IT Brief UK - Technology news for CIOs & IT decision-makers
Scattered Spider & DragonForce target UK retail in new attacks

Today

Recent cyber attacks on UK retailers have been linked to methods typically attributed to the group known as Scattered Spider and the deployment of DragonForce ransomware, according to insights from a threat intelligence specialist.

Hannah Baumgaertner, Head of Research at Silobreaker, commented on the tactics seen in recent attacks and provided an overview of the threat landscape facing UK retailers.

"The recent attacks on UK retailers involved tactics typically associated with Scattered Spider activity, a loose network of English-speaking cybercriminals that have been responsible for several major data breaches, perhaps most notably against MGM Resorts in 2023," said Baumgaertner.

In a recent incident involving Marks & Spencer, Baumgaertner described how social engineering techniques were deployed to facilitate unauthorised access. "In the case of M&S, for example, the actors used social engineering to reset an employee's password, which was then used to breach the network and steal the Windows domain's NTDS.dit file containing password hashes for Windows accounts. The attackers then also moved on to encrypt VMware ESXi virtual machines," she explained.

"While Scattered Spider tactics have involved various ransomware strains, the recent attacks appear to have favoured the use of DragonForce ransomware, whose operators only recently announced an updated affiliate model. The latest model does not require affiliates to deploy its ransomware and includes features such as administration and client panels, encryption and ransomware negotiation tools, and more," she stated.

According to Baumgaertner, DragonForce ransomware's new affiliate programme has allowed greater flexibility in its deployment. "DragonForce has been advertising its offering since at least early 2024, though has been actively targeting organisations since 2023, with its ransomware strain initially based off the leaked LockBit builder, before updating it with Conti-based code," Baumgaertner added.

The combination of social engineering, credential theft, and ransomware deployment signals a sophisticated approach targeting both individual credentials and core IT infrastructure within retail organisations.

Threat researchers and retail industry stakeholders continue to monitor the progress of both Scattered Spider and DragonForce operations, amid ongoing efforts to strengthen defences against cyber attacks targeting the retail sector in the United Kingdom.
