On May 14, 2025, UK retailer Marks & Spencer (M&S) was reportedly targeted in a ransomware attack claimed by the DragonForce group. The group posted on its darknet leak site that it had exfiltrated hundreds of gigabytes of internal data, including customer records, financial documents, internal communications, and possibly payment-related data. As of now, M&S has not confirmed the scope of the breach publicly, but investigations are ongoing.

DragonForce issued a public threat to leak the stolen data if M&S refuses to pay the demanded ransom. Screenshots posted as proof-of-compromise show filenames referencing HR reports, store performance analytics, and corporate financials.

The attack has not yet impacted store operations or the M&S website, but internal systems and backend services may have experienced temporary disruptions, according to insider sources.

What We Know About the DragonForce Ransomware Campaign

Who Is DragonForce?

DragonForce is a relatively new ransomware group that emerged in late 2024, and it has quickly gained notoriety for targeting Western commercial enterprises. It appears to operate a double extortion model—stealing sensitive data and encrypting systems, then threatening public exposure if the ransom isn’t paid.

The group shares some TTPs (tactics, techniques, and procedures) with earlier ransomware outfits like LockBit and AlphV, including:

  • Living-off-the-land (LOTL) techniques for stealthy lateral movement.
  • Use of Cobalt Strike, Mimikatz, and PowerShell for credential harvesting and privilege escalation.
  • Deployment of custom encryptors with AES-256 encryption and multithreaded operations for speed.
  • Targeting of backups and shadow copies to prevent recovery.

The group hosts leaks via a Tor-based extortion site, using countdown timers and victim logos to pressure organizations.

What Kind of Data Was Stolen?

Based on leak site listings and samples:

  • Employee and HR records: possibly containing PII and payroll data.
  • Customer details: including names, loyalty program IDs, and partial contact information.
  • Financial documents: quarterly reports, internal forecasts, and strategy presentations.
  • Email inboxes and files from senior management.

No evidence has yet confirmed whether payment card data or full customer PII (like national insurance numbers or full addresses) were compromised—but the impact could widen if more data is leaked.

How Did They Gain Access?

Although M&S hasn’t disclosed the initial attack vector, similar campaigns from DragonForce have used:

  • Phishing emails with weaponized Microsoft Word documents containing embedded macros or remote template injections.
  • Exploitation of unpatched vulnerabilities, especially in VPN appliances, firewalls (e.g., Fortinet, SonicWall), and on-prem Exchange servers.
  • Compromised credentials obtained from previous data breaches or infostealer logs.

Once inside, the threat actors likely leveraged Active Directory enumeration and lateral movement to access critical systems.

Mitigation and Response

M&S has reportedly engaged a leading incident response provider and is working with UK law enforcement and data protection regulators, including the Information Commissioner’s Office (ICO).

Immediate actions organizations can take:

  • Check IoCs (Indicators of Compromise) published in similar DragonForce incidents.
  • Review logs for unauthorized PowerShell or RDP activity.
  • Ensure EDR/XDR tooling is detecting lateral movement and privilege escalation behavior.
  • Apply multi-factor authentication across all privileged accounts.
  • Backup critical data offline or out-of-band to isolate from ransomware encryption attempts.
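As an added illustration of the "review logs for unauthorized PowerShell or RDP activity" step, tied to the TTPs listed earlier (PowerShell abuse, destruction of backups and shadow copies, RDP-based lateral movement), the following Python triage script is example code written for this article, not M&S tooling or anything published by the incident responders. The log lines, hostnames, usernames, IP address and the "event_id|host|user|detail" layout are all constructed for the example; in practice the detail field would come from Windows event IDs 4104 (PowerShell script block), 4688 (process creation) and 4624 (logon, type 10 = RDP).

```python
import re
from collections import Counter

# Constructed sample log lines (not from the incident), flattened into
# "event_id|host|user|detail" form for illustration.
SAMPLE_LOGS = [
    "4104|WS-017|jsmith|Write-Host 'daily report'",
    "4104|WS-017|jsmith|powershell -nop -w hidden -enc SQBFAFgA...",
    "4688|SRV-FILE01|svc_backup|vssadmin.exe delete shadows /all /quiet",
    "4688|SRV-FILE01|svc_backup|wbadmin delete catalog -quiet",
    "4624|SRV-DC01|admin_t|LogonType=10 Src=10.4.22.9",
    "4624|SRV-DC01|admin_t|LogonType=10 Src=10.4.22.9",
    "4624|SRV-DC01|admin_t|LogonType=10 Src=10.4.22.9",
    "4624|SRV-DC01|admin_t|LogonType=10 Src=10.4.22.9",
    "4688|WS-003|bjones|notepad.exe report.txt",
]

# Case-insensitive patterns for the TTPs described in the article:
# hidden/encoded PowerShell and backup / shadow-copy destruction.
RULES = {
    "encoded_powershell": re.compile(r"powershell.*(-enc|-encodedcommand|-w hidden|-nop)", re.I),
    "shadow_copy_deletion": re.compile(r"(vssadmin.*delete shadows|wmic.*shadowcopy delete|wbadmin delete catalog)", re.I),
}
RDP_LOGON_THRESHOLD = 3  # RDP logons by one account from one source before flagging

def parse(line):
    event_id, host, user, detail = line.split("|", 3)
    return {"event_id": event_id, "host": host, "user": user, "detail": detail}

def triage(lines):
    """Return (rule, host, user, detail) findings over flattened log lines."""
    findings = []
    rdp_counts = Counter()
    for rec in map(parse, lines):
        for name, rx in RULES.items():
            if rx.search(rec["detail"]):
                findings.append((name, rec["host"], rec["user"], rec["detail"]))
        # Event 4624 with LogonType=10 is a RemoteInteractive (RDP) logon.
        if rec["event_id"] == "4624" and "LogonType=10" in rec["detail"]:
            m = re.search(r"Src=(\S+)", rec["detail"])
            rdp_counts[(rec["host"], rec["user"], m.group(1) if m else "?")] += 1
    for (host, user, src), n in rdp_counts.items():
        if n >= RDP_LOGON_THRESHOLD:
            findings.append(("rdp_logon_burst", host, user, f"{n} RDP logons from {src}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(" | ".join(finding))
```

The threshold and patterns are deliberately simple; in a real environment they would be tuned against a baseline of known administrative RDP sources and approved PowerShell usage.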

For organizations in retail, supply chain, or e-commerce, it’s critical to harden identity infrastructure, monitor for credential misuse, and segment critical systems.

Broader Context

DragonForce has previously claimed attacks on European logistics firms, manufacturing organizations, and financial service providers. The retail sector is increasingly a target due to:

  • High volumes of personal and payment data.
  • Complex supply chain interdependencies.
  • Often under-resourced cybersecurity postures in POS and legacy systems.

This attack on M&S follows recent similar breaches in the UK retail sector, suggesting a wider campaign focused on British businesses, potentially for geopolitical or economic disruption motives.

Ongoing Investigation

  • No official ransom amount disclosed yet.
  • UK’s National Cyber Security Centre (NCSC) is believed to be monitoring the incident.
  • As of May 15, no large data dump has been publicly released, indicating ongoing negotiations—or strategic delay by the attackers.

Conclusion

The DragonForce ransomware attack on Marks & Spencer is a sharp reminder that even established enterprises with mature security programs can be vulnerable to sophisticated extortion campaigns. While operational impact appears limited for now, the data exposure risk remains high. Retail organizations should prioritize threat hunting, patch hygiene, identity protection, and ransomware response tabletop exercises.
