Scattered Spider Suspected in Major M&S Cyberattack

The cyberattack on Marks & Spencer (M&S) is linked to the notorious Scattered Spider group. Explore the severe impact of the incident on M&S, including contactless payment failures, online delivery delays, and significant stock shortages in physical locations.

The recent cyber-attack that significantly disrupted operations at the British retailer Marks & Spencer (M&S) has now been linked to a notorious hacking collective known as Scattered Spider, the same group implicated in the high-profile 2023 attack on MGM Resorts.

As per Hackread.com’s initial report on April 23, 2025, the attack resulted in the shutdown of contactless payment systems and the Click and Collect order service, along with delays in online deliveries, frustrating customers who could not use these crucial services. The report also noted that M&S had paused online orders and that cyber security experts believed the symptoms were consistent with a ransomware attack, in which data is encrypted and a ransom is demanded for its release.

The latest updates reveal astonishing details. Reportedly, the hackers’ initial access to M&S’s systems may have occurred much earlier, in February, when they allegedly stole the NTDS.dit file from the Windows domain. This file is a crucial database containing all the user accounts and passwords for a Windows network managed by Active Directory Services. Obtaining and cracking this file would have provided the attackers with a list of plain-text passwords, enabling them to move laterally across the M&S network and gain control over more systems.

Following this initial access, the investigation reveals that the attackers deployed the DragonForce encryptor against M&S’s virtual machines running on VMware ESXi hosts, with the main attack being launched on April 24th. Investigators have now pointed towards Scattered Spider as the responsible group.

The incident has had a significant impact, extending beyond crippling online services. The company has admitted to “pockets of limited availability” in its physical stores, with customers reporting empty shelves nationwide, suggesting disruptions to the supply chain. Moreover, online purchases have been paused, and gift card transactions are still affected.

The financial impact is significant: around £650 million has reportedly been wiped off M&S’s stock market valuation, and estimated daily losses from the online sales suspension could be around £3.5 million.

The retailer has been tight-lipped about the specifics of the cyber-attack and the timeline for full recovery, stating that taking systems offline was a proactive measure that led to the current shortages and that it is working to restore normalcy. However, in-store staff anticipate disruptions could last another week.

As per Hackread.com’s assessment of Scattered Spider, it is a unique hacking group that doesn’t operate as a cohesive unit but as a collection of individuals whose membership varies with each attack, making the group hard to track. They are known for using advanced social engineering and BlackCat ransomware.

Many members are believed to be native English speakers from Western Europe and the USA. Although some members were arrested in the USA and UK, Scattered Spider remains active and dangerous, as shown by their alleged involvement in the M&S cyber-attack, highlighting their continued ability to disrupt major organizations.

HackRead
