
Retail Ransom: The UK's Cyber Crisis

In the last few weeks, cyberattacks on the UK retail sector have made headlines, in particular those on M&S, Harrods and the Co-op. These attacks have hit retailers hard, with M&S alone losing £1 billion in market value. Retailers have faced empty shelves, electronic payment failures and delayed deliveries as a result.

A blog post from the NCSC on the 4th May 2025 says:

“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that.”  

Quote from NCSC blog post https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers

A cybercriminal group known as Scattered Spider appears to be the likely culprit.

Who is Scattered Spider?

Scattered Spider is a cybercriminal group known for targeting large organisations, particularly in retail, finance, telecoms and gaming. They specialise in social engineering: impersonating IT staff, SIM swapping, and exploiting multi-factor authentication (MFA) fatigue to gain access.

How They Operate

  • Phishing & impersonation: They pose as IT staff to steal credentials.
  • SIM swapping: They hijack phone numbers to bypass security measures.
  • Ransom demands: They encrypt systems and demand payment to restore access.

Group Affiliations

  • BlackCat/ALPHV: Scattered Spider has been affiliated with this group and has used its ransomware in high-profile attacks.
  • RansomHub: Scattered Spider has moved to using RansomHub in recent attacks.
  • The DragonForce Group: Links between Scattered Spider and DragonForce are unconfirmed. However, some reports say that DragonForce has claimed responsibility for the M&S breach, which would indicate that Scattered Spider may be affiliated with them. DragonForce is a cybercriminal group that deploys its own ransomware strain, DragonForce ransomware, in its attacks.
  • The Community ("The Com"): Scattered Spider is believed to be part of a broader hacking community known as "The Community" or "The Com," a group of hackers known to be involved in some high-profile breaches.

These affiliations would suggest that Scattered Spider is highly adaptable and leverages different ransomware strains depending on their operational needs.

The group has shown interest in supply chain vulnerabilities in the past, which could go a long way towards explaining how three major retailers were hit in quick succession.

Why Scattered Spider is considered the most likely culprit

  • Tactics and Techniques: Scattered Spider is known for using sophisticated social engineering tactics, often targeting IT help desks to reset credentials and bypass multi-factor authentication. Reports have emerged suggesting that the attacks on M&S and Co-op involved tricking IT workers into providing access.
  • Ransomware: While not always the primary goal, Scattered Spider has been associated with ransomware deployment, including the DragonForce ransomware from the DragonForce group, which some reports suggest was used in the M&S attack.
  • Target Profile: Scattered Spider typically targets large organizations across various sectors, including retail, and the recent victims (M&S, Harrods, Co-op) fit this profile.
  • English-Speaking Group: Scattered Spider is believed to be made up largely of young, English-speaking individuals based in the UK and the US, which aligns with the location of the affected retailers.
  • Previous Attacks: The group has a history of high-profile attacks, including those on major US casino operators Caesars Entertainment and MGM Resorts International, demonstrating their capability to cause significant disruption.
  • Media Reports and Expert Analysis: Numerous cybersecurity experts and media outlets have identified Scattered Spider as the leading suspect in the M&S attack and potentially linked to the incidents at Harrods and Co-op as well.

MITRE ATT&CK provides a detailed breakdown of Scattered Spider’s tactics, techniques, and procedures (TTPs), helping cybersecurity teams understand their attack patterns. More information on Scattered Spider can be found at this link https://attack.mitre.org/groups/G1015/.

Key Takeaways

  • Social Engineering is the Weak Link: Cybercriminals are bypassing traditional defences by exploiting human vulnerabilities, tricking IT staff into resetting credentials, and evading multi-factor authentication.
  • Supply Chain Risks: Retailers rely on complex digital ecosystems, making third-party vendors a potential entry point for attackers. Businesses must audit their external partners to identify security gaps.
  • Ransomware Evolution: Groups like Scattered Spider are not just encrypting files but stealing data first, giving them leverage to demand higher ransoms under the threat of exposure.
  • Prevent MFA Fatigue Exploits: Hackers overwhelm employees with repeated authentication requests until they inadvertently approve access. Companies must educate staff on recognising MFA abuse.
  • Proactive Threat Hunting: Relying solely on firewalls and antivirus software is no longer enough. Businesses must implement advanced threat detection to spot unusual access patterns before an attack unfolds.
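The MFA fatigue pattern described above (a burst of denied or expired push prompts followed by an approval) is one of the "unusual access patterns" a threat hunting team can alert on. The detection below is an added example written for this post, not code from the NCSC, MITRE or any vendor; the JSON log lines and field names (`ts`, `user`, `event`, `result`) are constructed and will need mapping to your identity provider's real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log, one JSON record per line (not real vendor output).
# alice receives four unapproved prompts in two minutes and then approves one:
# the exact sequence an MFA fatigue attack is trying to produce.
SAMPLE_LOG = """
{"ts": "2025-05-01T08:00:05Z", "user": "alice", "event": "push_sent", "result": "timeout"}
{"ts": "2025-05-01T08:00:40Z", "user": "alice", "event": "push_sent", "result": "denied"}
{"ts": "2025-05-01T08:01:10Z", "user": "alice", "event": "push_sent", "result": "denied"}
{"ts": "2025-05-01T08:01:55Z", "user": "alice", "event": "push_sent", "result": "timeout"}
{"ts": "2025-05-01T08:02:30Z", "user": "alice", "event": "push_sent", "result": "approved"}
{"ts": "2025-05-01T08:05:00Z", "user": "bob",   "event": "push_sent", "result": "approved"}
{"ts": "2025-05-01T09:00:00Z", "user": "carol", "event": "push_sent", "result": "denied"}
{"ts": "2025-05-01T09:20:00Z", "user": "carol", "event": "push_sent", "result": "approved"}
""".strip()

WINDOW = timedelta(minutes=10)  # sliding window in which prompts are counted
THRESHOLD = 3                   # unapproved prompts inside WINDOW before alerting

def parse_log(text):
    """Parse JSON lines into records with a datetime timestamp, oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])

def detect_mfa_fatigue(records, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert_type} for users with >= threshold denied/expired
    pushes inside `window`. The alert is escalated to 'approved_after_fatigue'
    when an approval follows the burst within the window, which is the case
    that deserves an immediate response (session revocation, user contact)."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r)
    alerts = {}
    for user, events in per_user.items():
        failures = []
        for ev in events:
            # Drop failures that have aged out of the sliding window.
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if ev["result"] in ("denied", "timeout"):
                failures.append(ev)
                if len(failures) >= threshold:
                    alerts[user] = "fatigue_burst"
            elif ev["result"] == "approved" and len(failures) >= threshold:
                alerts[user] = "approved_after_fatigue"
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))
```

Carol's single denial twenty minutes before her approval falls outside the window, so she is not flagged; tune `WINDOW` and `THRESHOLD` against your own baseline of legitimate timeouts before deploying.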

With three major retailers hit in just two weeks, it raises the question: Is the UK retail sector ready for the next attack? And where will it come from?
