British retail giant Marks & Spencer is currently grappling with significant operational disruptions due to a ransomware attack. The attack is attributed to a notorious hacking group known as Scattered Spider. This incident has led to widespread outages, affecting the company's payment systems and online services.

Details of the Cyberattack

Marks & Spencer, a multinational retailer with over 64,000 employees and more than 1,400 stores worldwide, confirmed the cyberattack last Tuesday. The attack has severely impacted their contactless payment systems and online ordering capabilities. As a result, approximately 200 warehouse employees have been instructed to stay home as the company addresses the situation.

Technical Aspects of the Breach

The attack, which encrypted the company's servers, is believed to have begun as early as February. During that period, the attackers reportedly obtained the Windows domain's NTDS.dit file. This file is critical because it holds the password hashes of every domain account; an attacker who has it can use those hashes to gain unauthorized access to other systems.

  • NTDS.dit File: The main Active Directory database, which stores account password hashes.
  • Lateral Movement: Attackers used the stolen credentials to move across the network and extract data from servers.
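The two indicators above (directory replication requests that expose NTDS.dit contents, and the tooling typically used to copy the file itself) are what a defender would look for in Windows Security logs. The following is an added example, not code from the article or from any of the firms it names: it scans a constructed, simplified key=value rendering of Security events (IDs 4662 and 4688) and raises alerts on non-domain-controller accounts requesting replication rights and on processes that reference NTDS.dit extraction tooling. The log line format, the account names and the list of known replicator accounts are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Extended-rights GUIDs that grant directory replication. A request carrying
# either of them appears in the Properties field of Event ID 4662; only domain
# controllers should normally make such requests.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Accounts allowed to replicate the directory (assumption: the DC machine
# accounts of a hypothetical domain; adjust to the real environment).
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

# Process command-line patterns commonly associated with NTDS.dit extraction.
NTDS_RULES = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("vss_shadow_copy", re.compile(r"vssadmin\s+create\s+shadow", re.I)),
    ("ntds_dit_reference", re.compile(r"ntds\.dit", re.I)),
]


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def parse_kv(line):
    """Parse the constructed 'Key=value Key="quoted value"' log line format."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def check_line(line_no, line):
    """Return an Alert for a suspicious event, or None."""
    ev = parse_kv(line)
    eid = ev.get("EventID")
    subject = ev.get("Subject", "")
    if eid == "4662":
        props = ev.get("Properties", "").lower()
        if (REPL_GET_CHANGES in props or REPL_GET_CHANGES_ALL in props) \
                and subject not in KNOWN_REPLICATORS:
            return Alert(line_no, "dcsync_replication_rights",
                         f"{subject} requested directory replication rights")
    if eid == "4688":
        cmd = ev.get("CommandLine", "")
        for name, pattern in NTDS_RULES:
            if pattern.search(cmd):
                return Alert(line_no, name, f"{subject} ran: {cmd}")
    return None


def scan(lines):
    """Scan an iterable of log lines and return all alerts in order."""
    alerts = []
    for i, line in enumerate(lines, 1):
        alert = check_line(i, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign logon, one legitimate DC replication,
# one replication request from a service account, two extraction-tooling
# process creations, and one benign process creation.
SAMPLE_LOG = [
    r'EventID=4624 Subject=jsmith LogonType=3 Workstation=WS-117',
    r'EventID=4662 Subject=DC02$ ObjectType=domainDNS Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'EventID=4662 Subject=svc-backup ObjectType=domainDNS Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    r'EventID=4688 Subject=jsmith NewProcessName=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe ac i ntds ifm create full C:\temp\out q q"',
    r'EventID=4688 Subject=jsmith NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin create shadow /for=C:"',
    r'EventID=4688 Subject=admin NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\notes.txt"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

The replication-rights rule is the higher-fidelity one: in a healthy domain the only subjects that should ever carry those GUIDs in a 4662 event are domain controllers, so every other hit deserves a look. The process rules are noisier (backup software legitimately touches shadow copies and the database path) and are better treated as leads to correlate with the account and host involved.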

On April 24th, the attackers deployed the DragonForce encryptor to encrypt virtual machines on VMware ESXi hosts. Marks & Spencer has enlisted the cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to investigate and mitigate the attack.

About Scattered Spider

Scattered Spider, also known by various aliases such as Octo Tempest and 0ktapus, is a group known for sophisticated social engineering attacks. They employ techniques like phishing, multi-factor authentication (MFA) bombing, and SIM swapping to infiltrate large organizations.
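MFA bombing works by sending a user push prompts until one is approved, so the defender-side signal is a burst of unanswered or denied prompts for one account followed by an approval. The following is an added example, not code from the article: it runs that check over a constructed list of MFA push results and reports accounts whose prompts exceed a threshold within a time window, noting whether an approval followed the burst. The event format, the user names, the threshold and the window length are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 5            # unanswered/denied pushes in one window (assumption)
WINDOW = timedelta(minutes=10)  # sliding window length (assumption)

# Constructed sample of MFA push outcomes: (ISO timestamp, user, result).
# Results are "approved", "denied" or "timeout" (prompt expired unanswered).
SAMPLE_EVENTS = [
    ("2025-04-20T08:00:05", "alice", "approved"),
    ("2025-04-20T12:30:00", "alice", "denied"),
    ("2025-04-20T17:45:00", "alice", "approved"),
    ("2025-04-20T22:10:00", "bob", "denied"),
    ("2025-04-20T22:10:40", "bob", "timeout"),
    ("2025-04-20T22:11:15", "bob", "denied"),
    ("2025-04-20T22:12:02", "bob", "denied"),
    ("2025-04-20T22:12:50", "bob", "timeout"),
    ("2025-04-20T22:13:30", "bob", "denied"),
    ("2025-04-20T22:14:10", "bob", "approved"),
    ("2025-04-20T23:00:00", "carol", "denied"),
    ("2025-04-20T23:00:45", "carol", "denied"),
    ("2025-04-20T23:01:30", "carol", "denied"),
    ("2025-04-20T23:02:10", "carol", "approved"),
]


def parse_events(rows):
    """Convert timestamps to datetime and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), user, result) for ts, user, result in rows)


def detect_mfa_fatigue(rows, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one finding per user whose unanswered/denied pushes reach
    `threshold` within `window`, with a flag if an approval followed."""
    by_user = defaultdict(list)
    for ts, user, result in parse_events(rows):
        by_user[user].append((ts, result))

    findings = []
    for user, events in by_user.items():
        for i, (start, _) in enumerate(events):
            # every event inside the window that opens at event i
            in_window = [e for e in events[i:] if e[0] - start <= window]
            pushes = [e for e in in_window if e[1] in ("denied", "timeout")]
            if len(pushes) < threshold:
                continue
            # an approval after the threshold-th unanswered prompt is the
            # signature of a user giving in to the bombardment
            nth_push_ts = pushes[threshold - 1][0]
            approved_after = any(
                e[1] == "approved" and e[0] > nth_push_ts for e in in_window
            )
            findings.append({
                "user": user,
                "start": start,
                "unanswered": len(pushes),
                "approved_after_burst": approved_after,
            })
            break  # one finding per user is enough to trigger review
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['unanswered']} unanswered pushes from {f['start']}, "
              f"approved afterwards: {f['approved_after_burst']}")
```

A finding with `approved_after_burst` set is the one to act on immediately (revoke the session, reset the factor, contact the user), while a burst with no approval still indicates that someone holds the user's password. Number-matching or phishing-resistant factors remove the failure mode entirely, so the detector is a stopgap rather than the fix.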

Group Characteristics and Activities

The group consists of young, English-speaking members who collaborate on hacker forums and communication platforms like Telegram and Discord. They initially engaged in financial fraud and social media hacks but have since advanced to more complex attacks targeting corporations for extortion.

  • Social Engineering: Utilizes impersonation and phishing to breach systems.
  • Ransomware Deployment: Known for deploying ransomware like BlackCat and DragonForce.

Scattered Spider's attacks gained notoriety in September 2023 when they breached MGM Resorts using a social engineering tactic. This marked a significant shift in the ransomware landscape, highlighting collaboration between English-speaking and Russian-speaking cybercriminals.
