Scattered Spider Hacking Group Tied to Marks & Spencer Cyberattack

The hacking collective identified as Scattered Spider has been connected to a significant cyberattack that has severely impacted Marks & Spencer.

A report from BleepingComputer, a technology news outlet, indicates that the group executed a ransomware assault on the grocery retailer’s IT infrastructure. Sources within the industry have noted that criminal organizations often demand ransoms reaching up to £10 million to restore system access.

This unverified report states that the group, reportedly composed of teenagers and young adults based in the US and UK, initially breached the FTSE 250 retailer’s systems back in February.

Marks & Spencer has disclosed no timeline for resolving the ongoing issues, which are believed to affect operations at all 1,049 of its UK locations. Following the revelation of the incident last week, the company’s stock has seen a nearly 7% decline.

According to BleepingComputer, Marks & Spencer is collaborating with CrowdStrike, Microsoft, and Fenix24 to investigate and mitigate the effects of the attack, particularly concerning disruptions in payments and order processing.

The hackers allegedly extracted the NTDS.dit file from Marks & Spencer’s Windows domain in February. This critical file serves as the central database for Windows Active Directory, storing domain information including user accounts, passwords, and security credentials. If compromised, it provides malicious actors with the means to extract sensitive credentials and jeopardize the entire network.
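Because an unexpected read or copy of NTDS.dit is such a strong signal, defenders typically alert on it; the following added example (written for this page, not code from the article or from any of the firms named) scans Windows Security event records for exactly that. It assumes events are supplied as dicts carrying the usual 4663 (object access) and 4688 (process creation) fields, and the sample records are constructed for illustration.

```python
import re

# Added example, not from the article. Flags NTDS.dit access by anything other than
# the directory service and launches of the tooling that can take an offline copy.

# ObjectName of a 4663 event ending in "\ntds.dit" (case-insensitive).
NTDS_PATH = re.compile(r"\\ntds\.dit$", re.IGNORECASE)

# On a domain controller only lsass.exe (which hosts the directory service)
# should hold NTDS.dit open; any other process reading it warrants a look.
EXPECTED_ACCESSORS = {r"c:\windows\system32\lsass.exe"}

# Legitimate for backups, but unexpected launches are the usual route to an
# offline copy of the database.
WATCHED_BINARIES = {"ntdsutil.exe", "vssadmin.exe", "diskshadow.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 4663:  # object access attempt on the database file
        if NTDS_PATH.search(event.get("ObjectName", "")):
            proc = event.get("ProcessName", "").lower()
            if proc not in EXPECTED_ACCESSORS:
                return f"NTDS.dit read by unexpected process {proc} as {event.get('SubjectUserName')}"
    elif eid == 4688:  # process creation
        proc = _basename(event.get("NewProcessName", ""))
        cmd = event.get("CommandLine", "")
        if proc in WATCHED_BINARIES or "ntds.dit" in cmd.lower():
            return f"{proc} started by {event.get('SubjectUserName')}: {cmd}"
    return None

def scan(events):
    """Run classify over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample records (not real telemetry from any incident).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\lsass.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "SubjectUserName": "jsmith"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe ifm", "SubjectUserName": "svc-backup"},
    {"EventID": 4663, "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Temp\copy.exe", "SubjectUserName": "contractor1"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Running it reports the ntdsutil launch and the read by copy.exe while ignoring lsass.exe and notepad.exe; in practice the allow-list would be extended with the organisation's sanctioned backup process.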

Sources informed BleepingComputer that the group used the “DragonForce” ransomware encryptor to lock files, rendering systems and data inaccessible until a ransom is settled, typically demanded in cryptocurrency in exchange for a decryption key.

It’s currently uncertain if Marks & Spencer is being held for ransom, but insiders indicated that any potential demand could be around £10 million. This is reportedly a common ransom target for well-known brands like Marks & Spencer.

Experts highlight that paying a ransom can present both immediate and ongoing complications for businesses. While it may facilitate a swift return to normal operations and safeguard customer information, there are substantial risks of encouraging criminal behavior and marking the organization as a repeat target, and payment does not guarantee a successful decryption.

Law enforcement generally advises against meeting ransom demands, arguing that it supports the expanding ransomware market and erodes collective cybersecurity initiatives.

Marks & Spencer has reportedly instructed around 200 agency employees at its primary distribution hub to remain at home while pausing online orders, according to Sky News. These agency workers constitute approximately 20% of the workforce at the Castle Donington logistics center.

As of last Friday, Marks & Spencer suspended online orders, with customers using click-and-collect services advised to wait for notifications before heading to stores.

The retailer, which employs around 65,000 people, has temporarily restricted remote access to certain internal IT systems for staff.

While employees can still work remotely, access to critical internal systems has been limited as part of the incident response, sources reported.

Marks & Spencer is taking precautionary steps to protect its network and has reported the incident to relevant data protection authorities and the National Cyber Security Centre.

This cyber event poses a setback for Marks & Spencer, which has recently shown positive results from its turnaround strategy under CEO Stuart Machin, achieving growth in sales and pre-tax profits.

Marks & Spencer has chosen not to comment on the matter.

Insights into Scattered Spider

The group known as Scattered Spider, linked to the Marks & Spencer cyber incident, is a collective of hackers operating in the US and UK.

Active since at least May 2022, Scattered Spider, also referred to by names such as “Scatter Swine” and “Muddled Libra,” has been involved in various high-profile attacks against major corporations.

In September 2023, members of this group infiltrated the networks of casino giants Caesars Entertainment and MGM Resorts International, demanding substantial ransom payments. Caesars reportedly paid approximately $15 million to regain control of its systems.

Following this incident, Moody’s highlighted potential credit rating repercussions for MGM Resorts.

CEO Bill Hornbuckle disclosed that for nearly a week post-attack, MGM Resorts was largely uninformed about critical aspects of its operations.

Scattered Spider has employed multiple social engineering tactics to breach company systems, including “SIM swapping,” in which they convince mobile carriers to transfer a target’s number to a SIM card they control, thereby bypassing multi-factor authentication.

Members of this hacking syndicate have also been noted impersonating IT staff of a targeted organization to manipulate employees into granting access.

Upon gaining entry, the group typically deploys ransomware and threatens to leak internal data unless a significant ransom, normally paid in cryptocurrency, is remitted.

Toby Lewis, head of threat analysis at Darktrace, describes Scattered Spider as a collection of associates in the US and UK, akin to an online community.

Lewis contrasts their approach with other hacker groups, emphasizing Scattered Spider’s tendency to specifically target known brands, allowing for more meticulous planning of their attacks.

Last November, the US government brought criminal charges against five individuals purportedly linked to the group, who targeted at least 12 companies across sectors like gaming, telecommunications, and cryptocurrency, according to American authorities.

Four of those charged were from the US, while one was based in Scotland.
