M&S Ransomware Chaos: Scattered Spider Breaches Percy Pig's Safehouse

Well, just when you thought it couldn't get any more ridiculous, it turns out Marks & Spencer's "minor cyber incident" was actually a full-blown ransomware attack by one of the nastiest hacking groups around — Scattered Spider.

Yes, you read that right. The gang that has terrorised the likes of MGM and Caesars Palace has now had a crack at M&S. Apparently, even Percy Pig and Colin the Caterpillar aren't safe anymore.

Let's get into it.

What Actually Happened?

While M&S initially downplayed the chaos as "temporary adjustments" to protect customers and the business, we now know that Scattered Spider — also charmingly known as Octo Tempest — had been lurking inside M&S's network since February 2025.

They didn't just pop in for a look around either. These attackers stole M&S’s Active Directory database (the NTDS.dit file, which basically contains password hashes for the entire company).

Then, because stealing wasn't enough, they launched a full ransomware attack — deploying their DragonForce encryptor payload and locking down virtual machines on M&S’s VMware ESXi servers on April 24.

In short:

  • They broke in.

  • They stole the keys to the kingdom.

  • Then they burned the house down.

Classic Tuesday behaviour for Scattered Spider.

M&S’s Response:

M&S is now scrambling, working with CrowdStrike, Microsoft, and Fenix24 to contain the breach, clean up the mess, and figure out how badly they've been owned.

And yet... they're still sticking to vague corporate statements, telling customers there's "no evidence" of customer data loss (so far) and "no action required."

Meanwhile, on the ground, it's clear that store operations have been impacted, contactless payments were broken for days, click-and-collect orders vanished into the ether, and shoppers were left glaring at frozen tills.

CEO Stuart Machin emailed customers with a cheerful message about "small changes" — which, given the context, feels a bit like saying "we’ve temporarily relocated" after a house fire.

Customer Reactions:

Oh, the great British public. Normally reserved, until something really matters — like delayed cake collection.

  • One shopper tweeted: "Could not collect my online purchase today, previous visit could not return an item as tills were down... please sort out your poor IT situation."

  • Others piled in, reporting multiple days of outages, missing click-and-collect orders, and failed contactless payments.

Honestly, you mess with Percy and Colin, you mess with all of us.

Who Are Scattered Spider Anyway?

Glad you asked. Scattered Spider are not your average teenage script kiddies. They are:

  • Sophisticated: Skilled in social engineering, MFA bypass, and living-off-the-land attacks.

  • Targeted: They aim for big enterprise networks, especially in finance, retail, and entertainment.

  • Persistent: They can lurk undetected for months.

  • Destructive: When they hit, they steal and encrypt — and they’re not shy about leaking data if ransoms aren’t paid.

They’ve been linked to massive breaches at MGM Resorts, Caesars Entertainment, and others. Seeing them hit M&S is worrying — not just because of the brand damage, but because it shows UK retail is now firmly on their radar.

Why This Matters

This is bigger than Percy and Colin.

  • Active Directory compromise is serious. If the NTDS.dit was exfiltrated, M&S may have to reset thousands of credentials and review every privileged access policy. (Hint: they should have done it yesterday.)

  • Ransomware on VMware ESXi is devastating. These are core servers. Expect outages, slow recovery, and major headaches.

  • Lack of transparency is risky. Downplaying ransomware incidents just leads to public distrust, regulatory scrutiny, and bigger PR disasters.

If M&S aren’t proactively notifying customers, regulators like the ICO may come knocking — and they won't be bringing Colin cakes.
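One way to scope the credential reset described in the first bullet, as an added example that is not from the original post or from M&S's responders: every account whose password was last set before the attackers were evicted still has a hash sitting in the stolen NTDS.dit. The CSV column names, the sample rows and the cut-off date are constructed assumptions standing in for a directory export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (hypothetical column names, not real M&S data).
SAMPLE_EXPORT = """sam_account_name,enabled,admin_count,pwd_last_set
krbtgt,false,1,2019-03-02T09:00:00+00:00
svc-backup,true,1,2023-11-14T08:30:00+00:00
j.smith,true,0,2025-01-20T10:15:00+00:00
a.patel,true,0,2025-05-02T07:45:00+00:00
old.leaver,false,0,2021-06-01T12:00:00+00:00
new.starter,true,0,
"""

def triage(export_text, cutoff):
    """Bucket accounts by reset priority.

    An account is exposed if its password was last set before `cutoff`
    (the assumed eviction date), because the copied NTDS.dit may hold a
    hash that is still valid for it.
    """
    buckets = {"krbtgt": [], "privileged": [], "standard": [],
               "disabled": [], "rotated": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sam_account_name"].strip()
        raw = row["pwd_last_set"].strip()
        # An empty timestamp is treated as exposed rather than skipped.
        last_set = datetime.fromisoformat(raw) if raw else None
        if last_set is not None and last_set >= cutoff:
            # Rotated after the cut-off. krbtgt still needs a second reset,
            # which a single pwd_last_set value cannot confirm.
            buckets["rotated"].append(name)
        elif name.lower() == "krbtgt":
            buckets["krbtgt"].append(name)      # reset twice
        elif row["admin_count"].strip() == "1":
            buckets["privileged"].append(name)  # admin-protected accounts first
        elif row["enabled"].strip().lower() == "true":
            buckets["standard"].append(name)
        else:
            buckets["disabled"].append(name)    # stale hashes: reset or delete
    return buckets

if __name__ == "__main__":
    # Assumed cut-off for illustration only.
    cutoff = datetime(2025, 4, 25, tzinfo=timezone.utc)
    for priority, names in triage(SAMPLE_EXPORT, cutoff).items():
        print(f"{priority:<11} {', '.join(names) or '-'}")
```
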

What's Next?

M&S is still scheduled to announce its full-year results on May 21, 2025. And unless they want that announcement dominated by questions about cyber security failures, they'd better get their house in order quickly.

Expect to see:

  • More store disruptions (especially in click-and-collect and logistics).

  • Mass internal IT reboots (password resets, infrastructure audits).

  • Potential class-action murmurs if customer data is eventually confirmed as compromised.

  • Huge cyber insurance payouts (assuming they have decent cover — big assumption).

And, if we're lucky, a Percy Pig-themed ransomware awareness campaign.

Closing Thoughts: Percy and Colin Deserve Better

Marks & Spencer isn’t the first UK giant to get absolutely flattened by a cyber gang, and sadly, they won’t be the last. But if there’s one thing we’ve learned from this absolute circus, it's this:

No cake, no cuddly pig, no retail brand is safe until cyber security is taken seriously — at board level, with real investment, not PR spin.

Because next time, it won't just be Colin and Percy at risk. It’ll be your card details, your accounts, your trust.

And frankly, that's a lot harder to replace than a tray of Swiss rolls.

Source Articles

  • BleepingComputer: Marks & Spencer breach linked to Scattered Spider ransomware attack

  • The Times: Hacking group linked to Marks & Spencer cyberattack

  • The Guardian: M&S betting on customer patience as cyber-attack threatens to ruin 2025's strong start

  • Reuters: M&S tells warehouse agency staff to stay home as cyber incident continues

  • TechRadar: Marks & Spencer outage allegedly linked to

Noel Bradford

© 2025 Noel Bradford. All rights reserved. All content on this blog is the intellectual property of Noel Bradford unless otherwise stated. Feel free to share excerpts with proper credit and a link back to the original posts. Reproducing full articles without permission will make me very grumpy — and nobody wants that.