Ransomware Hack Said to Be Cause of Marks & Spencer Outages

A ransomware attack is the cause of a disruption at Marks & Spencer Group Plc., with hackers using a potent kind of malware to lock down some of the British retailer’s systems and render them inaccessible, according to people familiar with the attack.

The company has for more than a week attempted to recover from what it’s called a “cyber incident,” pausing online orders and stopping processing some payments in its stores across the UK. A group of suspected cybercriminals hit the company with a kind of ransomware known as DragonForce, according to two people familiar with the matter, who spoke on condition of anonymity as they were not authorized to share information about the investigation.

Attackers use DragonForce ransomware to encrypt files on victims’ computers, then demand payment in cryptocurrency to unlock them, according to cybersecurity experts. The creators of DragonForce, whose identities aren’t known, operate like a criminal cartel, leasing out their malicious software and infrastructure to other hackers while taking a cut of any proceeds earned through extortion, experts say.

A spokesperson for M&S declined to comment on the ransomware or the identity of the hackers. It’s not clear whether the hackers have demanded payment from M&S, or whether M&S is engaging in any kind of negotiation.

M&S has hired external cybersecurity experts to assist with investigating and managing the incident. “We are taking actions to further protect our network and ensure we can continue to maintain customer service,” the company said in a statement.

Marks & Spencer shares have fallen 6.2% in London since the incident was reported on April 22.

Hackers working with DragonForce claimed more than 90 victims last year and targeted companies across various industries, including health care, manufacturing and telecommunications, according to Broadcom’s cybersecurity unit Symantec. The attacks spanned more than a dozen countries across North America, Europe, the Middle East and Asia, according to cyber experts.

M&S, which has more than 1,000 stores in the UK, said in a statement on April 22 that it was unable to process contact-less payments and that “click and collect” orders had been disrupted. The company also halted online orders and they have yet to resume.

There have been reports of gaps on shelves as the company struggles with availability for some items. Hundreds of agency staff at M&S’s main clothing and home warehouse were not to come in on Monday as the company battles the problem, Sky News reported.

With temperatures currently rising in the UK and online orders shut down for a fifth day on Tuesday, the cyber incident means that M&S is missing out on online sales of its Spring-Summer range.

“I’m sure demand for summer clothing is probably going up this week,” said Kate Calvert, an analyst at Investec. “There will be an impact on first quarter profits without a doubt.”

The retailer prides itself on offering consumers a so-called ‘omnichannel’ approach where they can buy both in stores and online. Online makes up the smaller proportion of the business, with web or app-based sales accounting for about 30% of the retailer’s UK clothing and home sales last year, but the longer online orders are halted the more it weighs on the business.

Photograph: The Marks & Spencer Group logo. Photo credit: Chris Ratcliffe/Bloomberg

Related: