A coordinated wave of cyberattacks has struck major UK retailers in recent weeks, with the DragonForce ransomware group claiming responsibility for breaches at Marks & Spencer, Co-op, and luxury department store Harrods.
These attacks have caused significant operational disruptions and financial losses, marking one of the most substantial cyber campaigns against British retail in recent history.
The campaign highlights the growing sophistication and reach of ransomware-as-a-service (RaaS) operations targeting high-profile commercial enterprises.
Retail Giants Under Attack
SentinelOne reports that Marks & Spencer was the first victim, with attackers infiltrating their network as early as February 2025.
The attackers deployed the DragonForce encryptor against M&S’s VMware ESXi hosts, encrypting virtual machines supporting e-commerce and payment processing systems.
This led to a five-day suspension of online sales, resulting in estimated daily losses of £3.8 million and a market value drop exceeding £500 million.
The Co-op Group confirmed on May 2nd that hackers had accessed and extracted customer data, including names and contact information of Co-op members.
The company reassured customers that no passwords, bank details, or transaction records were compromised.
Internal communications revealed Co-op employees were instructed to keep cameras active during Teams meetings and verify participant identities, suggesting attackers had breached internal communication channels.
Harrods announced on May 1st that its systems had also been targeted, though the luxury retailer acted swiftly to contain the breach, limiting internet access at its locations as a precautionary measure. Operations at its Knightsbridge store and other outlets remained largely unaffected.
The DragonForce RaaS: Tactics, Techniques, and Encryption Methods
DragonForce emerged in August 2023 as a hacktivist operation from Malaysia but has evolved into a sophisticated Ransomware-as-a-Service (RaaS) operation.
The group’s ransomware uses strong encryption algorithms including AES-256 and RSA, with newer variants employing the ChaCha8 algorithm for faster encryption.
Initial access is typically gained through phishing emails, exploitation of vulnerabilities, or stolen credentials. Once inside a network, the attackers utilize tools like mimikatz, Advanced IP Scanner, and PingCastle to maintain persistence and elevate privileges.
The malware attempts to escalate to SYSTEM-level access through Access Token Manipulation, calling the DuplicateTokenEx() and CreateProcessWithTokenW() functions.
DragonForce ransomware supports multiple command-line options including “-paths” for file-system search mode, “-vmsvc” for ESXi discovery, and timing parameters for scheduled execution.
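For defenders, the tool names and command-line options reported above can be turned into a hunt over process-creation logs. The following Python is an added example, not code from SentinelOne or the original article; the event fields (host, image, command_line), the executable file names and the sample events are assumptions constructed for illustration.

```python
import shlex

# Command-line options the article attributes to the DragonForce encryptor.
RANSOMWARE_FLAGS = {"-paths", "-vmsvc"}
# Tools named in the article; the executable file names are assumptions.
TOOL_IMAGES = {"mimikatz.exe": "mimikatz", "advanced_ip_scanner.exe": "Advanced IP Scanner",
               "pingcastle.exe": "PingCastle"}

# Constructed sample events (hosts, paths and arguments are made up for this example).
SAMPLE_EVENTS = [
    {"host": "WS-017", "image": r"C:\Tools\PingCastle.exe", "command_line": r'"C:\Tools\PingCastle.exe"'},
    {"host": "WS-017", "image": r"C:\Users\Public\svc_update.exe", "command_line": r'"C:\Users\Public\svc_update.exe" -paths \\fs01\finance'},
    {"host": "WS-022", "image": r"C:\Windows\System32\robocopy.exe", "command_line": r"robocopy.exe C:\src D:\backup-paths"},
    {"host": "WS-031", "image": r"C:\Temp\x.exe", "command_line": "x.exe -VMSVC"},
]

def split_args(command_line):
    """Tokenise a Windows-style command line; fall back to whitespace on broken quoting."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()

def triage(event):
    """Return findings for one process-creation event."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = [f"tool:{TOOL_IMAGES[image]}"] if image in TOOL_IMAGES else []
    # Match whole arguments, not substrings, so "D:\backup-paths" does not hit "-paths".
    args = [a.strip('"').lower() for a in split_args(event["command_line"])[1:]]
    findings += [f"flag:{f}" for f in sorted(RANSOMWARE_FLAGS.intersection(args))]
    return findings

def scan(events):
    """Group findings per host; a host with both a named tool and an encryptor flag is 'high'."""
    hosts = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            hosts.setdefault(ev["host"], []).extend(hits)
    report = {}
    for host, hits in hosts.items():
        kinds = {h.split(":", 1)[0] for h in hits}
        report[host] = ("high" if kinds == {"tool", "flag"} else "medium", hits)
    return report

if __name__ == "__main__":
    for host, (severity, hits) in scan(SAMPLE_EVENTS).items():
        print(host, severity, hits)
```

Matches are hunting leads rather than verdicts: PingCastle and Advanced IP Scanner are also used by administrators, and a renamed binary will not match on file name.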
The group has been linked to exploiting several CVEs, including the notorious Log4Shell vulnerability (CVE-2021-44228).
Security experts have attributed some of the UK retail attacks to “Scattered Spider,” a loosely organized network of young, English-speaking hackers.
These operators leverage DragonForce’s infrastructure while paying the group a 20% cut of any ransoms collected.
In early 2025, DragonForce introduced a “white-label” service allowing affiliates to disguise attacks under different ransomware brands. This move positions DragonForce as a “Ransomware Cartel,” providing infrastructure and malware while affiliates conduct operations.
The UK’s National Cyber Security Centre has urged all retailers to strengthen their cybersecurity measures and advised consumers to monitor banking activities and update passwords.
As these attacks continue to unfold, they serve as a stark reminder of the evolving threat landscape and the critical importance of robust cybersecurity practices for all organizations, particularly those handling sensitive customer data.