Publish date: 01.05.25

You will have seen in the news that, within the last few days, M&S has become the latest high-profile victim of a coordinated ransomware campaign, an attack that didn’t just cripple systems but exposed critical weaknesses in third-party integrations and internal infrastructure. The attack has wiped millions off its market value and sent a resounding wake-up call to businesses across the UK.

The incident marks a significant escalation in the targeting of retail businesses, supply chains and corporate networks, and has spotlighted an ever-evolving threat: ransomware. As the digital arms race escalates with the introduction of AI threats, ransomware protection has shifted from a technical concern to a business imperative.

The Attack: What Happened?

While full details of the M&S cyber attack are still emerging, early reports suggest that a sophisticated hacker collective called Scattered Spider exploited vulnerabilities in third-party systems and internal infrastructure. Also called UNC3944, Octo Tempest or Muddled Libra, Scattered Spider is reportedly known for employing advanced social engineering tactics, including phishing and multi-factor authentication (MFA) fatigue attacks, to infiltrate large organisations.

According to tech news outlet BleepingComputer, the group was suspected of breaching M&S systems as early as February 2025, allegedly stealing the Windows domain’s NTDS.dit file—a sensitive database containing user credentials. They are also believed to have used ransomware to encrypt parts of M&S’s infrastructure.

BleepingComputer reported that DragonForce ransomware was deployed to VMware ESXi hosts on April 24 to encrypt virtual machines. The group reportedly gained access to M&S systems and remained undetected for weeks.

The breach has led to severe service and operational disruptions, and to the potential compromise of sensitive customer and employee data. Although M&S has acted swiftly to contain and limit the damage, the ongoing fallout illustrates just how destructive and costly ransomware attacks can be, not only financially but also in terms of long-term brand trust and regulatory consequences.

Why Ransomware Is a Top Threat

Ransomware involves malicious software that encrypts a victim’s data, effectively locking users out of their own systems. Attackers then demand payment—often in cryptocurrency—in exchange for restoring access. In some cases, they also threaten to leak stolen data publicly, adding a second layer of extortion.

This threat has grown in scale and sophistication in recent years. No longer confined to lone hackers, today’s ransomware is often the work of highly organised groups operating like businesses, complete with customer support lines and profit-sharing models.

Retailers are especially vulnerable. They manage massive amounts of personal data, rely on real-time logistics, and depend on interconnected IT systems—making them prime targets for disruption.

The Cost of Complacency

The immediate costs of ransomware include downtime, lost revenue, legal fees, and the potential ransom payments themselves. But the long-term consequences can be even more damaging. Customer trust erodes quickly when personal data is compromised and services remain unavailable. Regulatory penalties under laws like GDPR can be severe. And reputational harm can impact stock prices, market value and brand loyalty for years.

The attack on M&S makes it clear that even the most established household names in the UK are not immune. In fact, their prominence may make them more attractive targets.

Key steps you can take today to strengthen ransomware protection

1. Invest in Cyber Hygiene
Ensure all systems are regularly updated, and patch known vulnerabilities swiftly. Many ransomware attacks exploit unpatched software.

2. Employee Training
Human error remains a top attack vector. Regular training on phishing and suspicious behaviour can dramatically reduce risk.

3. Backup and Recovery Plans
Regularly back up data—ideally with off-site and offline copies—and test restoration processes. A robust backup can eliminate the need to pay a ransom.

4. Zero Trust as Standard
Limit access across networks and enforce strict authentication protocols. Assume that internal systems can be breached and segment networks accordingly.

5. Incident Response Plans
Have a clear, tested plan in place for responding to cyber attacks. The first hours of a breach are critical in limiting its impact.

6. Third-Party Risk Management
Many attacks originate through external vendors or partners. Audit and secure all points of integration.

Assume Breach, Engineer for Resilience with Xeretec

The M&S incident should not be viewed as an anomaly—it’s a preview of ransomware campaigns to come. Defending against them requires a strategic partnership that combines advanced tooling with proven deployment expertise.

Ransomware gangs continue to evolve in both sophistication and scale, and business defences must evolve faster. Cybersecurity is no longer just about securing endpoints; it’s about securing trust, continuity, and the very architecture of modern business.

Contact us today for a ransomware readiness assessment and see how our solutions can integrate seamlessly into your existing cyber infrastructure.

We can help deliver end-to-end ransomware protection, including:

  • Real-time threat detection and response,
  • Immutable backup and disaster recovery,
  • Email and endpoint security with AI-driven threat intelligence,
  • Zero-trust access controls and secure SD-WAN for remote sites.

Let us help you harden your environment before attackers find the gaps. Get in touch now.