
Ransomware Attacks Target UK Retailers: M&S, Co-op, and Harrods Hit in April-May 2025
In late April and early May 2025, a series of ransomware attacks struck some of the UK’s largest retailers—Marks & Spencer (M&S), Co-op, and Harrods. These cyberattacks caused major disruptions, led to significant data theft, and incurred substantial financial losses. This blog explores the timeline of these attacks, the hacker groups behind them, and what they mean for the retail industry and consumers.
Timeline of Major Ransomware Attacks on UK Retailers
Marks & Spencer (M&S) Attack:
The first major attack targeted M&S, attributed to the Scattered Spider hacking group. The attack began in February 2025, with hackers deploying a ransomware payload called DragonForce. They stole sensitive domain data before encrypting key systems, forcing M&S to suspend its online sales for five days. The incident caused an estimated £3.8 million in daily losses, and M&S’s stock value plummeted by over £700 million.
Co-op Breach:
Following M&S, Co-op confirmed a breach by the DragonForce group. Hackers claimed to have stolen personal data from 20 million Co-op members. While the breach affected back-office systems and call center services, sensitive information like passwords and financial data remained secure. Co-op responded quickly, rebuilding its Windows domain controllers and tightening its security protocols.
Harrods Incident:
Luxury retailer Harrods also fell victim to cyberattacks. Although its physical stores and website remained unaffected, Harrods detected attempted intrusions into its systems. The company promptly enhanced its security measures and continues to monitor for any further threats, though no customer action was required.
Who Are the Hackers Behind These Ransomware Attacks?
DragonForce Ransomware Group:
DragonForce is a ransomware-as-a-service (RaaS) group that has been active since 2023. This group targets high-profile organizations, including government entities and large corporations. DragonForce affiliates are often involved in phishing and exploiting vulnerabilities to gain access to their targets.
Scattered Spider Hacking Group:
The attack on M&S was linked to Scattered Spider, a decentralized collective of young hackers. This group is infamous for using social engineering tactics to manipulate employees into revealing sensitive credentials. Scattered Spider is motivated by financial gain and focuses on targeting large companies for ransom payouts.
How Did the Retailers Fall Victim to Ransomware?
Social Engineering & Credential Theft:
Both M&S and Co-op were targeted with social engineering: attackers tricked employees into resetting passwords, which gave the attackers access to critical systems. Once inside, the hackers stole the NTDS.dit file, the Active Directory database that holds password hashes for the accounts in a Windows domain. This allowed them to escalate privileges and move laterally through the networks.
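One way to detect the sequence described above, as an added example that is not part of the original post: it correlates a password reset (Windows Security event 4724) with a later process creation (event 4688) by the same account whose command line touches the Active Directory database. The event records, account and host names, keyword list and 24-hour window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed keyword list for command lines that touch the AD database; tune locally.
NTDS_PATTERN = re.compile(r"ntds\.dit|ntdsutil|vssadmin", re.IGNORECASE)
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events, shaped like parsed Windows Security log records.
# 4724 = attempt to reset an account's password, 4688 = process creation.
EVENTS = [
    {"time": "2025-01-10T09:02:00", "id": 4724, "host": "DC01",
     "actor": "helpdesk1", "target": "svc-admin"},
    {"time": "2025-01-10T09:40:00", "id": 4688, "host": "DC01",
     "user": "svc-admin", "cmd": "ntdsutil.exe (arguments elided)"},
    {"time": "2025-01-10T10:00:00", "id": 4724, "host": "DC01",
     "actor": "helpdesk2", "target": "jsmith"},
    {"time": "2025-01-10T10:05:00", "id": 4688, "host": "WS07",
     "user": "jsmith", "cmd": "outlook.exe"},
    {"time": "2025-01-14T08:00:00", "id": 4688, "host": "DC01",
     "user": "svc-admin", "cmd": "ntdsutil.exe (arguments elided)"},
]


def correlate(events, window=WINDOW):
    """Return alerts where a recently reset account runs an NTDS-related command."""
    last_reset = {}  # account name (lowercase) -> (reset time, who reset it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4724:
            last_reset[ev["target"].lower()] = (ts, ev["actor"])
        elif ev["id"] == 4688 and NTDS_PATTERN.search(ev.get("cmd", "")):
            reset = last_reset.get(ev["user"].lower())
            if reset and ts - reset[0] <= window:
                minutes = int((ts - reset[0]).total_seconds() // 60)
                alerts.append({"account": ev["user"], "host": ev["host"],
                               "reset_by": reset[1],
                               "minutes_after_reset": minutes})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Event 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled. An NTDS-related command with no preceding reset, which this correlation ignores, still deserves review on its own.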
Ransomware Deployment:
Once inside the systems, attackers deployed DragonForce ransomware, encrypting key systems such as e-commerce platforms, payment processing systems, and logistics networks. This forced M&S to suspend online services and disrupted in-store operations for Co-op.
Impact of the Ransomware Attacks on Retailers and Customers
Operational Disruption:
M&S faced severe operational disruptions, including the suspension of online sales and the halting of gift card services. Co-op’s back-office and call center operations were affected, although its stores remained open and functional.
Financial Losses:
The financial damage was considerable. M&S saw its market value drop by £700 million, and daily losses reached millions. Combined, the overall cost to the affected retailers likely exceeds hundreds of millions of pounds.
Data Breach and Privacy Concerns:
Co-op confirmed that personal data from millions of customers was stolen. Although sensitive data like passwords and financial information were not compromised, the breach raises concerns about potential phishing attacks and identity theft for affected individuals.
Government and Industry Response to the Cyberattacks
In light of these incidents, the National Cyber Security Centre (NCSC) has called on organizations to reassess their cybersecurity frameworks. The attacks underscore the growing cybersecurity threats from sophisticated ransomware groups and the importance of robust defenses in the retail industry.
Key Takeaways for Retailers and Consumers
For Retailers:
- Enhance cybersecurity practices, especially in credential management and employee training to combat social engineering.
- Implement and regularly test a solid incident response plan to react quickly in case of a breach.
For Consumers:
- Stay vigilant against phishing attempts and monitor your accounts for suspicious activity, particularly if you’re a member of affected retailers.
- Keep updated on security alerts from the companies you interact with and follow their security guidelines.
Industry-Wide Collaboration:
- These attacks highlight the growing sophistication of ransomware tactics. Businesses and consumers must work together, respond swiftly, and maintain strong cybersecurity measures to prevent future threats.
Conclusion: Cybersecurity in Retail – A Growing Concern
The ransomware attacks on Marks & Spencer, Co-op, and Harrods serve as a stark reminder of the persistent and evolving threat posed by cybercriminals. As ransomware tactics become more sophisticated, both businesses and consumers must remain proactive and vigilant. Robust cybersecurity defenses, employee education, and constant monitoring are critical in defending against these growing cyber threats.