The Big Picture

In April 2025, UK retailers Marks & Spencer (M&S), Harrods, and Co-op were hit by a major ransomware attack, reportedly carried out by DragonForce, a ransomware-as-a-service (RaaS) group. The attack disrupted operations, caused financial losses, and exposed sensitive customer data—a wake-up call for businesses everywhere. Is it time to think about more regulation for retailers?

How the Hackers Pulled It Off

Breaking In

  • Hackers stole hashed credentials from Windows Active Directory (the NTDS.dit file) and cracked them offline months before the disruption, which then played out over a few weeks.
  • Phishing & MFA fatigue attacks tricked employees into handing over access.
    • SIM swapping helped bypass multi-factor authentication (MFA).

Spreading Through the System

  • Mimikatz was used to extract plaintext passwords.
  • Advanced IP Scanner mapped out networks to find high-value targets.
  • Security monitoring tools were disabled to avoid detection.

Deploying the Ransomware

  • DragonForce ransomware was executed on VMware ESXi servers, encrypting virtual machines.
  • M&S lost £700 million in market value, supply chains stalled, and online orders were halted.
  • Harrods restricted internet access, while Co-op shut down IT systems, affecting customer data and operations.

Holding Data Hostage

  • 20 million Co-op customer records were stolen, including credentials and payment data.

  • Hackers threatened to leak sensitive data unless ransom demands were met.

Cybersecurity Callouts & UK National Security Response

  • Zero-trust architecture: Stop hackers from moving freely inside networks.

  • AI-driven cybersecurity: Keep up with evolving ransomware tactics.

  • Continuous monitoring & MFA enforcement: Spot threats before they escalate.

  • Employee training: Prevent phishing and social engineering attacks.

  • Board-level cybersecurity investment: Treat digital infrastructure like critical infrastructure.
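The "continuous monitoring" callout above is only useful if the telemetry is actually watched for the steps described in this attack chain: NTDS.dit extraction, Mimikatz, network scanning, and security tooling being switched off. The following is an added illustration, not code from the original article or from any of the retailers involved: a small detection pass over constructed Windows process-creation records (Event ID 4688 style; host names, users and paths are all made up) that flags each stage and escalates hosts where credential theft coincides with defence evasion or happens on a domain controller.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Event ID 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "user": "svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit"},
    {"host": "WS042", "user": "jsmith", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS042", "user": "jsmith", "image": r"C:\Users\jsmith\Downloads\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "WS042", "user": "jsmith", "image": r"C:\Users\jsmith\Downloads\Advanced_IP_Scanner.exe",
     "cmdline": "Advanced_IP_Scanner.exe"},
    {"host": "WS007", "user": "alee", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Each rule: name, MITRE ATT&CK technique id, regex applied to image + command line.
RULES = [
    ("ntds_dit_access", "T1003.003", re.compile(r"ntds\.dit", re.I)),
    ("shadow_copy_on_dc", "T1003.003", re.compile(r"vssadmin\.exe create shadow", re.I)),
    ("mimikatz_execution", "T1003.001", re.compile(r"mimikatz|sekurlsa", re.I)),
    ("network_scanner", "T1046", re.compile(r"advanced_ip_scanner", re.I)),
    ("defender_disabled", "T1562.001", re.compile(r"DisableRealtimeMonitoring|DisableAntiSpyware", re.I)),
]
CRED_RULES = {"ntds_dit_access", "shadow_copy_on_dc", "mimikatz_execution"}

def is_domain_controller(host):
    # Assumption for this constructed data set: domain controllers are named DC*.
    return host.upper().startswith("DC")

def match_events(events):
    """Return one (rule, technique, host, user) tuple per rule hit."""
    hits = []
    for ev in events:
        haystack = ev["image"] + " " + ev["cmdline"]
        for name, technique, rx in RULES:
            # Shadow-copy creation is routine on backup hosts; only alert on it for domain controllers.
            if name == "shadow_copy_on_dc" and not is_domain_controller(ev["host"]):
                continue
            if rx.search(haystack):
                hits.append((name, technique, ev["host"], ev["user"]))
    return hits

def prioritise(hits):
    """'high' when credential theft hits a DC or coincides with monitoring being disabled; else 'medium'."""
    by_host = defaultdict(set)
    for name, _, host, _ in hits:
        by_host[host].add(name)
    return {h: ("high" if r & CRED_RULES and (is_domain_controller(h) or "defender_disabled" in r) else "medium")
            for h, r in by_host.items()}

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for hit in found:
        print("ALERT", *hit)
    print(prioritise(found))
```

In a real deployment the same rules would run over SIEM-ingested 4688 or Sysmon process events, and the escalation step is where an analyst should be paged rather than left to read a queue.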

What This Means for Big Business

  • Supplier Risk Management Needs to Be a Priority

    • Third-party vendors (e.g., payment processors, logistics firms) are often the weakest link.

    • Businesses must audit external partners, enforce contractual security requirements, and monitor supplier networks in real time.

  • Internal Security Must Match External Threats

    • Cyberattacks are inevitable, not just a possibility.
    • Endpoint security, threat intelligence, and rapid response planning must be built into corporate risk frameworks.

Further Reading & Expert Insights