
M&S today confirmed that the retail chain's network was initially breached in a “sophisticated impersonation attack”, which ultimately led to the DragonForce ransomware attack.
M&S President Archie Norman revealed this in a hearing with the UK Parliament’s Business and Trade Sub-Committee on Economic Security about the recent attacks on the retail sector in the country.
While Norman did not go into details, he said that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee’s password.
“The initial entry in our case, which was on 17th April, was through what people now call social engineering. As far as I can tell, that is an expression for impersonation,” Norman explained to MPs.
“And this was a sophisticated impersonation. They did not just go up and say, would you change my password. They appeared as someone with their details. And the point of entry included a third party.”
As reported by the FT in May, IT outsourcing company Tata Consultancy Services began an investigation into whether it was inadvertently involved in the attack on M&S. Tata provides help desk support for M&S and is believed to have been tricked by threat actors into resetting an employee’s password, which was then used to breach the M&S network.
For the first time, M&S referred to the DragonForce ransomware operation as the potential attacker, which Norman said was believed to be operating from Asia.
“The party in charge of the attack is considered to be DragonForce, which is a ransomware operation based, we believe, in Asia.”
Since the attack, several media outlets have falsely conflated a hacktivist group known as “DragonForce Malaysia” with the DragonForce ransomware gang. The hacktivists are believed to be a pro-Palestine group operating out of Malaysia, while the DragonForce ransomware operation is believed to be in Russia.
As first reported by BleepingComputer, the attack on M&S was conducted by threat actors associated with Scattered Spider, who deployed the DragonForce ransomware on the network.
This led M&S to deliberately shut down all its systems to prevent the spread of the attack.
However, by then it was too late: many VMware ESXi servers had been encrypted, and sources told BleepingComputer that about 150GB of data was stolen.
The ransomware operation employs a double-extortion strategy, which includes not only encrypting devices but also threatening to publish stolen data if a ransom is not paid.
While BleepingComputer was told that data was stolen in the attack, DragonForce has not made an entry on its data leak site for M&S. This may indicate that the retail chain paid the ransom demand to prevent the leak of the stolen data.
When asked about the ransom demands during the hearing, Norman said that they took a hands-off approach when dealing with the threat actors.
Norman said, “We took a preliminary decision that no one in M&S would deal directly with the threat actors.”
Norman is probably referring to ransomware negotiation firms that help companies negotiate with threat actors and get access to bitcoins to make payments.
When asked whether he had paid the ransom demand, Norman said they were not discussing these details publicly because they “don’t think that it is in the public interest,” but had fully shared the subject with the NCA and officials.
Ransomware gangs rarely do anything for free, and if the data was stolen and has not yet been leaked, either a payment has been made or the threat actor is still negotiating with M&S.


