UK Retailers Hit by New Wave of Ransomware Attacks


Some big names in UK retail have had a tough time since late April 2025, enduring a wave of cyberattacks attributed to a young hacking collective, and the USA appears to be next on its list of targets.

Major Victims and Impact

One victim was the high-end food, clothing, and home goods retailer Marks & Spencer (M&S). The business had been ailing for years but was well on the way to turning things around after a successful 2022 revamp strategy. Just after it posted its highest year-end profit in decades, the cyberattack hit, and M&S estimates it will cost the company around £300 million ($403 million). Ongoing disruption to online services, contactless payments, and its click-and-collect service is expected to continue until July. The intrusion occurred on April 22, 2025, and on May 13, 2025, M&S confirmed that customer data had been stolen.

Co-op, the community-focused retailer, operates more than 2,500 supermarkets as well as 800 funeral homes and an insurance business, and employs around 70,000 staff nationwide. It was attacked at around the same time as M&S. Co-op's IT team detected attempts to gain unauthorized access on April 22, 2025, and took systems offline before the ransomware could encrypt its data, shutting down IT systems on April 30, 2025. They were too late to stop customer information from being stolen (Co-op confirmed data theft occurred in April 2025), but their prompt action likely spared the business the kind of huge losses that M&S is now facing.

The next victim was Harrods, the world-famous luxury London department store, which seems to have fared much better. It detected the intrusion in late April 2025 and confirmed the cyberattack on May 1, 2025. Taking systems offline and restricting internet access to contain the attack appears to have been largely successful, with only minor problems reported.

Adidas, the global sportswear giant, also confirmed a data breach affecting UK customers who had previously contacted its customer service. This incident, disclosed on May 23, 2025, has not been attributed to ransomware and is distinct from the attacks on M&S and Co-op, but it highlights another critical exposure for large retailers: third-party service providers. An 'unauthorised external party' gained access to customer contact information (such as names and email addresses) through one of Adidas's external customer service vendors. Adidas has stated that no financial information or passwords were compromised in this breach, and it is investigating and notifying affected individuals.

Finally, Peter Green Chilled, a logistics company that puts chilled foods on the shelves of major UK supermarkets, including Tesco, Aldi, Sainsbury’s, and Co-op, experienced a ransomware attack on May 14. This affected deliveries to all those stores and left many of their chillers empty. No one has claimed responsibility for this attack so far, but the timing and the ransomware element have led some to speculate that it might have been carried out by the same group, Scattered Spider.

Scattered Spider

Scattered Spider (also tracked as UNC3944, Octo Tempest, and other names) is the prime suspect, but in the murky world of cybercrime it can be difficult to establish who is responsible for such attacks. According to the National Crime Agency (NCA), speaking in a recent BBC documentary, the group is thought to be a loose collective of generally young, English-speaking hackers, mostly from the US and UK, and operational since 2022. Google's Threat Intelligence Group (GTIG) researchers stated that the hacks were consistent with Scattered Spider targeting. Others have pointed to DragonForce, a ransomware group that divides its time between hacktivism (politically motivated hacking) and straightforward profit-driven cybercrime.

While the Co-op attackers claimed to be from DragonForce, some experts suspect they are Scattered Spider members, because the attack relied on sophisticated phishing and social engineering to trick employees into revealing their login credentials, a hallmark of that group.

Method of Attack

Victim companies don't always reveal the full details of cyberattacks, particularly while investigations are ongoing, but human error is reported to be a major factor in the M&S case. Scattered Spider members have been known to pay people to act on their behalf, and in this instance a couple of individuals contacted the IT helpdesk pretending to be employees of Tata Consultancy Services, a third-party IT services contractor. They reportedly talked the helpdesk staff into resetting the passwords of the workers they were impersonating. A password reset performed at the helpdesk's end bypasses whatever credential-based defences protect the account, and it gave the attackers access to M&S systems, where they reportedly went undetected for 52 hours, plenty of time to deploy their DragonForce ransomware tools.

DragonForce operates as a Ransomware-as-a-Service (RaaS) group and sells access to its ransomware tools and infrastructure to affiliates. Under this ‘business’ model, affiliates can use DragonForce’s ransomware encryptors, negotiation platforms, and data leak sites to conduct attacks, often under their own branding. DragonForce takes a percentage of the ransom payments, typically 20-30%, according to various sources.

It has also introduced a "cartel" model, which it announced in May 2025. This lets affiliates run customized ransomware brands on DragonForce's infrastructure, lowering the technical barrier for cybercriminals still further.

Wake-up Call

These incidents serve as a wake-up call. Tricking a helpdesk employee is a classic social engineering tactic. Major companies often invest huge amounts of money in state-of-the-art cybersecurity tools, but the M&S attack shows that sometimes all it takes to sidestep multilayered technical defences is the ability to talk somebody into doing something that they shouldn't. A single lapse in identity verification effectively handed over the keys to the business and caused hundreds of millions of pounds in damage. It is an extreme example of why security training matters, and of why a reset process must not depend on one person's judgement alone: a caller's claim to be a colleague or contractor is never sufficient evidence of identity.

The UK's National Cyber Security Centre (NCSC) described this spate of attacks as a wake-up call for all retail sector businesses and has issued the following recommendations:

  • Review IT help desk processes: Strengthen identity verification for password resets, especially for senior and privileged staff, so that a caller's claim to be an employee or contractor is never enough on its own.
  • Deploy multi-factor authentication (MFA): Implement MFA comprehensively across all systems as an extra layer of security against unauthorized access.
  • Monitor risky logins: Use tools such as Microsoft Entra ID Protection to flag and investigate logins at unusual times or from unusual sources (for example, residential broadband ranges and consumer VPN exit points).
  • Audit admin accounts: Regularly verify Domain, Enterprise, and Cloud Admin accounts to ensure only legitimate users hold elevated privileges.
  • Enhance security team capabilities: Make sure the security team can detect and block logins from suspicious sources before an intrusion spreads.
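The following Python script is an added example, not code from Reflectiz, the NCSC, or any of the vendors named above. It turns the "monitor risky logins" and "review help desk processes" points into concrete detection logic and also covers the M&S-style sequence from the Method of Attack section: a helpdesk password reset followed shortly by a sign-in from a suspicious source. The JSON-lines format, field names (user, time, country, asn_type, result, ticket, verified_by), the working-hours window, and the accepted verification methods are all assumptions for the example, and every event, user and ticket number is constructed. A real deployment would read these fields from your sign-in and audit log exports.

```python
"""Flag risky sign-ins and unverified helpdesk password resets from sample log
lines, then pair each reset with any risky sign-in that follows it.  Added
example with constructed data; field names are assumptions, not a real schema."""
import json
from datetime import datetime

# Constructed sample sign-in records (not a real Entra ID export).
SIGNIN_LOG = """\
{"user": "alice.admin", "time": "2025-04-22T09:12:00Z", "country": "GB", "asn_type": "corporate", "result": "success"}
{"user": "alice.admin", "time": "2025-04-22T23:41:00Z", "country": "GB", "asn_type": "residential_vpn", "result": "success"}
{"user": "bob.store", "time": "2025-04-22T10:05:00Z", "country": "GB", "asn_type": "corporate", "result": "success"}
{"user": "bob.store", "time": "2025-04-22T10:30:00Z", "country": "US", "asn_type": "residential_vpn", "result": "success"}
{"user": "carol.ops", "time": "2025-04-23T03:15:00Z", "country": "GB", "asn_type": "corporate", "result": "failure"}
"""

# Constructed sample password-reset audit records from a hypothetical helpdesk feed.
RESET_LOG = """\
{"user": "alice.admin", "time": "2025-04-22T22:58:00Z", "actor": "helpdesk1", "ticket": "HD-1001", "verified_by": "callback"}
{"user": "dave.admin", "time": "2025-04-22T23:05:00Z", "actor": "helpdesk2", "ticket": "", "verified_by": "caller_said_so"}
{"user": "bob.store", "time": "2025-04-22T11:00:00Z", "actor": "helpdesk1", "ticket": "HD-1002", "verified_by": "callback"}
"""

ADMIN_ACCOUNTS = {"alice.admin", "dave.admin"}      # assumed privileged accounts
WORK_HOURS = range(7, 20)                           # 07:00-19:59 UTC counts as normal (assumption)
ACCEPTED_VERIFICATION = {"callback", "in_person", "manager_confirmed"}  # assumed policy


def parse_jsonl(text):
    """Parse JSON-lines into dicts, converting 'time' to an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def baseline_countries(signins):
    """Countries each user has successfully signed in from via corporate networks."""
    seen = {}
    for rec in signins:
        if rec["asn_type"] == "corporate" and rec["result"] == "success":
            seen.setdefault(rec["user"], set()).add(rec["country"])
    return seen


def risky_signins(signins, admins=ADMIN_ACCOUNTS):
    """Return (user, iso_time, reasons) for successful sign-ins worth investigating."""
    baseline = baseline_countries(signins)
    findings = []
    for rec in signins:
        if rec["result"] != "success":
            continue                      # failed attempts are handled by lockout policy, not here
        reasons = []
        if rec["asn_type"] == "residential_vpn":
            reasons.append("residential VPN/proxy source")
        if rec["time"].hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if rec["country"] not in baseline.get(rec["user"], set()):
            reasons.append(f"new country {rec['country']}")
        if reasons and rec["user"] in admins:
            reasons.append("privileged account")
        if reasons:
            findings.append((rec["user"], rec["time"].isoformat(), reasons))
    return findings


def unverified_resets(resets, admins=ADMIN_ACCOUNTS):
    """Password resets that lack a ticket or an accepted identity check."""
    findings = []
    for rec in resets:
        problems = []
        if not rec.get("ticket"):
            problems.append("no helpdesk ticket")
        if rec.get("verified_by") not in ACCEPTED_VERIFICATION:
            problems.append(f"weak verification: {rec.get('verified_by')}")
        if problems:
            if rec["user"] in admins:
                problems.append("privileged account")
            findings.append((rec["user"], rec["ticket"] or "<none>", problems))
    return findings


def reset_then_risky_login(resets, signins, window_minutes=120):
    """Pair each reset with a risky sign-in on the same account within the window.

    Returns (user, ticket, minutes_after_reset, reasons) tuples."""
    risky_by_user = {}
    for user, when, reasons in risky_signins(signins):
        risky_by_user.setdefault(user, []).append((datetime.fromisoformat(when), reasons))
    hits = []
    for reset in resets:
        for when, reasons in risky_by_user.get(reset["user"], []):
            minutes = int((when - reset["time"]).total_seconds() // 60)
            if 0 <= minutes <= window_minutes:
                hits.append((reset["user"], reset["ticket"] or "<none>", minutes, reasons))
    return hits


if __name__ == "__main__":
    signins = parse_jsonl(SIGNIN_LOG)
    resets = parse_jsonl(RESET_LOG)
    for user, when, reasons in risky_signins(signins):
        print(f"RISKY SIGN-IN  {user} at {when}: {', '.join(reasons)}")
    for user, ticket, problems in unverified_resets(resets):
        print(f"UNVERIFIED RESET  {user} ticket={ticket}: {', '.join(problems)}")
    for user, ticket, minutes, reasons in reset_then_risky_login(resets, signins):
        print(f"RESET THEN RISKY SIGN-IN  {user} ticket={ticket} +{minutes} min: {', '.join(reasons)}")
```

On the constructed data this flags alice.admin's late-night sign-in over a residential VPN, bob.store's sign-in from a country never seen on the corporate network, and dave.admin's reset that was performed with no ticket and only the caller's word as verification. The correlation step then ties alice.admin's reset to the risky sign-in 43 minutes later, which is the sequence a helpdesk-impersonation attack produces and the one worth paging someone about.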

USA Retailers Already Under Attack

Across the Atlantic, Google's Threat Intelligence Group and the FBI have warned that Scattered Spider has shifted its focus to US retail targets, and attacks on big retail companies are already underway. The names of the affected US retailers have not been publicly disclosed because of ongoing investigations and privacy concerns, but sources report that between three and five have been hit. So the message is clear: be vigilant. Assume you are the next victim and follow the guidance, and you'll stand a better chance of not becoming one.
