M&S cyberattack related to hacking group Scattered Spider

A hacking group called Scattered Spider has been named in connection with the ongoing M&S cyberattack.

The hackers carried out a ransomware attack on M&S’s IT network, according to an unverified report from cybersecurity website Bleeping Computer.

Criminal gangs can typically demand for up to £10m to reinstate access, industry sources have indicated.

The report said the hacking group, which comprises young adults and teenagers operating in the UK and US, initially gained access to M&S’s systems back in February.

M&S has asked for help from Microsoft, CrowdStrike, and Fenix24 to look into and respond to the cyberattack, according to Bleeping Computer.

The hackers reportedly stole the food and fashion giant’s Windows domain’s NTDS.dit file in February, with the file serving as the main database used by Windows Active Directory to store domain information such as passwords, user accounts and security data.

Residing on domain controllers, the file can be used to extract credentials and compromise the whole network if accessed by hackers.

Speaking to Bleeping Computer, sources said that the hackers used the “DragonForce” encryptor on files, which locks victims’ data and systems, making them inaccessible until they pay a ransom in exchange for a decryption key.

Although it remains unclear whether M&S was or is being held at ransom, a ransom could be around £10m, sources told The Times.

The update comes as M&S has faced empty shelves across some stores as a result of the cyberattack, although it remains unclear how widespread the issue is.

On Monday, the retailer also instructed hundreds of its agency workers from its main distribution centre to stay at home as it dealt with the impacts of the attack.

Click here to sign up to Retail Gazette‘s free daily email newsletter