Cluster Bombing Ransomware: UK Retailers Fall Victim
5–5–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, May 5, 2025, and I’m not going to talk about the Signal knockoff that US Government officials have been spotted using - or the hardcoded keys that allowed those messages to be exposed. You should still read an article or two about it, though.
What we are going to talk about is the cluster of attacks befalling UK retailers, because it should be a cautionary tale for all of us.
Cluster Bombing Ransomware: UK Retailers Fall Victim
Starting with an attack two weeks ago on UK retailer Marks & Spencer, a group calling themselves DragonForce has now claimed credit for attacks on M&S, on the storied retailer Harrods, and on the Co-op, the last of which is looking at an exposure of more than 20m customer records.
SentinelOne has a good profile of the group, noting their pivot from hacktivism to straight extortion, and their preference for phishing as the way in, followed by known vulnerabilities or exposed credentials to gain access and launch their attacks.
Security researcher Kevin Beaumont has a good write-up on the happenings around Marks & Spencer. It follows on reporting that, while M&S escalated the issue internally very quickly (at midnight, to the CEO), they had no plan for a ransomware attack. Reports claim their staff are using WhatsApp to communicate (as corporate comms are down) and sleeping on the floor in the office as they struggle to regain control.
The scope and scale of the attacks has prompted a blog post with warnings from the UK’s National Cyber Security Centre, authored by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
As usual, their advice is sound, and worth sharing, imploring retailers to:
Ensure 2-step verification (multi-factor authentication) is deployed comprehensively;
Enhance monitoring against account misuse, e.g. 'risky logins' within Microsoft Entra ID Protection, especially where the detection type is 'Microsoft Entra threat intelligence';
Pay specific attention to Domain Admin, Enterprise Admin and Cloud Admin accounts;
Review helpdesk password reset processes, including how the helpdesk authenticates staff members' credentials before resetting passwords, especially those with escalated privileges;
Ensure your security operations centres can identify logins from atypical sources such as VPN services in residential ranges; and
Ensure that you have the ability to consume tactics, techniques and procedures sourced from threat intelligence rapidly, whilst being able to respond accordingly.
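Here's what the second through fifth points on that list look like once you turn them into detection logic. This is an added example I've written for this post, not code from the NCSC or from any of the retailers, and it runs over constructed sign-in and audit records rather than real telemetry. The record shapes follow my reading of the Microsoft Graph signIn and directoryAudit resources (userPrincipalName, ipAddress, riskLevelDuringSignIn, riskEventTypes_v2, activityDisplayName, targetResources); the mapping of the portal label 'Microsoft Entra threat intelligence' to the riskEventTypes_v2 value investigationsThreatIntelligence, the reset activity names, the residential-VPN CIDRs and the privileged-account list are all assumptions you should verify against your own tenant and intel feeds.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-ins for residential-proxy / consumer-VPN egress ranges (documentation
# prefixes, not real provider ranges); a real deployment loads these from a threat-intel feed.
RESIDENTIAL_VPN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed set of accounts holding Domain Admin / Enterprise Admin / Cloud Admin roles.
PRIVILEGED_ACCOUNTS = {"cloudadmin@example.com", "entadmin@example.com"}

# Assumed: the riskEventTypes_v2 value behind the portal label "Microsoft Entra threat intelligence".
THREAT_INTEL_DETECTIONS = {"investigationsThreatIntelligence"}

# Assumed audit activity names for helpdesk/admin-initiated password resets.
RESET_ACTIVITIES = {"Reset password (by admin)", "Reset user password"}

# A reset followed inside this window by a sign-in from an atypical source is the
# helpdesk-social-engineering pattern the NCSC advice is pointing at.
RESET_WINDOW = timedelta(minutes=30)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_ts(value):
    # ISO-8601 with a trailing Z -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_residential_vpn(ip_text):
    # True if the address falls inside a known residential-VPN/proxy range; garbage -> False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RESIDENTIAL_VPN_RANGES)


def recent_resets(audit_events):
    # Map each reset target UPN -> list of reset timestamps
    resets = {}
    for ev in audit_events:
        if ev.get("activityDisplayName") not in RESET_ACTIVITIES:
            continue
        when = parse_ts(ev["activityDateTime"])
        for target in ev.get("targetResources", []):
            upn = target.get("userPrincipalName", "").lower()
            resets.setdefault(upn, []).append(when)
    return resets


def score_sign_in(ev, resets):
    # Return the reasons this sign-in deserves a look (empty list means nothing to see)
    reasons = []
    upn = ev.get("userPrincipalName", "").lower()
    risk_level = ev.get("riskLevelDuringSignIn", "none")
    risk_types = set(ev.get("riskEventTypes_v2", []))
    ip = ev.get("ipAddress", "")
    when = parse_ts(ev["createdDateTime"])
    atypical = is_residential_vpn(ip) or risk_level != "none"

    if risk_types & THREAT_INTEL_DETECTIONS:
        reasons.append("entra-threat-intelligence")
    elif risk_level in ("medium", "high"):
        reasons.append(f"risky-sign-in:{risk_level}")
    if is_residential_vpn(ip):
        reasons.append("residential-vpn-range")
    # A reset followed by a normal sign-in is routine; only flag it when the follow-on
    # sign-in is itself atypical (residential VPN range or non-zero risk).
    if atypical and any(timedelta(0) <= when - r <= RESET_WINDOW for r in resets.get(upn, [])):
        reasons.append("sign-in-after-password-reset")
    # Privilege escalates an existing finding; it is not a finding on its own.
    if reasons and upn in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged-account")
    return reasons


def severity(reasons):
    if not reasons:
        return "none"
    if "privileged-account" in reasons:
        return "critical"
    if "entra-threat-intelligence" in reasons or "sign-in-after-password-reset" in reasons:
        return "high"
    return "medium"


def triage(sign_ins, audit_events):
    # Score every sign-in against recent resets and return findings, worst first
    resets = recent_resets(audit_events)
    findings = []
    for ev in sign_ins:
        reasons = score_sign_in(ev, resets)
        if reasons:
            findings.append({"upn": ev.get("userPrincipalName", "").lower(),
                             "ip": ev.get("ipAddress", ""),
                             "severity": severity(reasons), "reasons": reasons})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


# Constructed sample records (not real telemetry), shaped after Graph signIn / directoryAudit.
SAMPLE_AUDIT = [
    {"activityDisplayName": "Reset password (by admin)", "activityDateTime": "2025-05-01T08:00:00Z",
     "targetResources": [{"userPrincipalName": "jsmith@example.com"}]},
]
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "cloudadmin@example.com", "ipAddress": "203.0.113.7",
     "createdDateTime": "2025-05-01T09:10:00Z", "riskLevelDuringSignIn": "high",
     "riskEventTypes_v2": ["investigationsThreatIntelligence"]},
    {"userPrincipalName": "jsmith@example.com", "ipAddress": "198.51.100.21",
     "createdDateTime": "2025-05-01T08:15:00Z", "riskLevelDuringSignIn": "none", "riskEventTypes_v2": []},
    {"userPrincipalName": "aperez@example.com", "ipAddress": "192.0.2.10",
     "createdDateTime": "2025-05-01T10:00:00Z", "riskLevelDuringSignIn": "medium",
     "riskEventTypes_v2": ["unfamiliarFeatures"]},
    {"userPrincipalName": "bkim@example.com", "ipAddress": "192.0.2.11",
     "createdDateTime": "2025-05-01T10:05:00Z", "riskLevelDuringSignIn": "none", "riskEventTypes_v2": []},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGN_INS, SAMPLE_AUDIT):
        print(f["severity"].upper(), f["upn"], f["ip"], ", ".join(f["reasons"]))
```

On the sample data the cloud admin signing in through a residential VPN range with a threat-intelligence hit comes out as critical, the just-reset user signing in fifteen minutes later from a residential range comes out as high, the medium-risk sign-in from an ordinary address is medium, and the clean sign-in produces nothing. Swap the constructed CIDRs for a real feed and the privileged set for a directory query before relying on it.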
Doing this work up front, having a plan that includes written response playbooks and validated backups, and testing both of those things regularly are critical.
It’s not glamorous work, but it’s work you’ll be glad you did should you find yourself in the position these retailers are in.
Additionally, these clustered attacks are going to become more and more common as threat actors seek to maximize monetization opportunities. The thinking is that once the initial victims share TTPs, their peers can prepare a stronger defense. That's true, and we should share TTPs, but it also means threat actors are going to focus on velocity, hitting adjacent targets in the same sector before the defenses go up, exactly as in this set of retail attacks.
Fundraising
From a fundraising perspective, a decent week, with nearly $13B in newly committed capital, led by Apollo, who raised $5.4B for their first PE secondaries fund (a theme we've continued to see here in 2025).
No major FT or WSJ headlines to speak of this week, which is just as well, since there are plenty of other market dynamics to be monitoring.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
https://www.securityweek.com/ransomware-group-claims-attacks-on-uk-retailers/
https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7
https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6