M&S chairman Archie Norman provided more insights into the April ransomware attack, but did not confirm whether a payment was made to the attackers
# Incident Report: Marks & Spencer Ransomware Attack (April Incident)
## Executive Summary
Marks & Spencer (M&S) suffered a significant ransomware attack in April, confirmed to be related to the DragonForce ransomware operation working alongside loosely aligned actors, possibly including Scattered Spider. The attack caused major disruption and was characterised as an attempt to destroy the business for the purpose of financial extortion. The M&S Chairman confirmed the incident during a UK Parliament committee hearing but deliberately declined to confirm whether a ransom payment was made, framing that decision as a business choice.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the attack was confirmed publicly in July 2025, referring to an event in April.
- **Incident Date:** April (year not stated; implied to be the April preceding the July 2025 testimony).
- **Affected Organization:** Marks & Spencer (M&S)
- **Sector:** Retail
- **Geography:** UK (implied by UK Parliament testimony)
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately April [Undisclosed]
- **Vector:** Ransomware attack. The specific initial entry point is **not detailed** in the provided text.
- **Details:** The attack leveraged the DragonForce ransomware infrastructure, operated together with "loosely aligned" actors.
### Lateral Movement
- Details regarding specific lateral movement techniques are **not provided**. The focus is on the extortion element and executive response.
### Data Exfiltration/Impact
- **Impact:** The primary immediate impact was the attempt by the threat actors to stop customers from shopping at M&S, threatening serious business destruction. The exact nature of data exfiltration is **not detailed**.
### Detection & Response
- **Detection:** How the incident was detected is not described; it was managed internally, culminating in the Chairman testifying about it in July 2025.
- **Response Actions:** The response centred on managing significant business disruption; the question of whether to pay a ransom was framed as a complex "business decision."
## Attack Methodology
- **Initial Access:** Ransomware deployment, enabled by collaboration with DragonForce and other actors. Specific entry vector (e.g., phishing, exploited vulnerability) is **unknown**.
- **Persistence:** **Unknown**.
- **Privilege Escalation:** **Unknown**.
- **Defense Evasion:** **Unknown**.
- **Credential Access:** **Unknown**.
- **Discovery:** **Unknown**.
- **Lateral Movement:** **Unknown**.
- **Collection:** **Unknown**.
- **Exfiltration:** The text focuses on extortion; specific exfiltration details are **unknown**.
- **Impact:** Business disruption aimed at preventing customers from shopping, driven by extortion/ransom motives.
## Impact Assessment
- **Financial:** Not quantified, but implied to be significant due to the threat of business destruction and the complexity of managing the incident.
- **Data Breach:** Type and volume of data compromised are **not detailed**.
- **Operational:** Significant operational disruption linked to the threat of stopping customer shopping operations.
- **Reputational:** Subject of public testimony before the UK Parliament, suggesting high-level scrutiny.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Extortion attempt via ransomware execution leading to operational lockdown threats.
## Response Actions
- **Containment measures:** Details are **not provided**.
- **Eradication steps:** Details are **not provided**.
- **Recovery actions:** Details are **not provided**.
## Lessons Learned
- **Key takeaways:** Dealing with sophisticated ransomware attacks involving international criminal actors presents an unprecedented level of business challenge.
- **What could have been done better:** Not explicitly stated, but the ongoing reluctance to confirm a ransom payment suggests that negotiation/payment protocol was a central, difficult decision point.
## Recommendations
- **Prevention measures for similar incidents:** Given the use of DragonForce infrastructure and aligned actors, robust defensive architectures against ransomware, proactive threat hunting for the tradecraft of known collaborator groups (such as Scattered Spider), and an established decision framework for handling ransom demands before an incident occurs are paramount.