M&S malware attack explained step by step how the hackers broke everything

M&S got stung by Scattered Spider in a brutal identity attack that cracked AD wide open. From SIM swaps to ESXi shutdowns, this deep dive shows how they got in—and how to keep them out.

Harsh Sharma

M&S cyber incident and the Scattered Spider lessons

Marks & Spencer (M&S) became the latest business to fall victim to a ransomware attack that began with its identity systems. The attack has been attributed to the advanced threat actor Scattered Spider, and it exposed weaknesses in Active Directory security and enterprise privilege management. In this piece, we will show you how the attackers got in, moved laterally and dropped a ransomware payload, and what you can do to prepare for what’s next.

Social engineering opened the front door.

Initial access via deception and MFA fatigue

Scattered Spider is known for exploiting human behavior, and in this case we can reasonably assume they used a combination of phishing and SIM-swapping to harvest the accounts of employees with privileged access to enterprise systems.

Let’s look at the patterns investigators diagnosed:

• Credential phishing – created fake login pages and served them to try and get employees to input their username and password.

• MFA prompt bombing – targeted employees with repeated logon prompts, hoping one would be approved by accident.

• Session token theft – exploited account access using session hijacking methods where MFA was not in place.

🛡 Defensive recommendation: Move to hardware-backed or biometric MFA (for example, FIDO2), and run regular, simple anti-phishing exercises for employees.
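The prompt-bombing pattern above is easy to catch in your MFA provider's logs if you look for it: a run of denied or unanswered pushes for one user in a short window, especially when an approval follows the run. The script below is an added example written for this article; it is not code from the original post or from M&S. It assumes a simplified, constructed CSV export of push events (timestamp, user, result), and the thresholds are assumptions to tune per tenant.

```python
"""Detect MFA push fatigue ("prompt bombing") in authentication logs.

Added example for this article; it is not code from the original page or
from M&S. The log format is a constructed, simplified CSV of MFA push events
(timestamp,user,result with result in approved/denied/timeout); thresholds
are assumptions to be tuned per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of four unanswered/denied pushes against jdoe
# inside three minutes, followed by an approval (the bombing "worked"), plus
# ordinary activity for asmith that must not be flagged.
SAMPLE_LOG = """\
2025-04-17T22:01:03Z,jdoe,denied
2025-04-17T22:01:41Z,jdoe,timeout
2025-04-17T22:02:12Z,jdoe,denied
2025-04-17T22:02:55Z,jdoe,timeout
2025-04-17T22:03:30Z,jdoe,approved
2025-04-17T09:15:00Z,asmith,approved
2025-04-17T13:40:11Z,asmith,approved
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_prompt_bombing(events, max_prompts=3, window=timedelta(minutes=5)):
    """Return {user: (burst_start, burst_end, prompt_count, approved_after)}.

    A user is flagged when more than `max_prompts` pushes were denied or timed
    out inside `window`. `approved_after` is True when an approval follows the
    burst, which is the case that needs an immediate session revoke.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        rejected = [ts for ts, r in evs if r != "approved"]
        for i, start in enumerate(rejected):
            burst = [t for t in rejected[i:] if t - start <= window]
            if len(burst) > max_prompts:
                end = burst[-1]
                approved_after = any(r == "approved" and ts > end for ts, r in evs)
                findings[user] = (start, end, len(burst), approved_after)
                break  # report the first qualifying burst per user
    return findings


if __name__ == "__main__":
    for user, (start, end, n, ok) in detect_prompt_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} rejected pushes {start:%H:%M:%S}-{end:%H:%M:%S}, "
              f"approval afterwards: {ok}")
```

The `approved_after` flag is the one worth paging on: a burst that ends in an approval means the attacker most likely holds a live session, so the response is to revoke that user's tokens and reset the factor, not just to open a ticket.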

Climbing the privilege ladder

NTDS.dit extraction and offline hash cracking

Once inside, attackers didn’t linger with low-level access. They beelined for Active Directory Domain Controllers, dumping the NTDS.dit file—a digital vault of all user password hashes.

Common tools used:

  • Mimikatz and secretsdump.py for hash extraction.

  • Hashcat for GPU-accelerated password cracking.

Example command:

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

🛡 Defensive tip: Deploy Local Administrator Password Solution (LAPS) to rotate admin credentials. Monitor for Event ID 4662 to detect directory service access attempts.
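Event ID 4662 on its own is noisy, because domain controllers replicate with each other constantly. The high-fidelity signal is a 4662 whose Properties field names the directory replication extended rights and whose subject is not a domain controller account: that is the DCSync pattern tools such as secretsdump.py use to pull hashes remotely (the offline `-ntds ntds.dit LOCAL` form shown above works on an already-copied file and shows up instead as VSS or ntdsutil activity). The script below is an added example for this article, not code from the original page or from M&S; it assumes constructed, simplified event records, and the right GUIDs are the well-known AD schema values while the account names are made up.

```python
"""Flag Event ID 4662 records that show directory replication rights being
exercised by an account that is not a domain controller: the DCSync pattern
behind remote NTDS hash extraction.

Added example for this article, not code from the original page or from M&S.
Records are constructed, simplified dicts carrying the 4662 fields the check
needs (SubjectUserName, AccessMask, Properties); the right GUIDs are the
well-known values from the AD schema, the account and host names are made up.
"""
import re

# Extended rights that allow pulling password hashes over the replication
# protocol. A non-DC principal using these is a high-fidelity alert.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit: "Control Access" (extended right)
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed sample events (dicts in place of the XML from the Security log).
SAMPLE_EVENTS = [
    {  # DC-to-DC replication: expected, not an alert
        "EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {  # a user account pulling full replication data: DCSync
        "EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {  # ordinary read of a property set: not an alert
        "EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x10",
        "Properties": "Read Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}",
    },
]


def dcsync_rights(event):
    """Return the replication rights named in a 4662 event, or [] if none."""
    if event.get("EventID") != 4662:
        return []
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def find_dcsync(events, dc_accounts):
    """Return [(user, [rights])] for replication requests by non-DC accounts."""
    known_dcs = {a.upper() for a in dc_accounts}
    findings = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        rights = dcsync_rights(ev)
        if rights and user.upper() not in known_dcs:
            findings.append((user, rights))
    return findings


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"ALERT possible DCSync by {user}: {', '.join(rights)}")
```

Feed it the allow-list of your real DC computer accounts (and any AAD Connect or backup service accounts that legitimately hold these rights); anything else exercising DS-Replication-Get-Changes-All should be treated as a domain compromise in progress.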

Moving through the maze

Pass-the-Hash and forged tickets for lateral movement

Armed with the extracted hashes and cracked credentials, Scattered Spider used pass-the-hash (PtH) attacks to authenticate without needing plaintext passwords. Then came Silver Tickets, forged Kerberos service tickets that let them access high-value systems like VMware ESXi hosts without alerting domain controllers.

Example payload (Mimikatz):

kerberos::golden /user:svc_vmware /domain:corp.mands /sid:S-1-5-21-... /target:esxi01 /service:HTTP /rc4: /ptt

🛡 Defensive tip: Restrict the use of service accounts, limit Kerberos TGT lifetime, and isolate critical services.

The payload lands.

DragonForce ransomware cripples M&S infrastructure.

On April 24, 2025, the attackers deployed DragonForce ransomware, targeting VMware virtual machines hosted on ESXi servers. The payload shut down virtual environments and encrypted disk volumes, locking M&S out of its own infrastructure.

Key tactics included:

  • Terminating processes via esxcli.

  • Disabling restore points.

  • Encrypting at the disk level to sidestep file-level protections.

🛡 Defensive tip: Segment ESXi interfaces, use immutable backups, and monitor unusual activity on hypervisors.
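"Monitor unusual activity on hypervisors" is concrete on ESXi because every interactive shell command is written to shell.log, and the ransomware stage above has a recognisable shape: guest kills and snapshot removal in rapid succession from one shell. The script below is an added example for this article, not code from the original page, from M&S or from VMware; the log lines are constructed and follow the simplified shape of shell.log entries ("<time> shell[<pid>]: [<user>]: <command>"), and the command patterns and burst threshold are assumptions to tune for your maintenance windows.

```python
"""Spot hypervisor takeover activity in ESXi shell history.

Added example for this article; not code from the original page, from M&S or
from VMware. The log lines are constructed and use the simplified shape of
/var/log/shell.log entries ("<time> shell[<pid>]: [<user>]: <command>");
the command patterns and the burst threshold are assumptions to tune.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")

# Commands that stop guests or destroy recovery points. A single one is noise
# during maintenance; several in quick succession from one shell is not.
DESTRUCTIVE = {
    "vm-kill": re.compile(r"esxcli\s+vm\s+process\s+kill"),
    "vm-poweroff": re.compile(r"vim-cmd\s+vmsvc/power\.off"),
    "snapshot-wipe": re.compile(r"vim-cmd\s+vmsvc/snapshot\.remove"),
}

# Constructed sample: a benign listing a day earlier, then a burst of guest
# kills and snapshot removal inside ten seconds.
SAMPLE_SHELL_LOG = """\
2025-04-23T09:30:00Z shell[2088001]: [root]: esxcli storage filesystem list
2025-04-24T01:12:03Z shell[2099101]: [root]: esxcli vm process list
2025-04-24T01:12:10Z shell[2099101]: [root]: esxcli vm process kill --type=force --world-id=2100122
2025-04-24T01:12:12Z shell[2099101]: [root]: esxcli vm process kill --type=force --world-id=2100130
2025-04-24T01:12:15Z shell[2099101]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-04-24T01:12:19Z shell[2099101]: [root]: vim-cmd vmsvc/power.off 14
"""


def parse_shell_log(text):
    """Yield (timestamp, pid, user, command) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m.group(2)), m.group(3), m.group(4)


def analyze_shell_log(text, burst_size=3, burst_window=timedelta(seconds=60)):
    """Return {'destructive': [(ts, user, category, command)], 'burst': bool}.

    'burst' is True when `burst_size` destructive commands fall inside
    `burst_window`, the signature of a scripted shutdown rather than an admin
    retiring a single VM.
    """
    hits = []
    for ts, _pid, user, cmd in parse_shell_log(text):
        for category, pattern in DESTRUCTIVE.items():
            if pattern.search(cmd):
                hits.append((ts, user, category, cmd))
                break
    hits.sort()
    burst = any(
        hits[i + burst_size - 1][0] - hits[i][0] <= burst_window
        for i in range(len(hits) - burst_size + 1)
    )
    return {"destructive": hits, "burst": burst}


if __name__ == "__main__":
    result = analyze_shell_log(SAMPLE_SHELL_LOG)
    for ts, user, category, cmd in result["destructive"]:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} {category}: {cmd}")
    print("burst detected:", result["burst"])
```

Ship shell.log (and hostd.log) off the host to your SIEM, because a host-local detector dies with the host; the burst rule is what separates the ransomware stage from a legitimate patch-day reboot sequence.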

Defense-in-depth: A practical blueprint

Harden the environment in the following ways, starting with the identity layer.

  • Harden IAM systems by adopting phishing-resistant MFA—think WebAuthn. That way you can be sure only legitimate users are getting through.

  • You should also enforce Conditional Access rules for any unmanaged devices. That means if a device isn't managed by your organization, it can't access your network. And for admin accounts, use just-in-time (JIT) privileges. That means those accounts only have the privileges they need when they need them.

  • Protecting your credentials is also crucial. Encrypt and restrict access to your NTDS.dit file. Regularly rotate and audit your local admin accounts. And keep an eye out for abnormal logins from service accounts.

  • Supply chain exposure is another area you need to address. Enforce strong cybersecurity standards for your third-party vendors. And use mutual TLS to authenticate third-party software agents.

  • Monitoring and segmenting your network is also vital. Use Network Detection and Response (NDR) tools to track down any lateral movements. And implement Zero Trust Network Architecture (ZTNA) principles in your network.

When it comes to responding to a breach, you need to be prepared. Back up your Active Directory offline using wbadmin. Simulate breach scenarios with tools like SafeBreach. And test your backup restoration processes every quarter.

Key takeaways

The Scattered Spider M&S takedown illustrates a troubling perspective on the future of enterprise-level cyber threats.

As ransomware operators become faster and more sophisticated, enterprises must evolve faster still. Active Directory, often the weakest link within an organization, needs not just mitigation but a complete redesign. Patched and hardened identity infrastructure, lateral movement controls and rehearsed incident response planning are not a plan you can defer; they are survival.

🧪 Quick win: Run BloodHound today; you may be surprised at how close an attacker can get to your crown jewels.
