The bank holiday weekend turned chaotic as UK retailers continued to battle disruption from recent cyber attacks. Marks and Spencer (M&S) and Co-op saw empty shelves as these incidents unfolded over the past two weeks.
The attacks started over Easter and have been linked to a group called DragonForce, which operates as a ransomware-as-a-service (RaaS) operation. This group has ties to Scattered Spider and The Com, two hacking collectives.
Co-op’s CEO, Shirine Khoury-Haq, reached out to customers via email, describing the cyber criminals as “highly sophisticated.” Multiple services had to be suspended in response, and she confirmed that customer data, including names, birthdays, and contact info, was affected. Fortunately, financial details and passwords were not compromised. DragonForce even shared a sample of stolen data from about 10,000 Co-op members, hinting that other UK retailers might also be targets.
At M&S, staff were forced to sleep at the office due to the chaos, highlighting poor planning for such scenarios. It may take some time before operations return to normal.
The National Cyber Security Centre (NCSC) is investigating the attacks. Directors Jonathan Ellison and Ollie Whitehouse mentioned they’re collaborating with affected organizations and law enforcement to understand the incidents better. They’re also sharing insights with businesses to improve preparation for future threats.
DragonForce began as a Malaysia-based hacktivist group focused on supporting Palestinian causes but has shifted towards ransomware. They’ve targeted entities in countries like Israel and India, as well as UK businesses.
Jim Walter from SentinelOne noted that while some attacks seemed linked to affiliates, the evidence isn’t conclusive. DragonForce appears increasingly driven by financial gain, blending hacktivism with extortion.
Typical methods for DragonForce include phishing and exploiting known vulnerabilities. They’ve targeted common weaknesses like Log4j and Ivanti flaws, and they often use tools like Cobalt Strike and Mimikatz in their operations.
The ransomware itself, which evolved from leaked models, uses AES to encrypt files and RSA to secure the keys. Affiliates can customize how the ransomware behaves, determining which files to encrypt and how to execute attacks.
Recently, DragonForce launched a white-label service for affiliates to brand the ransomware as their own, expanding its operational reach.