
Thought Leadership
June 3, 2025
June 4, 2025

Decoding the May Retail Cyber Onslaught: Inside the World of Ransomware Cartels and Social Engineering

Contributor: Vice President of Cyber, Immersive

The world of retail was recently shaken by a series of sophisticated cyber attacks targeting major UK brands. In a compelling cyber fluency call, Max Vetter, fresh from discussing the incidents on Sky News, peeled back the layers of these attacks, offering a sobering look into the evolving tactics of cybercriminals. This deep dive explored the attacks on giants like Marks & Spencer, Co-op, and Harrods, revealing the intricate workings of ransomware groups and the critical human element they exploit.

The Targets: Household Names Under Siege

The attacks struck at the heart of British retail, impacting organizations that are not just businesses but institutions:

  • Marks & Spencer (M&S): A quintessential British retailer, the 9th largest supermarket chain in the UK with approximately £13 billion in revenue and 64,000 employees. As Max put it, "You think of M&S, you think of the UK... it's in our DNA."
  • Co-op: The 7th largest supermarket, notably a cooperative owned by its members. Beyond groceries, Co-op runs legal and funeral services and, critically, holds personal data on millions of members because of that cooperative structure.
  • Harrods: The iconic luxury department store, a smaller entity compared to the others but a globally recognized brand, also fell victim to the same attack vectors.

A Timeline of Disruption

The cyber offensive unfolded with alarming speed:

  • April 19th: The first signs of trouble emerged at M&S with issues affecting contactless payments.
  • April 21st (Easter Monday): M&S acknowledged a "cyber incident." Initially downplayed, the situation escalated.
  • Subsequent Days: M&S was forced to suspend all online transactions, and its share price took a significant hit. The group Scattered Spider was identified as being involved.
  • Next, Co-op: The cooperative was impacted, leading to the shutdown of some IT systems.
  • May 1st: The situation at Co-op intensified. Staff were reportedly told to turn off VPNs and enable cameras in meetings due to fears that cybercriminals might be impersonating colleagues internally. Communications were allegedly being monitored. On the same day, Harrods also began shutting down systems.
  • NCSC Involvement: The UK's National Cyber Security Centre (NCSC) stepped in to provide assistance, though public statements remained somewhat vague, reiterating the severity of cyber attacks and advising against paying ransoms – advice Max noted isn't always straightforward for businesses under immense pressure.

The Perpetrators: A Two-Tiered Threat

Max shed light on the sophisticated structure of the attackers:

  1. DragonForce – The "Ransomware Cartel": This group operates a "Ransomware-as-a-Service (RaaS)" model, but with a twist. In February, they launched what they termed a "Ransomware Cartel." This service goes beyond just providing malware; they offer administration, infrastructure, 24/7 monitored servers, and even allow affiliates to white-label their brand. Typically, RaaS providers take a 20% cut of any ransom paid, though it's unclear if DragonForce charges more for their premium services.
    In a bold move, DragonForce directly contacted the BBC, providing them with Co-op customer data (allegedly 20 million records) to counter Co-op's initial claims that no customer data had been breached. This maneuver highlights a disturbing trend of attackers managing their own PR and directly challenging victims' narratives.
  2. Scattered Spider – The Affiliates & Social Engineers: This "loose group of individuals" are the affiliates who deploy the malware supplied by groups like DragonForce. Scattered Spider specializes in social engineering, in MITRE ATT&CK terms phishing (T1566), and specifically its telephone variant, spearphishing voice (T1566.004). In these attacks they impersonated IT administrators, phoning employees of M&S, Co-op, and Harrods; being English-speaking gave them a crucial advantage in targeting UK companies. The aim was to talk employees into resetting passwords or visiting cloned login pages that capture both the credentials and the one-time code typed into them, which is how the attackers got past two-factor authentication and gained network access. Once inside, they remained for some time, exfiltrating data before deploying the ransomware. Notably, several individuals linked to Scattered Spider were charged in the US and UK in November 2024, with one extradited from the UK to the US.
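
The tradecraft described above leaves a recognisable trace in identity-provider audit logs: a password or MFA-factor reset, whether performed by a help desk on the caller's behalf or by the user after being steered to a cloned page, followed shortly by a successful sign-in from an IP address that account has never used. The script below is an added example written for this summary, not code from the call or from Immersive, showing one way to hunt for that sequence. The audit-log format, the event names in RESET_EVENTS and login_success, the user names and the IP addresses are all constructed for the example; a real IdP emits its own event names, which you would map onto these.

```python
"""
Hunt for credential/MFA resets followed by a sign-in from a never-before-seen IP.

Added example. The log format and every value in SAMPLE_LOG are constructed;
they are not taken from any vendor product or from the incidents discussed.
Fields per line: timestamp | event | actor | target_user | source_ip
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit trail (not real data).
# alice: help-desk reset, then login from a new IP            -> alert
# bob:   help-desk reset, then login from her usual IP        -> no alert
# carol: self-service reset, then login from the same new IP  -> alert
SAMPLE_LOG = """\
2025-04-17T09:01:12Z login_success alice alice 203.0.113.10
2025-04-17T09:03:40Z login_success bob bob 203.0.113.11
2025-04-17T09:05:00Z login_success carol carol 203.0.113.12
2025-04-18T14:20:05Z password_reset helpdesk.tom alice 198.51.100.7
2025-04-18T14:21:30Z mfa_factor_reset helpdesk.tom alice 198.51.100.7
2025-04-18T14:35:02Z login_success alice alice 192.0.2.55
2025-04-18T16:00:00Z password_reset helpdesk.tom bob 198.51.100.7
2025-04-18T16:10:00Z login_success bob bob 203.0.113.11
2025-04-19T10:00:00Z password_reset carol carol 192.0.2.99
2025-04-19T10:02:00Z login_success carol carol 192.0.2.99
"""

# Hypothetical event names; map your IdP's real ones onto these.
RESET_EVENTS = {"password_reset", "mfa_factor_reset"}
WINDOW = timedelta(hours=2)  # a login this soon after a reset is worth a look


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse whitespace-separated audit lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, actor, target, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "actor": actor,    # who performed the action (user or help desk)
            "target": target,  # the account acted upon
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """
    Return one alert per account whose most recent reset was followed, within
    WINDOW, by a successful login from an IP never seen for that account before.
    Known IPs are learned only from logins that precede the reset, so the
    post-reset login cannot whitelist itself.
    """
    known_ips = defaultdict(set)  # user -> IPs seen on earlier successful logins
    pending = {}                  # user -> (reset time, actor) awaiting a login
    alerts = []
    for e in events:
        user = e["target"]
        if e["event"] in RESET_EVENTS:
            pending[user] = (e["ts"], e["actor"])  # most recent reset wins
        elif e["event"] == "login_success":
            if user in pending:
                reset_ts, reset_by = pending.pop(user)
                if e["ts"] - reset_ts <= WINDOW and e["ip"] not in known_ips[user]:
                    alerts.append({
                        "user": user,
                        "reset_by": reset_by,
                        "reset_at": reset_ts.isoformat(),
                        "login_at": e["ts"].isoformat(),
                        "login_ip": e["ip"],
                    })
            known_ips[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(alert)
```

The output is a triage list, not a verdict: a genuine user who resets a password on a new laptop from a hotel will match too. The point is that a help-desk reset by itself is normal and a new-IP login by itself is normal, while the two in quick succession is exactly what a vished reset looks like, so that pairing is what deserves a phone call back to the employee on a known number.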

The Impact: Beyond Financial Loss

The repercussions of these attacks were far-reaching:

  • M&S: Faced an estimated £30 million per week in lost profit, and roughly £1 billion (about 12%) was wiped from its market value.
  • Co-op: Suffered a breach of approximately 20 million customer usernames and passwords (or password hashes), leading to significant reputational damage and intense public scrutiny, especially after DragonForce's direct communication with the media.
  • Harrods: The store said its "seasoned IT security team immediately took proactive steps", but, as Max pointed out, simply restricting internet access is no silver bullet once attackers with persistence are already embedded in the network.

Max did commend M&S for aspects of its communication, noting they "kept calm, they did reassure customers...there wasn't any corporate spin, and they didn't give too much information either," which is crucial during an active investigation.

A Glimpse into the Underbelly: Ransomware.live

Max then gave a live demonstration of ransomware.live, a website (not a "dodgy" one, he assured the audience) that aggregates what ransomware groups post about themselves and their victims. The figures it showed were stark: roughly 3,000 victims this year alone, 193 in the current month (May 2025).

He highlighted a fascinating, redacted negotiation chat from the site involving (presumably) DragonForce:

  • Initial Demand: The attackers demanded $4 million.
  • Victim's Plea: The victim, represented by an incident response negotiator, claimed they could only afford $50,000 and had even filed for bankruptcy, pointing the attackers to their public financials.
  • Negotiation: The ransom was eventually negotiated down to $100,000.
  • The "Service": Beyond a decryptor and deletion of the stolen data, the attackers offered a report detailing how they had breached the victim's systems. This report included astoundingly basic security advice:
    • Employees shouldn't open suspicious emails.
    • Use strong passwords.
    • Employ two-factor authentication.
    • Use the latest operating systems.
    • Update software versions.

The victim, wary of re-entry, pressed for details of the specific VPN account used. The attackers claimed no longer to have that information, reassuring the victim that changing all VPN credentials would suffice. "It's very strange that they're offering all this cybersecurity advice to the victim after they've been a victim of that," Max mused.

This "professionalism" extends to "triple extortion":

  1. Ransoming the encrypted systems (payment for a decryptor).
  2. Ransoming the stolen data (payment to stop it being leaked).
  3. Ransoming data relating to third parties and customers, threatening to sell or expose it unless a further ransom is paid.

Key Questions & Learnings

The Q&A session raised important points:

  • Cyber Insurance: While insurers have tried to invoke "act of war" clauses to avoid payouts for state-sponsored attacks, social engineering incidents are generally covered unless the policy carries specific exclusions. However, policy wording and exclusions are constantly evolving.
  • GDPR & ICO Fines: The Information Commissioner's Office (ICO) in the UK is undoubtedly watching. M&S notified the incident within the mandatory 72-hour window, which should head off any penalty for late reporting. However, the sheer scale of the Co-op data breach (20 million records) could attract severe penalties: under UK GDPR the higher maximum is £17.5 million or 4% of global annual turnover, whichever is greater. The fact that the attackers proved the breach to the BBC strengthens the ICO's case. Companies can earn "discounts" on fines by cooperating with the regulator and demonstrating proactive remediation.
  • Data Corruption: It's currently unknown if data was corrupted in these specific incidents. Often, leaked data from such breaches becomes publicly available on dark web sites.

Moving Forward: Vigilance and Preparation

Max concluded by relating these real-world incidents to the importance of crisis simulations and training for IT professionals – the very people impersonated in these attacks.

The key takeaway is stark: cybercriminals are increasingly sophisticated, organized, and brazen. They exploit not just technical vulnerabilities but also human trust through social engineering. For businesses, the lessons are clear: robust technical defenses must be coupled with continuous employee training, well-rehearsed incident response plans, and a clear understanding of the evolving threat landscape. As Max emphasized, while law enforcement advises against paying ransoms, the reality for businesses fighting for survival is often more complex. The fight against these "professional" adversaries requires unwavering vigilance and proactive defense.
