RETAIL UNDER SIEGE

UK RETAIL STRUGGLE AMID CYBER DISRUPTION

Disruption continued across the UK retail sector over the bank holiday weekend, following a wave of cyberattacks that began two weeks ago. Customers reported empty shelves at retailers including Marks & Spencer (M&S) and Co-op as the impact persisted. The attacks, which started over the Easter weekend, have been claimed by affiliates of the DragonForce ransomware-as-a-service (RaaS) group. Investigators have linked the activity to Scattered Spider and The Com, two overlapping, English-speaking hacking groups believed to be working with DragonForce. In an update to customers over the weekend, Co-op CEO Shirine Khoury-Haq described the attackers as “highly sophisticated” and explained that, due to the severity of the incident, several services would need to remain offline. She reiterated that customer data has been impacted in the attack and said:

“This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened. We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation.”

HACKERS THREATEN MORE RETAIL TARGETS

The compromised data relating to Co-op members appears to include names, dates of birth, and contact details. However, it does not include passwords, financial information, or records of members’ shopping habits or interactions with the company. DragonForce, the ransomware-as-a-service group claiming responsibility for all three attacks, previously shared a sample of data involving approximately 10,000 Co-op members with the BBC. The group also warned reporters that additional UK retailers are listed as future targets.

NCSC STEPS IN TO SUPPORT RESPONSE EFFORTS

Meanwhile, insiders at M&S told Sky News that IT staff have been forced to sleep in the office due to the ongoing disruption. Employees described a chaotic response, citing a lack of preparedness for such an incident and warning that it may take considerable time before operations begin to stabilise. Jonathan Ellison, director of national resilience, and Ollie Whitehouse, chief technology officer, at the National Cyber Security Centre (NCSC) said the NCSC is working closely with the organisations affected by the recent cyber incidents to understand the nature of the attacks and minimise their impact. They added that guidance is also being provided to the broader retail sector and the wider economy. The government body added:

“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor, or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that. We are also sharing what we know with the companies involved and the wider sector – through our sector-focused Trust Groups run by the NCSC – and encouraging companies to share their experiences and mitigations with each other.”

INSIDE DRAGONFORCE: FROM HACKTIVISM TO RANSOMWARE

Jim Walter, senior threat researcher at SentinelOne, explained that DragonForce originally operated as a Malaysia-based hacktivist group supporting Palestinian causes. However, since emerging in the summer of 2023, the group has shifted toward a hybrid model combining political hacktivism with ransomware-driven extortion. DragonForce has launched attacks against government entities in Israel, India, Saudi Arabia, and the UK, as well as against private sector organisations aligned with particular political agendas. Walter noted that the recent wave of attacks on UK businesses underscores the critical importance of robust cybersecurity measures and well-defined incident response strategies. He added that while some elements of the attacks appear linked to an affiliate, there is limited technical evidence to confirm this. Nonetheless, the tactics and behaviour observed are consistent with operations previously attributed to the Scattered Spider and The Com hacking groups. Walter wrote in a blog post:

“While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards. Although DragonForce’s large-scale cartel model is not the first of its kind, its current successes and the recent demise of rival operations suggest that it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space. The wave of attacks against UK businesses in recent weeks highlights the ongoing need for strong cybersecurity practices and policies, along with well-developed incident response procedures.”

HOW DRAGONFORCE BREACHES NETWORKS

DragonForce, or its affiliates, typically infiltrate victim networks through a combination of targeted phishing campaigns and exploitation of known software vulnerabilities. Among their preferred attack vectors are well-known issues such as the Log4j vulnerability and high-profile flaws in Ivanti systems. They are also known to use stolen credentials, which may have played a role in the M&S breach, and in some cases credential stuffing attacks are used to gain access to remote desktop protocol (RDP) services or virtual private networks (VPNs). Once inside a network, the group often deploys Cobalt Strike to orchestrate its operations, alongside utilities such as Mimikatz for credential harvesting and Advanced IP Scanner and PingCastle for network and Active Directory reconnaissance. These are used to move laterally within systems, establish persistence, and escalate privileges, tactics that are common among ransomware operators.
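The credential stuffing pattern described above leaves a recognisable trace at the gateway: one source address trying many distinct accounts with mostly failures, occasionally followed by a success. The following Python snippet is an added defensive illustration, not code from the article or from SentinelOne; the log format, field names and thresholds are assumptions, and the log excerpt is constructed.

```python
import re
from collections import defaultdict

# Constructed gateway authentication log (sample data, not from any real incident).
SAMPLE_LOG = """\
2025-04-19T02:14:01Z vpn-gw auth result=FAIL user=j.smith src=203.0.113.45
2025-04-19T02:14:02Z vpn-gw auth result=FAIL user=a.jones src=203.0.113.45
2025-04-19T02:14:02Z vpn-gw auth result=FAIL user=m.khan src=203.0.113.45
2025-04-19T02:14:03Z vpn-gw auth result=FAIL user=p.patel src=203.0.113.45
2025-04-19T02:14:04Z vpn-gw auth result=FAIL user=l.brown src=203.0.113.45
2025-04-19T02:14:05Z vpn-gw auth result=OK user=s.green src=203.0.113.45
2025-04-19T02:20:10Z vpn-gw auth result=FAIL user=s.green src=198.51.100.7
2025-04-19T02:20:15Z vpn-gw auth result=OK user=s.green src=198.51.100.7
"""

# Assumed line format: "<timestamp> <host> auth result=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(log_text):
    """Yield (src, user, succeeded) tuples; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def find_credential_stuffing(log_text, min_distinct_users=5, max_success_ratio=0.5):
    """Return {src_ip: summary} for sources whose attempts span many distinct accounts
    with a low success ratio. Any account that did succeed from such a source is listed
    so a responder can prioritise it for password reset and session revocation."""
    per_src = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": []})
    for src, user, ok in parse_events(log_text):
        s = per_src[src]
        s["users"].add(user)
        if ok:
            s["ok"] += 1
            s["ok_users"].append(user)
        else:
            s["fail"] += 1
    alerts = {}
    for src, s in per_src.items():
        total = s["ok"] + s["fail"]
        if len(s["users"]) >= min_distinct_users and s["ok"] / total <= max_success_ratio:
            alerts[src] = {"distinct_users": len(s["users"]),
                           "failures": s["fail"], "successes": s["ok_users"]}
    return alerts

if __name__ == "__main__":
    for src, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

A single user failing once and then succeeding (the second source in the sample) is ordinary behaviour and is deliberately not flagged; the thresholds should be tuned against the gateway's normal login volume.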

RANSOMWARE EVOLUTION AND AFFILIATE STRATEGIES

The ransomware payload used by DragonForce initially relied heavily on the leaked LockBit 3.0/Black source code. However, it has since evolved into a custom-branded variant with increasing influence from the Conti codebase. Its encryption approach is somewhat atypical—using AES for primary file encryption and RSA for securing the keys, although samples derived from Conti have also been observed using the ChaCha8 algorithm. Affiliates have access to a suite of tools for generating new payloads and managing their campaigns. These payloads are tailored for various platforms, including Linux, VMware ESXi, and Windows, and can be extensively customised. Affiliates can modify file extension suffixes, specify command-line scripts, configure allowlists and denylists for encryption, and even enable delayed execution features. For data exfiltration, multiple methods are available, and the ransomware control panel supports collaborative team setups. This allows affiliates to coordinate more efficiently among themselves and interact more effectively with victims. In a recent development, DragonForce has launched a white-labelling service that enables affiliates to apply their own branding to the ransomware for an additional fee, further positioning the operation as a full-fledged cartel-style service provider.

ONE-STOP CYBER SHOP

Need a helping hand with your cybersecurity and compliance? Then you’ve come to the right place. I have over 25 years of experience in cybersecurity and am a London IT thought leader and entrepreneur. Cyber is in my blood and always has been. In 2006, I founded Zhero, a London-headquartered end-to-end business cybersecurity and IT support company for SMEs. Zhero is a Microsoft Gold partner providing tailored risk mitigation, cybersecurity, cloud, IT support, consultancy, and professional services to many industry sectors, including medical, finance, legal, insurance, and architecture. Zhero has worked with a diverse range of brilliant minds and institutions such as WeWork, Giorgio Armani, Energy UK, Edmond De Rothschild, the Federation of Master Builders, City, University of London and Dimension Data. Get in touch today for the best cybersecurity protection and compliance that money can buy.