Containment was prioritized over immediate uptime.
- **Reputational:** M&S is credited with "radical transparency" for publicly calling the event a cyber incident, in contrast to Travelex and Capita, which initially described their incidents as a "technical issue", and Co-op Group, which told staff of an "IT issue".
## Indicators of Compromise
- None provided in the source. The threat actor is identified as the **DragonForce** ransomware operation, whose operator has chosen the codename **'Raymond Reddington'**.
## Response Actions
- **Containment:** Immediate, decisive segmentation/shutdown of the IT estate to halt propagation ("shutting down parts of the IT estate").
- **Eradication:** Not described in the source. The analyst notes that full recovery, even after payment, often requires rebuilding Active Directory and a compromise assessment.
- **Recovery:** Ongoing; the source reports continuing business disruption and losses of around £40m a week.
## Lessons Learned
- **Decisive Containment is Crucial:** Shutting down IT segments to stop spreading malware is a "worthy trade-off," even if it causes short-term operational pain.
- **Transparency is the Best Policy:** Explicitly stating it is a cyber incident (as M&S did) can control the narrative and garner customer understanding.
- **Ransom Payment Does Not Equal Quick Recovery:** Organizations paying ransoms (like Travelex and Capita) frequently take months to recover due to the complexity of remediation tasks (e.g., AD rebuild, poor decryptor quality).
- **Repeat Victimisation:** Paying the ransom signals to organised crime groups, who talk to each other and trade members, that the organisation will pay; the analyst cites a supplier hit four times by four different ransomware groups in four years.
## Recommendations
- Organizations must establish robust, tested containment plans: built and rehearsed levers for shutting down VPN connections and Citrix sessions and for locking down administrator access, plus people empowered to pull those levers at 3 AM.
- Security programs must move past the myth that paying ransom guarantees swift recovery; focus must be placed on pre-incident resilience and rapid containment capabilities.
- Prepare for the UK cyber resilience legislation currently in motion, which may introduce mandatory reporting of ransomware incidents and payments to the UK government and a ban on payments by Critical National Infrastructure.
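As an illustration of what a "built and tested lever" for the first recommendation can look like, here is an added example; it is not M&S's code and not from the DoublePulsar post. It assumes, hypothetically, a Windows estate with an RRAS VPN (RemoteAccess module), Citrix Virtual Apps and Desktops (Citrix.Broker.Admin.V2 snap-in) and the ActiveDirectory module; the break-glass account names, log path and Tier-0 group list are placeholders to be replaced. It drops every VPN and Citrix session, then removes and disables every Tier-0 group member not on a pre-agreed break-glass list, logging each action for the later compromise assessment. The `-DryRun` switch lets the runbook be rehearsed without changing anything, which is the "tested" part.

```powershell
<#
  Containment lever (added example, not M&S's or DoublePulsar's code).
  Cuts remote access and freezes privileged access in one rehearsable step.
  Assumptions, all hypothetical: RRAS VPN (RemoteAccess module), Citrix
  Virtual Apps and Desktops (Citrix.Broker.Admin.V2 snap-in), ActiveDirectory
  module, and a pre-agreed break-glass list of responder accounts that keep
  their rights. Rehearse with -DryRun before it is ever needed at 3am.
#>
[CmdletBinding()]
param(
    # Placeholder names; the built-in Administrator stays so you cannot lock yourself out.
    [string[]] $BreakGlassAccounts = @('Administrator', 'ir-breakglass-1', 'ir-breakglass-2'),
    [string]   $LogPath = "C:\IR\containment-$(Get-Date -Format 'yyyyMMdd-HHmmss').log",
    [switch]   $DryRun
)

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

function Write-Log {
    param([string] $Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Invoke-Lever {
    # Every destructive action goes through here so -DryRun logs intent instead of acting,
    # and a failure on one object does not abort the rest of the runbook.
    param([string] $Description, [scriptblock] $Action)
    if ($DryRun) { Write-Log "DRYRUN $Description"; return }
    try   { & $Action; Write-Log "DONE   $Description" }
    catch { Write-Log "FAILED $Description : $($_.Exception.Message)" }
}

Import-Module ActiveDirectory
Import-Module RemoteAccess -ErrorAction SilentlyContinue
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue

# 1. Drop every active RRAS VPN session. Turning VPN back on is a separate, deliberate decision.
if (Get-Command Get-RemoteAccessConnectionStatistics -ErrorAction SilentlyContinue) {
    foreach ($conn in Get-RemoteAccessConnectionStatistics) {
        Invoke-Lever "disconnect VPN user $($conn.UserName)" { Disconnect-VpnUser -UserName $conn.UserName }
    }
} else { Write-Log 'SKIP   RemoteAccess module not present on this host' }

# 2. Log off every Citrix session, so an intruder riding a stolen session loses it.
if (Get-Command Get-BrokerSession -ErrorAction SilentlyContinue) {
    foreach ($session in Get-BrokerSession -MaxRecordCount 100000) {
        Invoke-Lever "stop Citrix session $($session.UserName) on $($session.MachineName)" {
            $session | Stop-BrokerSession
        }
    }
} else { Write-Log 'SKIP   Citrix Broker snap-in not present on this host' }

# 3. Freeze privileged access: remove and disable every Tier-0 member not on the break-glass list.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($group in $tier0Groups) {
    $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $members) {
        $sam = $member.SamAccountName
        if ($BreakGlassAccounts -contains $sam) { Write-Log "KEEP   $group member $sam (break-glass)"; continue }
        Invoke-Lever "remove $sam from $group" { Remove-ADGroupMember -Identity $group -Members $sam -Confirm:$false }
        Invoke-Lever "disable account $sam"    { Disable-ADAccount -Identity $sam }
    }
}

Write-Log "containment lever finished (DryRun=$DryRun)"
```

Run it as `.\Invoke-Containment.ps1 -DryRun` during a tabletop exercise and read the log: the list of accounts it would strip is itself a useful audit of who holds Tier-0 rights. The script deliberately does not reset the krbtgt password or restore access; those are separate decisions for the responders who hold the break-glass accounts, and should be written down as their own levers.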