Sunday, June 29, 2025

Marks & Spencer breach linked to Scattered Spider ransomware attack


Ongoing outages at British retail giant Marks & Spencer are being caused by a ransomware attack believed to be conducted by a hacking collective known as “Scattered Spider,” BleepingComputer has learned from multiple sources.

Marks & Spencer (M&S) is a British multinational retailer that employs 64,000 employees and sells various products, including clothing, food, and home goods in over 1,400 stores worldwide.

Last Tuesday, M&S confirmed it suffered a cyberattack that caused widespread disruption, including to its contactless payment system and online ordering. Today, Sky News reported that the disruption continues, with around 200 warehouse workers told to stay home as the company responds to the attack.

BleepingComputer has now learned that the ongoing outages are caused by a ransomware attack that encrypted the company’s servers.

The threat actors are believed to have first breached M&S as early as February, when they reportedly stole the Windows domain’s NTDS.dit file.

An NTDS.dit file is the main database for Active Directory Services running on a Windows domain controller. This file contains the password hashes for Windows accounts, which can be extracted by threat actors and cracked offline to gain access to the associated plain-text passwords.

Using these credentials, a threat actor can then spread laterally throughout the Windows domain, while stealing data from network devices and servers.

Sources told BleepingComputer that the threat actors ultimately deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines.

BleepingComputer has learned that Marks and Spencer asked for help from CrowdStrike, Microsoft, and Fenix24 to investigate and respond to the attack.

The investigation so far indicates that the hacking collective known as Scattered Spider, or as Microsoft calls them, Octo Tempest, is behind the attack.

When contacted with this information, M&S said that they could not go into details about the cyber incident.

Do you have information about this or another cyberattack? If you want to share the information, you can contact us securely and confidentially on Signal at LawrenceA.11, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.

Who is Scattered Spider?

Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a group of threat actors that are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations.

The group includes young English-speaking members (as young as 16) with diverse skill sets who frequent the same hacker forums, Telegram channels, and Discord servers. These mediums are then used to plan and conduct attacks in real time.

Some members are believed to be part of the “Comm” – a loose-knit community involved in violent acts and cyber incidents that have gained wide media attention.

While the media and researchers commonly refer to Scattered Spider as a cohesive gang, they are actually a network of individuals, with different threat actors participating in each attack. This fluid structure is what makes it difficult to track them.

The group initially started in financial fraud and social media hacks but later advanced to extremely sophisticated social engineering attacks to steal cryptocurrency from individuals or breach companies in extortion attacks.

The group escalated its attacks in September 2023 when they breached MGM Resorts using a social engineering attack impersonating an employee when calling the company’s IT help desk. In this attack, the threat actors deployed the BlackCat ransomware to encrypt more than 100 VMware ESXi hypervisors.

This was a pivotal moment in the ransomware landscape as it was the first known indication that English-speaking threat actors were working with Russian-speaking ransomware gangs.

Since then, Scattered Spider has been known to act as affiliates for RansomHub, Qilin, and now DragonForce.

DragonForce is a ransomware operation that launched in December 2023, and has recently begun promoting a new service where they allow cybercrime teams to white-label their services.

Researchers commonly associate attacks with the Scattered Spider group based on specific indicators of compromise, including credential-stealing phishing attacks targeting SSO platforms, social engineering attacks impersonating IT help desks, and other tactics.

Cybersecurity firm Silent Push released a report earlier this month outlining Scattered Spider’s most recent phishing attacks.

Over the past two years, law enforcement has been increasingly targeting the group, arresting multiple alleged members in the US, the UK, and Spain.


