Introduction

Recent ransomware attacks have increasingly targeted major retailers in the UK and the US, with significant incidents involving companies such as Marks and Spencer (M&S), Co-Operative Group (Co-op) [5], and United Natural Foods (UNFI) [3]. These attacks are primarily orchestrated by the criminal group DragonForce, which has been active since 2023 and has recently rebranded as a “Ransomware Cartel.” This group collaborates with other hacking collectives, such as Scattered Spider [2] [3] [7], to execute sophisticated cyberattacks that disrupt operations and compromise sensitive data.

Description

Recent ransomware attacks have targeted major UK retailers [5], including Marks and Spencer (M&S) and Co-Operative Group (Co-op) [5], as well as US companies like United Natural Foods (UNFI). The criminal group DragonForce [5], active since 2023 and recently rebranded as a “Ransomware Cartel,” has been offering ransomware-as-a-service kits to cybercriminal affiliates for a 20% cut of any ransoms collected. They lease their malware through dark web marketplaces and have become increasingly active on major dark web forums. While believed to be based in Malaysia [1], some sources suggest they may also operate from Russia. DragonForce has collaborated with the hacking collective Scattered Spider [5], also known as UNC3944. This loosely organized group of young, English-speaking hackers from the US and UK is recognized for their social-engineering tactics, such as SIM-swapping and impersonation scams [7], which they employ to gain access to systems.

In a notable incident on April 23, DragonForce sent a threatening email to M&S’s CEO [7], Stuart Machin [4], claiming responsibility for a cyberattack that encrypted all servers and stole customer data. The email [4], sent from an employee’s account [4], included a ransom demand and aggressive language, asserting their control over the situation [7]. The attack has cost M&S an estimated £300 million and disrupted online orders for over six weeks [4]. While M&S has not confirmed whether a ransom was paid, cyber-forensics experts noted that the retailer had usable backups [7], enabling them to restore systems without needing to decrypt data [7]. Earlier, in February, Scattered Spider infiltrated M&S’s systems, stealing Windows domain credentials and subsequently accessing more information through lateral movement within the network [2]. This breach prompted the involvement of external cybersecurity firms [2], including CrowdStrike and Microsoft [2], to assess the damage [2]. Similarly, DragonForce claimed responsibility for a simultaneous attack on Co-op [4], which caused significant supply chain issues [4]. UNFI also experienced a cyberattack that forced the company to shut down some of its systems [3], disrupting operations [3], although the specifics of the attack and whether any data was stolen remain undisclosed [3].

DragonForce is adept at manipulating helpdesk staff into resetting passwords [5], which provides them with a crucial foothold within networks [5]. Following a breach of a managed service provider (MSP), the group exploited vulnerabilities in the SimpleHelp remote monitoring and management platform to infiltrate downstream customers [6]. This incident exemplifies a supply chain attack utilizing trusted MSP tools [6], highlighting MSPs as prime targets for ransomware gangs [6]. Once inside victim networks, DragonForce conducts network reconnaissance [6], collects customer data [6], and executes double-extortion ransomware attacks [6], leading to encrypted systems and stolen data [6]. These incidents are indicative of a growing trend in cyberattacks [5], necessitating stringent recovery measures to regain control and restore normal operations [5].

The National Cyber Security Centre (NCSC) has warned that ransomware and data extortion are widespread [7], urging organizations to strengthen their defenses against potential attacks from groups like DragonForce and Scattered Spider [7]. To enhance security [5], it is essential to protect initial access points by extending Multi-Factor Authentication (MFA) coverage to internal systems, particularly in Active Directory environments [5], which are prime targets for ransomware groups [5]. Monitoring the usage of privileged accounts is also critical [5], with a focus on cross-tier access where high-privilege accounts interact with lower-security environments [5]. The recent association of DragonForce and Scattered Spider with attacks on US companies indicates a concerning shift in focus from previous targets, highlighting the need for heightened vigilance across the retail sector. Their history of targeting large retailers [2], including previous victims like MGM Resorts and Caesars Entertainment, suggests that more large retailers may be targeted in the future as they continue to exploit vulnerabilities within extensive networks [2]. The extent of collaboration between DragonForce and Scattered Spider remains unclear, but their combined efforts pose a significant threat to organizations across various sectors.
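The two detection points raised above, privileged accounts crossing tiers and helpdesk-driven password resets of higher-privilege accounts, can be expressed as simple rules over Windows Security log events. The script below is an added example written for this summary; it is not code from any of the cited reports, and the tier assignments, host names and account names are constructed assumptions. It models a three-tier Active Directory layout (tier 0 domain controllers and domain admins, tier 1 servers, tier 2 workstations and standard users) and flags two conditions: a higher-tier account performing an interactive or RDP logon (event 4624) onto a lower-tier host, and a password reset (event 4724) where the actor sits in a lower tier than the account being reset.

```python
"""Flag privileged-account use across Active Directory tiers.

Added example, not taken from the referenced reports. Assumes a simple tier model:
tier 0 = domain controllers / domain admins, tier 1 = servers / server admins,
tier 2 = workstations / standard users. Input events are constructed samples
carrying a few fields from Windows Security events 4624 (successful logon) and
4724 (password reset attempt); a real deployment would read them from a SIEM.
"""
from dataclasses import dataclass

# Assumed tier assignments; in practice derive these from AD group membership and OU.
ACCOUNT_TIER = {
    "da-jsmith": 0,      # Domain Admins member
    "srv-admin01": 1,    # server administrator
    "jdoe": 2,           # standard user
    "helpdesk-amy": 2,   # helpdesk account that should only reset tier-2 users
}
HOST_TIER = {
    "DC01": 0,
    "FILESRV02": 1,
    "WS-1042": 2,
}
# Logon types that leave reusable credential material on the target host.
EXPOSED_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str
    detail: str


def tier_of(table, name, default=2):
    # Unknown principals are treated as the lowest-trust tier.
    return table.get(name, default)


def check_logon(ev):
    """Event 4624: a higher-privilege (lower-numbered) account logging on interactively
    to a lower-tier host exposes its credentials there; that is a tiering violation."""
    acct, host, lt = ev["TargetUserName"], ev["Computer"], ev["LogonType"]
    if lt not in EXPOSED_LOGON_TYPES:
        return None  # network logons (type 3) do not cache credentials; not flagged here
    a_t, h_t = tier_of(ACCOUNT_TIER, acct), tier_of(HOST_TIER, host)
    if a_t < h_t:
        return Finding("cross-tier-logon", acct, host,
                       f"tier-{a_t} account {EXPOSED_LOGON_TYPES[lt]} logon to tier-{h_t} host")
    return None


def check_reset(ev):
    """Event 4724: a password reset where the actor's tier is lower than the target's."""
    actor, target, host = ev["SubjectUserName"], ev["TargetUserName"], ev["Computer"]
    if tier_of(ACCOUNT_TIER, target) < tier_of(ACCOUNT_TIER, actor):
        return Finding("cross-tier-password-reset", actor, host, f"reset password of {target}")
    return None


CHECKS = {4624: check_logon, 4724: check_reset}


def scan(events):
    """Run every applicable rule over the event stream and return the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        if check is not None:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample events (field names mirror the Windows event schema, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-jsmith", "LogonType": 10},      # expected
    {"EventID": 4624, "Computer": "WS-1042", "TargetUserName": "da-jsmith", "LogonType": 10},   # violation
    {"EventID": 4624, "Computer": "WS-1042", "TargetUserName": "jdoe", "LogonType": 2},         # expected
    {"EventID": 4624, "Computer": "FILESRV02", "TargetUserName": "da-jsmith", "LogonType": 3},  # network logon
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "helpdesk-amy", "TargetUserName": "jdoe"},       # expected
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "helpdesk-amy", "TargetUserName": "da-jsmith"},  # violation
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account} on {f.host}: {f.detail}")
```

Run against the constructed sample, the script reports exactly the two violations: the domain admin's RDP session onto a workstation and the helpdesk account resetting a domain admin's password. Network logons are deliberately left out of the first rule because they do not leave cached credentials on the target; whether to alert on them too is a tuning decision for the environment.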

Conclusion

The recent wave of ransomware attacks orchestrated by DragonForce and its affiliates underscores the critical need for robust cybersecurity measures. Organizations must prioritize the implementation of comprehensive security protocols, such as Multi-Factor Authentication and vigilant monitoring of privileged accounts, to mitigate the risk of future attacks. The evolving tactics of these cybercriminal groups, including their focus on supply chain vulnerabilities and collaboration with other hacking collectives, highlight the importance of continuous vigilance and adaptation in cybersecurity strategies. As these threats continue to evolve, businesses across various sectors must remain proactive in safeguarding their networks and data against potential breaches.

References

[1] https://www.inkl.com/news/dragonforce-and-scattered-spider-inside-the-hacker-groups-linked-to-m-s-cyberattack
[2] https://www.cimcor.com/blog/marks-spencer-hit-by-ransomware-attack
[3] https://securityboulevard.com/2025/06/united-natural-foods-hack-richixbw/
[4] https://digitalmarketreports.com/news/40597/ms-hackers-sent-abuse-and-ransom-demand-straight-to-ceo/
[5] https://www.cybersecurityintelligence.com/blog/recent-ransomware-attacks-have-focused-on-identity-gaps-8435.html
[6] https://seceon.com/ransomware-in-the-supply-chain-what-the-dragonforce-attack-means-for-msps/
[7] https://www.thehackacademy.com/news/marks-spencer-reopens-website-six-weeks-after-dragonforce-scattered-spider-cyber-attack-retailer-warns-of-300-m-profit-hit/