Marks and Spencer dealing with... ransomware? https://infosec.exchange/@d4rkshell/114381922723370326
d4rkshell (@d4rkshell@infosec.exchange)

Attached image: Cyber incident reported by Marks and Spencer

Infosec Exchange

M&S still dealing with a major cyber incident https://www.bbc.co.uk/news/articles/cly802x1jz5o
Cyber attack causes further chaos for shoppers at M&S

Customers have reported problems with click and collect orders as well as card and contactless payments.

BBC News

It looks like M&S may be in serious operational trouble, more services being contained. https://www.bbc.com/news/articles/cdxnkg7rln2o
M&S stops online orders and issues refunds after cyber attack

The firm has stopped taking orders on its website and apps, including for food and clothes.

M&S use Palo Alto GlobalProtect for VPN; they took all the endpoints offline days ago (usually first-stage containment for ransomware/extortion groups).

So from looking through their external services, it looks like M&S started containment between Sunday 20th-Tuesday 22nd of April.

They had inbound network activity from IPs associated with crimeware groups, but difficult to know which one due to shared infrastructure.

The Sunday Times today backs up my toot about VPN access to M&S being shut down, saying a source at the company says remote access has been “scaled back”: https://www.thetimes.com/business-money/companies/article/marks-and-spencer-shuts-out-wfh-staff-after-cyberattack-q2wwcjzl3

Additionally, the print version of The Telegraph says it is ransomware, citing somebody involved in containment. They say they believe they have locked the threat actor out of the network now and are working on restoration.

Marks & Spencer shuts out WFH staff after cyberattack

M&S cuts off remote access to some of its IT systems to stop spread of suspected ‘ransomware’ cyberattack that has disrupted online orders and hit M&S’s shares

The Sunday Times

Marks and Spencer have told agency staff not to show up to shifts at their main distribution centre due to the ongoing cyber incident https://news.sky.com/story/flatplan-13357434
M&S tells agency workers to stay at home after cyberattack

Sky

I just checked in on M&S, a large part of their network is still contained - they're on about day 9. Their GlobalProtect and another VPN are also still offline.

Marks and Spencer cyber incident = ransomware.

It's the DragonForce ransomware cartel; they have encrypted their VMware ESXi clusters. Lines up with network traffic I saw.

https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/

Marks & Spencer breach linked to Scattered Spider ransomware attack

Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider", BleepingComputer has learned from multiple sources.

BleepingComputer

DragonForce's portal is currently offline, but their payment negotiation system is still online and chats ongoing.

For the record, I think M&S's external response so far has been pretty good. They probably should say ransomware themselves publicly, as it's their chance to control the narrative.

I dunno how that level of incident detail got out to the media, but I'm going to guess intelligence sharing; those circles are basically megaphones. The CISA model with Boeing for CitrixBleed worked better, where CISA released findings and made it technical, boring and actionable.

DragonForce's portal is still offline. Their chats and negotiations are being monitored now.

Some M&S stores are apparently having stock problems. I popped around to my local M&S yesterday and asked - they said there's no forecasting system, so they are getting random goods delivery rather than stock refills.

https://www.bbc.co.uk/news/articles/cy489zelvx2o

Some M&S stores left with empty shelves after cyber attack

The BBC understands M&S's operations will take until the end of the week before beginning to return to normal.

BBC News

M&S stops hiring after systems taken offline due to cyber attack

The company confirmed on Thursday that it has pulled all online job adverts.

Evening Standard

Time to do the four-yearly patching cycle.

The Marks and Spencer and Co-op cyber incident situation is continuing to dominate TV headlines in the UK.

There are a bit more details on things broken at M&S on the backend in this report.
@GossiTheDog the US will get to see some of this in a few months as companies run into packaging supply issues.
@GossiTheDog patching like mad as opposed to...? What? Technical debt and "it will never happen to us"?
@GossiTheDog I knew I should've spent my Christmas vouchers earlier...
@GossiTheDog so they didn't ask a new recruit how fat Kim Jong Il was?
@GossiTheDog third party supplier breach?
@GossiTheDog jeez, hope they make it through the fire and flames
@pogsee @GossiTheDog This is the joke I was hoping for.

@GossiTheDog Randomized delivery queues, must feel like the 1970s in the GDR, where you never knew if there would be bread or plates for purchase after you waited 3h in the queue in front of the bakery.

@GossiTheDog I would bet that a long time ago, some IT person was screaming at management during a "risk assessment" meeting that significant outages could cause this and the number crunchers said, "the business accepts the risk, so no need to bolster the itsec budget."
@GossiTheDog I assume that this is not THE DragonForce of very loud and fast guitar solos, fast drumming (very fast drumming) and songs about war etc. A fine and wonderful band.
@GossiTheDog Nice turn of a phrase there. “technical, boring and actionable” should apply to all things cybersecurity.

@GossiTheDog Through the fire and flames!

@GossiTheDog Through the Marks and Spencers
@GossiTheDog Unexpected cryptography in the virtualisation area