Introduction
The Scattered Spider hacking group [5] [8] [11] [12], also known by aliases such as 0ktapus and UNC3944, orchestrated a significant ransomware attack on Marks & Spencer (M&S) in early 2025. The attack combined social engineering against staff with weaknesses in M&S's Active Directory and privilege management, and it led to substantial operational disruption and financial loss for the company.
Description
The Scattered Spider hacking group [5] [8] [11] [12], also known as 0ktapus [1] [3] [8], Starfraud [3] [8], Scatter Swine [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], Muddled Libra [3] [6] [8], or UNC3944 [6], is a highly active, financially motivated criminal group responsible for a significant ransomware attack on the British multinational retailer Marks & Spencer (M&S) that began in February 2025. The attack exploited weaknesses in Active Directory security and enterprise privilege management [9]. Initial access came through social engineering rather than a software exploit: phishing, SIM swapping [1] [3] [4] [6] [8] [12], and multi-factor authentication (MFA) bombing, in which a user is flooded with push prompts until one is approved, gave the attackers a foothold in M&S's internal systems. By April 24, 2025 [1] [6] [9], the attackers had deployed DragonForce ransomware [5] [9], which encrypted M&S's servers and VMware virtual machines [9], locking the organization out of its own infrastructure and causing substantial operational disruption for more than a week.
The attack severely disrupted payment systems, including contactless payments and online orders [3], leaving empty shelves in some M&S food stores and prompting M&S to tell approximately 200 warehouse employees to stay home. Contactless payments were later restored, but online orders remained halted [10] and delays in click-and-collect orders persisted. Customers faced limited product availability, a sign of broader supply chain disruption [5]. M&S lost approximately £650 million in stock market valuation, with daily losses from halted online sales estimated at £3.5 million [5]. Customers could still shop in physical stores [8], but return options for food items were limited and gift cards could not be used. M&S acknowledged the incident [5] [7], apologized to customers and notified the London Stock Exchange [7], stating that it was managing the situation proactively and that customers did not need to take any action at that time [2].
Scattered Spider is known for targeting large multisite organizations and for operating as a loose, decentralized network of individuals, which lets its tactics evolve quickly and makes the group difficult to track [12]. Once inside [9], the group went after the Active Directory domain controllers to extract the NTDS.dit file [9], the database behind Active Directory Domain Services, which holds the password hashes of every domain account. NTDS.dit does not store passwords in plain text: it stores NT hashes, and the attackers ran those hashes through Hashcat to recover the underlying passwords and gain higher privileges [9], then used both the recovered passwords and the raw hashes to spread through the network [7]. For lateral movement [9] [11], Scattered Spider used pass-the-hash (PtH) attacks and forged Kerberos tickets [9]. Both techniques produce authentication traffic that looks legitimate to the domain controllers, so they reach critical systems without the failed-logon noise that would normally alert defenders [9]. The practical consequence is that a compromised directory cannot be cleaned by removing malware alone: a ticket forged from the krbtgt account's hash stays valid until that account's password has been reset twice, and every harvested hash has to be assumed usable until the corresponding password is changed.
The group has a history of data theft for extortion and has evolved from financial fraud and social media account hijacking to cryptocurrency theft and extortion over stolen corporate data. Investigators believe the hackers used a tool from the DragonForce group [10], which complicates attribution [10], although Scattered Spider remains the primary focus of the investigation [10]. DragonForce has operated as a ransomware-as-a-service offering since December 2023 [12], and Scattered Spider has previously acted as an affiliate of other ransomware operations [12]; common tactics such as credential harvesting and help desk impersonation link the group to a range of earlier attacks [12].
Scattered Spider has been linked to over 100 targeted attacks across various industries [2], including retail [1] [2] [3] [5] [7] [8] [9], finance [2], and gaming [1] [2] [12], since its emergence in 2022 [2]. Notable past attacks include those on casino operators Caesars Entertainment and MGM Resorts International [2], where significant ransoms were demanded [2]. Law enforcement in the US [12], UK [2] [3] [5] [6] [7] [8] [12], and Spain has intensified efforts against Scattered Spider [12], resulting in several arrests over the past two years [12]. Despite this pressure [12], the group continues to execute high-impact attacks [12], primarily against large businesses and cloud-hosted infrastructure [12]. The cybersecurity firm Silent Push had previously warned that Scattered Spider was actively targeting major companies [7], underlining that the threat to organizations is ongoing [7].
The extent of the data compromise in the M&S attack remains unclear [8], but M&S is legally obliged to report any personal data breach to the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018 [8]. The incident highlights the need for enterprises to strengthen their defenses against ransomware operators of this kind [9], in particular by redesigning their Active Directory infrastructure and improving incident response planning [9]. M&S has brought in cybersecurity experts from CrowdStrike [7], Microsoft [3] [4] [7] [12], and Fenix24 [3] [4] [7] [12], as well as GCHQ's National Cyber Security Centre, the Metropolitan Police [10], and the National Crime Agency, to investigate and respond to the incident; shortages were expected to continue for another week because of the attack's impact.
Conclusion
The attack on M&S by Scattered Spider underscores the need for robust cybersecurity measures, particularly in safeguarding Active Directory and in incident response planning. The financial and operational impact of such a breach is profound, as M&S's loss of market valuation and its extended operational disruption show. Organizations must prioritize cyber resilience to mitigate the risk posed by groups like Scattered Spider, whose entry point is often a person rather than a software flaw. The collaboration between M&S, external cybersecurity experts, and law enforcement highlights the importance of a coordinated response to such incidents.
References
[1] https://www.lbc.co.uk/news/explained/marks-and-spencer-cyber-attack-scattered-spider/
[2] https://news.sky.com/story/who-are-scattered-spider-how-the-notorious-hackers-linked-to-mands-cyber-attack-work-13358559
[3] https://www.newsbytesapp.com/news/science/marks-spencer-cyberattack-linked-to-scattered-spider-ransomware-group/story
[4] https://www.techradar.com/pro/security/marks-and-spencer-outage-allegedly-linked-to-scatteredspider-ransomware-attack
[5] https://hackread.com/scattered-spider-suspected-in-major-ms-cyberattack/
[6] https://stories.jobaaj.com/news-updates/tech/m-s-cyberattack-by-scattered-spider-what-really-happened
[7] https://www.siliconrepublic.com/enterprise/mands-woes-continue-as-scattered-spider-ransomware-suspected-cyber-attack
[8] https://www.cybersecurityintelligence.com/blog/scattered-spider-hacking-group-is-behind-the-attack-on-mands-8392.html
[9] https://www.pcquest.com/security-products/ms-malware-attack-explained-step-by-step-how-the-hackers-broke-everything-9016904
[10] https://www.techdigest.tv/2025/04/metropolitan-police-called-in-to-investigate-ms-scattered-spider-cyber-attack.html
[11] https://www.computing.co.uk/news/2025/security/m-s-cyberattack-linked-to-scattered-spider
[12] https://dailysecurityreview.com/security-spotlight/marks-spencer-cyberattack-tied-to-scattered-spider-ransomware-group/