{
	"id": "9ef06111-40bf-4078-98c0-5245fc9f7de4",
	"created_at": "2026-04-06T00:17:23.453085Z",
	"updated_at": "2026-04-10T03:31:49.85794Z",
	"deleted_at": null,
	"sha1_hash": "26a46f23ff3d8f7e333cd255812a6c22a9380616",
	"title": "Marks \u0026 Spencer breach linked to Scattered Spider ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3580705,
	"plain_text": "Marks \u0026 Spencer breach linked to Scattered Spider ransomware attack\r\nBy Lawrence Abrams\r\nPublished: 2025-04-28 · Archived: 2026-04-05 23:09:42 UTC\r\nOngoing outages at British retail giant Marks \u0026 Spencer are caused by a ransomware attack believed to be conducted by threat actors known as \"Scattered Spider\", BleepingComputer has learned from multiple sources.\r\nMarks \u0026 Spencer (M\u0026S) is a British multinational retailer that employs 64,000 people and sells various products, including clothing, food, and home goods, in over 1,400 stores worldwide.\r\nLast Tuesday, M\u0026S confirmed it suffered a cyberattack that caused widespread disruption, including to its contactless payment system and online ordering. Today, Sky News reported that the disruption continues, with around 200 warehouse workers told to stay home as the company responds to the attack.\r\nhttps://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/\r\nPage 1 of 4\r\nBleepingComputer has now learned that the ongoing outages are caused by a ransomware attack that encrypted the company's servers.\r\nThe threat actors are believed to have first breached M\u0026S as early as February, when they reportedly stole the Windows domain's NTDS.dit file.\r\nAn NTDS.dit file is the main database for Active Directory Services running on a Windows domain controller. This file contains the password hashes for Windows accounts, which can be extracted by threat actors and cracked offline to recover the associated plain-text passwords.\r\nUsing these credentials, a threat actor can then spread laterally throughout the Windows domain while stealing data from network devices and servers.\r\nSources told BleepingComputer that the threat actors ultimately deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines.\r\nBleepingComputer has learned that Marks and Spencer asked for help from CrowdStrike, Microsoft, and Fenix24 to investigate and respond to the attack.\r\nThe investigation so far indicates that hackers associated with the tactics known as Scattered Spider, or Octo Tempest as Microsoft calls them, are behind the attack.\r\nWhen contacted with this information, M\u0026S said that it could not go into details about the cyber incident.\r\nDo you have information about this or another cyberattack? If you want to share the information, you can contact us securely and confidentially on Signal at LawrenceA.11, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.\r\nWho is Scattered Spider?\r\nScattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a classification of threat actors who are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access to large organizations.\r\nThese threat actors include young English-speaking people (some as young as 16) with diverse skill sets who frequent the same hacker forums, Telegram channels, and Discord servers. These mediums are then used to plan and conduct attacks in real time.\r\nSome are believed to be part of the \"Com\", a loose-knit community involved in violent acts and cyber incidents that have gained wide media attention.\r\nWhile the media and researchers commonly refer to Scattered Spider as a cohesive gang, the name actually denotes threat actors who use certain tactics when conducting attacks. Because attacks associated with Scattered Spider tactics are commonly conducted by different individuals from a loose network of threat actors, they are difficult to track.\r\nThe threat actors initially started in financial fraud and social media hacks but later advanced to extremely sophisticated social engineering attacks to steal cryptocurrency from individuals or breach corporations in extortion attacks.\r\nScattered Spider escalated its attacks in September 2023 when they breached MGM Resorts using a social engineering attack that impersonated an employee in a call to the company's IT help desk. In this attack, the threat actors deployed the BlackCat ransomware to encrypt more than 100 VMware ESXi hypervisors.\r\nThis was a pivotal moment in the ransomware landscape, as it was the first known indication that English-speaking threat actors were working with Russian-speaking ransomware gangs.\r\nSince then, threat actors classified as Scattered Spider have been known to act as affiliates for various ransomware operations, including RansomHub, Qilin, and now DragonForce.\r\nDragonForce is a ransomware operation that launched in December 2023 and has recently begun promoting a new service that allows cybercrime teams to white-label its services.\r\nResearchers commonly associate attacks with Scattered Spider based on specific indicators of compromise, including credential-stealing phishing attacks targeting SSO platforms, SIM swaps, social engineering attacks impersonating IT help desks, and other tactics.\r\nCybersecurity firm Silent Push released a report earlier this month outlining Scattered Spider's most recent phishing attacks.\r\nOver the past two years, law enforcement has been increasingly targeting these threat actors, arresting people in the US, the United Kingdom, and Spain.\r\nUpdate 4/29/25: Updated story to make it clearer that Scattered Spider is not a specific group of individuals.\r\nSource: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/"
	],
	"report_names": [
		"marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26a46f23ff3d8f7e333cd255812a6c22a9380616.pdf",
		"text": "https://archive.orkl.eu/26a46f23ff3d8f7e333cd255812a6c22a9380616.txt",
		"img": "https://archive.orkl.eu/26a46f23ff3d8f7e333cd255812a6c22a9380616.jpg"
	}
}