
In May 2025, UK-based retail giant Marks & Spencer (M&S) found itself the target of a major cyber attack orchestrated by the notorious hacking group Scattered Spider. The group, which is managed by British-speaking teenagers, launched a sophisticated DragonForce ransomware attack on M&S’s servers, disrupting operations and causing widespread chaos. This high-profile attack has not only affected the company’s day-to-day business but also attracted significant international attention, raising concerns about the vulnerability of even the largest corporations to cybercriminals.
The scale of the attack has caused major disruptions, not just to M&S’s internal systems, but also to its customers and stakeholders. With sensitive data at risk and the company’s systems locked behind impenetrable encryption, the retailer is facing one of its most challenging crises to date. The incident has prompted widespread media coverage and has sparked a public debate on the growing threat of cybercrime.
Unclear Whether M&S Paid the Ransom
As the attack unfolded, questions about whether M&S decided to pay the ransom demanded by the cybercriminals remained unanswered. The ransomware group, believed to be Scattered Spider, is known for its aggressive tactics, which include demanding large sums in cryptocurrency in exchange for a decryption key. However, the details surrounding the negotiation—or whether the company caved to these demands—remain shrouded in secrecy.
When asked about the specifics of the attack, M&S Chairman Archie Norman was tight-lipped, stating that the matter is “not of public interest” and suggesting that any discussions surrounding the ransom payment were best left to law enforcement agencies. Despite his reluctance to divulge details, the company’s refusal to openly address the issue has left room for speculation.
This has led to an outpouring of criticism on social media platforms, where users have expressed their concern about the potential consequences of paying the hackers. Many argue that such actions could embolden other cybercriminals, leading to an increase in future attacks on corporations. The general consensus is that giving in to the demands of cybercriminals only serves to fund and encourage further criminal activity.
FBI’s Warning on Ransom Payments
In November 2023, the FBI issued a crucial warning to organizations about the dangers of paying ransoms to cybercriminals. The agency made it clear that paying hackers does not guarantee the recovery of stolen data and, in many cases, could exacerbate the problem. The FBI highlighted that there is no assurance that the decryption keys provided will actually unlock all of the encrypted files, or that the hackers won’t return to demand more money.
Security researchers at Check Point also weighed in on the issue, revealing a disturbing trend. Even when victims pay the ransom and receive a decryption key, they often find that only around 80% of their encrypted data can be successfully restored. The remaining 20% may be lost permanently due to corrupt files, incomplete decryption, or other technical issues. This grim reality underscores the risks involved in negotiating with cybercriminals and raises serious doubts about the effectiveness of paying ransoms.
M&S’s Data Retrieval Timeline and Financial Impact
In June 2025, M&S made an official statement regarding the ongoing data recovery process. The company warned that it could take until October or November 2025 to fully recover its data and restore normal operations. As a result of the attack, M&S expects its financial performance for the current year to be negatively impacted, with potential losses in both revenue and customer trust.
The company is working diligently to restore its systems, but the attack has caused severe disruptions to its operations, including delays in supply chains, loss of customer data, and damage to its brand reputation. While the company is focused on ensuring the security of its systems moving forward, the long-term effects of the cyberattack are expected to be felt for months, if not years.
DragonForce Threatens to Sell Stolen Data
Adding to the complexity of the situation, the DragonForce group made public threats to sell the stolen data unless their demands were met. A few months ago, the hackers announced that they had successfully exfiltrated a portion of M&S’s sensitive data and would sell it to the highest bidder if the company refused to comply with their ransom demands. However, in recent weeks, the group has gone eerily silent, leading some to speculate that the hackers may have received a payout from M&S or another intermediary.
While the group has yet to release any further details about the stolen data, the silence has raised suspicions and fueled rumors about the company’s negotiations with the attackers. The threat of data being sold on the dark web remains a serious concern, as it could expose customer information and further damage M&S’s reputation.
The Bigger Picture: Growing Cyber Threats to Retailers
The M&S attack highlights a broader and increasingly alarming trend: the growing threat of cybercrime against major retailers and corporations. With cybercriminals using sophisticated ransomware to target high-profile organizations, the potential damage to both business operations and customer trust is enormous. As cyber threats continue to evolve, businesses of all sizes must adapt and invest heavily in cybersecurity measures to protect themselves against such attacks.
While it remains unclear whether M&S paid the ransom or not, the company’s ordeal serves as a reminder of the dangers posed by ransomware groups like Scattered Spider and the DragonForce gang. As businesses grapple with the fallout from such attacks, the larger question remains: How can companies best defend themselves in an increasingly hostile digital landscape?















