Despite the many ‘Upgrades’ of Cybercriminals, the Human Factor Remains the Weak Link
A month has passed since the attack on Marks Spencer (MS), one of the most recognized retailers in the United Kingdom, yet there are still no signs of a return to normalcy. Millions in damages are being reported. M&S, which spans over 140 years, employs 64,000 people and operates 565 stores, experienced one of the worst cyber attacks in recent history on April 22nd.
The incident compelled the online clothing division to suspend operations, which remain inactive, left some food shelves bare in stores, and led to a loss of 60 million pounds (80 million dollars) in potential profits. The company has incurred roughly 1.2 billion pounds in losses on the stock market. A statement from the retailer last Wednesday indicated that the attack will result in approximately 300 million pounds (403 million dollars) in operating profit losses for the current year.
In addition, the chain faces a multi-million-dollar class action lawsuit, particularly from an unspecified number of Scottish customers whose data was stolen by cybercriminals.
The law firm Thompsons Solicitors, which is an expert in this type of crime and was appointed to handle the case, defines it as “the largest data theft we have ever been involved in.”
IT analysts and executives from the well-known British retail brand have confirmed that the company fell victim to a ransomware attack. Following government recommendations, they have chosen not to pay the ransom and are currently focused on reinstalling all IT systems.
The attack is attributed to DragonForce, a group regarded as a type of cybercrime franchise. This group provides ransomware as a service (‘Ransomware-as-a-Service’) to other cybercriminals, taking a 20% commission on the ransoms they collect.
Additionally, a few months back, the group announced an upgrade. A post dated March 19, 2025, revealed its transformation into a ‘cartel’ and the shift to a distributed model, allowing its ‘affiliates’ to establish their crime brands.
DragonForce, therefore, offers its infrastructure and tools but does not mandate that affiliates utilise its ransomware. The features marketed include management and customer support panels, encryption and ransom negotiation tools, a file storage system, a Tor-based news leak site with an .onion domain, and various support services.
A world, that of crime, increasingly organized and efficient and, for everyone else, a downright frightening prospect.
According to the British National Cyber Security Center (NCSC) the attacks were carried out using social engineering techniques. The hackers carefully chose their victims and then, through fake emails or phone calls, posed as colleagues or IT operators to steal credentials to access the company’s systems and advance the ransom demand.
According to the new Ransomfeed Report, a prevalent attack method worldwide saw 1,747 claims in just the second quarter of 2024.
Among these, 58 cases were linked to Italy, representing over one ransomware attack every two days, nearly a 100% increase compared to the same period in 2022.
In Italy, ransomware victims face additional sanctions mandated by a provision from the Data Protection Authority issued in 2022. This serves as a reminder for organisations to enhance their data protection and cyber risk management strategies.
Marks & Spencer’s experience highlights that even nations often viewed as more advanced than Italy have significant room for improvement in security.
Following this recent incident in the United Kingdom, the NCSC has alerted all organisations to reassess their help desk procedures for authorising password resets, especially for employees in sensitive positions.
But in the end, even if the stories change and the protagonists are different, the moral is always the same.
“The human element is the weak link in the chain, and we need to work on that.
Ransomware attacks exploit human vulnerabilities, such as distraction, emotional responses, and a general lack of awareness. Therefore, enhancing awareness and adopting a digital security posture that aligns with current standards is crucial.
The goal is to transform the ‘human factor’ from the weak link in the chain to the first line of defence.
“This is a necessary metamorphosis“, but one that requires choosing the right path to reach the goal effortlessly and enjoyably.
