UK Retail Cyberattacks: A Deep Dive into the 2025 Ransomware Wave


Introduction

In the spring of 2025, a wave of sophisticated cyberattacks swept through the UK retail sector, targeting high-profile brands Harrods, Marks & Spencer (M&S), and the Co-operative Group (Co-op). These incidents, linked to the elusive hacking collective Scattered Spider, have exposed vulnerabilities in the retail industry's cybersecurity infrastructure. Unlike traditional cybercrime groups often based in regions like Russia or Eastern Europe, Scattered Spider operates as a decentralized, English-speaking network, making it a unique and potent threat. With ransomware attacks disrupting operations, compromising customer data, and costing millions in losses, the UK’s National Cyber Security Centre (NCSC) has issued urgent calls for retailers to strengthen their defenses. This article explores the details of these attacks, the tactics of Scattered Spider, their impact on the retail sector, and the broader implications for cybersecurity in the UK.

The Attacks: A Timeline of Disruption

Marks & Spencer: A Crippling Ransomware Strike

On April 21, 2025, M&S customers began reporting issues with contactless payments and click-and-collect services, signaling the start of a major cyber incident. The company confirmed a “cyber incident” later that day, and by April 25, M&S suspended all online orders, halting a critical revenue stream that generates approximately £3.8 million daily. The attack, identified as a ransomware assault, encrypted key servers using the DragonForce ransomware tool, rendering systems inaccessible. BleepingComputer reported that the breach may have begun as early as February 2025, when hackers allegedly stole the Windows domain’s NTDS.dit file, a database containing password hashes that enabled lateral movement across M&S’s network. The financial toll was severe: over £700 million was wiped off M&S’s market value, with shares dropping 6.5% in the week following the attack. The company also paused recruitment, removing nearly 200 job listings, and faced stock shortages in stores due to disrupted automated inventory systems.

Harrods: A Swift Response to an Attempted Breach

On May 1, 2025, Harrods, the iconic London department store owned by the Qatar Investment Authority, reported an attempted cyberattack. While the retailer did not confirm a successful breach, it restricted internet access across its sites, including the flagship Knightsbridge store, H beauty outlets, and airport shops, as a precautionary measure. Harrods’ IT security team acted swiftly to contain the threat, and the company assured customers that no immediate action was required, suggesting no data was compromised. Although details remain scarce, experts speculate that the attack may be linked to the same vulnerabilities exploited in the M&S and Co-op incidents, potentially involving a shared supplier or technological weakness.

Co-operative Group: Customer Data at Risk

The Co-op, a major British consumer cooperative operating over 2,000 grocery stores and 800 funeral parlors, disclosed an attempted cyberattack on May 1, 2025. The incident disrupted back-office and call center functions, prompting the shutdown of parts of its IT systems. Unlike Harrods, Co-op confirmed that customer data was compromised, though stores remained operational. The attack was linked to the DragonForce ransomware, with BleepingComputer citing sources that pointed to Scattered Spider’s involvement. The NCSC and Metropolitan Police are investigating, with the Co-op working to restore affected systems while managing the fallout from the data breach.

Scattered Spider: The Unconventional Threat

Scattered Spider, also known as Octo Tempest, UNC3944, or Muddled Libra, is a loosely organized hacking collective that stands out in the cybercrime landscape. Unlike traditional ransomware groups often based in Russia or other regions with permissive cybercrime environments, Scattered Spider comprises predominantly young, English-speaking individuals, some as young as 16, from the UK and US. This demographic, combined with their sophisticated tactics, makes them a unique and formidable adversary.

Tactics, Techniques, and Procedures (TTPs)

Scattered Spider’s playbook relies heavily on social engineering and exploiting human vulnerabilities rather than solely targeting technical flaws. Their methods include:

  • Phishing and MFA Fatigue: Hackers send phishing emails or bombard users with multi-factor authentication (MFA) prompts, hoping to trick employees into approving access out of frustration or error.
  • SIM Swapping: By convincing phone providers to transfer a victim’s phone number to a hacker-controlled SIM card, attackers bypass two-factor authentication and gain access to sensitive accounts.
  • Impersonation: Posing as IT staff or employees, hackers exploit trust to extract credentials or install malware. Their native English proficiency enhances the effectiveness of these social engineering attacks.
  • Ransomware-as-a-Service (RaaS): Scattered Spider collaborates with RaaS providers like DragonForce, purchasing ransomware tools on the dark web to encrypt systems and demand cryptocurrency payments.

The group’s initial breach of M&S, for example, involved stealing the NTDS.dit file, which allowed them to crack password hashes and spread laterally across the network undetected for months. Their use of DragonForce ransomware, deployed on April 24, 2025, targeted VMware ESXi hosts, encrypting virtual machines and paralyzing M&S’s operations. Silent Push, a cybersecurity firm, noted that Scattered Spider updated its phishing kits in 2025, with a fifth kit observed hosted on Cloudflare, indicating ongoing evolution in their TTPs.
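As an added illustration of how defenders can spot the MFA-fatigue tactic described above (this is example code, not from the article or any vendor; the log format, threshold, window and sample events are constructed assumptions), the following script scans authentication events for a burst of denied or timed-out push prompts and notes whether an approval followed the burst:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example for the MFA-fatigue tactic in the article, not the article's
# or any vendor's code; log format, threshold and sample events are constructed.
UNANSWERED = {"denied", "timeout"}

# Constructed sample log: "<ISO timestamp> <user> push <result>".
SAMPLE_EVENTS = [
    "2025-04-20T02:14:05 alice push denied",
    "2025-04-20T02:14:31 alice push denied",
    "2025-04-20T02:15:02 alice push timeout",
    "2025-04-20T02:15:40 alice push denied",
    "2025-04-20T02:16:20 alice push denied",
    "2025-04-20T02:17:05 alice push approved",  # user gives in to the prompts
    "2025-04-20T09:01:00 bob push approved",
    "2025-04-20T09:30:00 bob push denied",
    "2025-04-20T12:00:00 bob push approved",
]

def parse_event(line):
    ts, user, _method, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Return {user: (unanswered_prompts, approved_after_burst)} for each user
    with at least `threshold` denied/timed-out prompts inside `window`.
    approved_after_burst is True when an approval followed the burst within
    the window, which is the outcome a fatigue attack is waiting for."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, result = parse_event(line)
        per_user[user].append((ts, result))
    findings = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each prompt the user received.
            burst = [res for t, res in events[i:] if t - start <= window]
            unanswered = [k for k, res in enumerate(burst) if res in UNANSWERED]
            if len(unanswered) >= threshold:
                approved_after = "approved" in burst[unanswered[0] + 1:]
                findings[user] = (len(unanswered), approved_after)
                break  # first qualifying window is enough to raise an alert
    return findings

if __name__ == "__main__":
    for user, (count, approved) in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {count} unanswered prompts, approval followed: {approved}")
```

A burst that ends in an approval is the case to triage first, since it suggests the account holder accepted a prompt they did not initiate.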

A Global Track Record

Scattered Spider has a history of high-profile attacks, including the 2023 breaches of MGM Resorts and Caesars Entertainment, which resulted in $100 million and $75 million in losses, respectively. The group’s ability to target consumer-facing organizations with heavy reliance on digital infrastructure makes them particularly disruptive. Their decentralized structure, with members coordinating via hacker forums, Telegram, and Discord, complicates law enforcement efforts. While arrests have been made—such as Tyler Robert Buchanan, a 23-year-old alleged leader detained in Spain in 2024—the group remains active, with an estimated 1,000 members worldwide.

Impact on the UK Retail Sector

The 2025 cyberattacks have exposed systemic vulnerabilities in the UK retail sector, which processes millions of transactions daily and handles vast amounts of personal data. The financial and operational impacts are significant:

  • Financial Losses: M&S’s market value plummeted by over £700 million, with daily online revenue losses of £3.8 million. Harrods and Co-op, while less transparent about financial impacts, likely faced substantial costs in response and recovery efforts.
  • Operational Disruption: M&S’s suspension of online orders, halted recruitment, and empty store shelves disrupted customer trust and supply chains. Co-op’s back-office and call center outages strained customer service, while Harrods’ restricted internet access affected in-store operations.
  • Data Breaches: Co-op’s confirmed data breach raises concerns about customer privacy, with potential long-term reputational damage. M&S has not confirmed a data breach, but the nature of ransomware attacks often involves data theft, leaving customers wary.
  • Reputational Damage: The prolonged outages and uncertainty have eroded consumer confidence, particularly for M&S, which faces competition from more resilient retailers. Harrods, already navigating a separate scandal involving former owner Mohamed Fayed, risks further reputational strain.

The UK Parliament’s Business and Trade Committee has summoned the CEOs of Harrods, M&S, and Co-op to testify on the incidents, seeking clarity on NCSC support and compliance with cybersecurity frameworks. Experts argue that the retail sector’s reliance on legacy systems, decentralized IT infrastructure, and lack of mandatory cybersecurity audits have left it exposed.

The NCSC’s Call to Action

The NCSC, part of GCHQ, has responded to the attacks by urging retailers to bolster their cybersecurity. On May 1, 2025, NCSC CEO Richard Horne stated, “The disruption caused by the recent incidents impacting the retail sector is naturally a cause for concern to those businesses affected, their customers, and the public.” The agency recommends:

  • Patch Management: Regularly update systems to address known vulnerabilities, as DragonForce often exploits outdated software.
  • Employee Training: Educate staff on phishing, social engineering, and MFA fatigue to reduce human error.
  • Network Segmentation: Limit lateral movement by isolating critical systems, preventing hackers from spreading across networks.
  • Incident Response Plans: Develop and test robust plans to minimize downtime and data loss during attacks.
  • Consumer Guidance: Advise customers to monitor bank activity, update passwords, and avoid reusing credentials across platforms.

The NCSC is collaborating with affected retailers, the Metropolitan Police, and the National Crime Agency to investigate the attacks. M&S has also engaged cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to assist in recovery efforts.

Broader Implications for Cybersecurity

The 2025 retail cyberattacks underscore several critical trends in the cybersecurity landscape:

  • Ransomware-as-a-Service Growth: The accessibility of tools like DragonForce on the dark web lowers the barrier for cybercriminals, enabling even less-skilled hackers to launch sophisticated attacks.
  • AI-Driven Threats: Cybersecurity expert Cody Barrow of EclecticIQ warned that generative AI is accelerating the threat landscape, making it easier for hackers to craft convincing phishing emails and social engineering scripts.
  • Sector-Wide Vulnerabilities: Jake Moore of ESET noted that a successful attack on one retailer often triggers a “domino effect,” with hackers targeting similar companies in the same sector. The Co-op and Harrods incidents following M&S’s breach exemplify this trend.
  • Regulatory Gaps: Unlike financial services or critical infrastructure, the retail sector lacks stringent cybersecurity regulations, leaving it vulnerable to attacks. Experts call for mandatory audits and compliance frameworks to address this gap.

Conclusion

The 2025 cyberattacks on Harrods, M&S, and Co-op, linked to the Scattered Spider hacking collective, have sent shockwaves through the UK retail sector. With ransomware disrupting operations, compromising data, and costing millions, these incidents highlight the urgent need for stronger cybersecurity measures. Scattered Spider’s unconventional tactics, leveraging social engineering and RaaS tools like DragonForce, underscore the evolving nature of cyber threats. As the NCSC and retailers work to contain the damage, the broader implications for consumer trust, regulatory reform, and sector-wide resilience are clear. Retailers must prioritize cybersecurity as a boardroom issue, investing in modern systems, employee training, and incident response to prevent future breaches. For now, the UK retail sector remains on high alert, wary of the next move by Scattered Spider and other opportunistic cybercriminals.

Sources

  • Al Jazeera, “Harrods, M&S hit by cyberattack: What happened, who’s behind it?”
  • BleepingComputer, “Marks & Spencer breach linked to Scattered Spider ransomware attack”
  • The Guardian, “M&S cyber-attack linked to hacking group Scattered Spider”
  • Reuters, “Harrods is latest British retailer to be hit by cyber attack”
  • The Standard, “Who are Scattered Spider? The hacking group behind cyber-attacks on Marks & Spencer”
  • Posts on X, @PureCyberLtd and @Techmeme

By Breached Company