Marks & Spencer breach linked to Scattered Spider ransomware attack
Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by threat actors known as Scattered Spider, BleepingComputer
has learned from multiple sources.

Marks & Spencer (M&S) is a British multinational retailer that employs 64,000 employees and sells various products, including clothing, food, and home goods, in over 1,400 stores worldwide.

Last Tuesday, M&S confirmed it suffered a cyberattack that caused widespread disruption, including to its contactless payment system and online ordering. Today, Sky News reported that the disruption continues, with around 200 warehouse workers told to stay home as the company responds to the attack.

BleepingComputer has now learned that the ongoing outages are caused by a ransomware attack that encrypted the company's servers.

The threat actors are believed to have first breached M&S as early as February, when they reportedly stole the Windows domain's NTDS.dit file.

An NTDS.dit file is the main database for Active Directory Services running on a Windows domain controller. This file contains the password hashes for Windows accounts, which can be extracted by threat actors and cracked offline to gain access to associated plaintext passwords.

Using these credentials, a threat actor can then laterally spread throughout the Windows domain while stealing data from network devices and servers.

Sources told BleepingComputer that the threat actors ultimately deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines.

BleepingComputer has learned that Marks and Spencer asked for help from CrowdStrike, Microsoft, and Fenix24 to investigate and respond to the attack.

The investigation so far indicates that hackers associated with tactics known as Scattered Spider, or as Microsoft calls them, Octo Tempest, are behind the attack.

When contacted with this information, M&S said that they could not go into details about the cyber incident.

Do you have information about this or another cyberattack? If you want to share the information, you can contact us securely and confidentially on Signal at LawrenceA.11, via email at lawrence.abrams@bleepingcomputer.com, or
by using our tips form.

Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a classification of threat actors that are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations.

These threat actors include young English-speaking people (as young as 16) with diverse skill sets who frequent the same hacker forums, Telegram channels, and Discord servers. These mediums are then used to plan and conduct attacks in real time.

Some are believed to be part of the "Com", a loose-knit community involved in violent acts and cyber incidents that have gained wide media attention.

While the media and researchers commonly refer to Scattered Spider as a cohesive gang, the name is actually used to denote threat actors who utilize certain tactics when conducting attacks. As attacks associated with Scattered Spider tactics are commonly conducted by different individuals from a loose network of threat actors, it is difficult to track them.

The threat actors initially started in financial fraud and social media hacks but later advanced to extremely sophisticated social engineering attacks to steal cryptocurrency from individuals or breach corporations in extortion attacks.

Scattered Spider escalated its attacks in September 2023, when they breached MGM Resorts utilizing a social engineering attack, impersonating an employee when calling the company's IT help desk. In this attack, the threat actors deployed the BlackCat ransomware to encrypt more than 100 VMware ESXi hypervisors.

This was a pivotal moment in the ransomware landscape, as it was the first known indication that English-speaking threat actors were working with Russian-speaking ransomware gangs.

Since then, threat actors classified as Scattered Spider have been known to act as affiliates for various ransomware operations, including RansomHub, Qilin, and now
DragonForce.

DragonForce is a ransomware operation that launched in December 2023 and has recently begun promoting a new service where they allow cybercrime teams to white-label their services.

Researchers commonly associate attacks with Scattered Spider based on specific indicators of compromise, including credential-stealing phishing attacks targeting SSO platforms, SIM swaps, social engineering attacks impersonating the IT help desk, and other tactics.

Cybersecurity firm Silent Push released a report earlier this month outlining Scattered Spider's most recent phishing attacks.

Over the past two years, law enforcement has been increasingly targeting these threat actors, arresting people in the US, the United Kingdom, and Spain.

Update 4/29/25: Updated story to make it clearer that Scattered Spider is not a specific group of individuals.