Recent Ransomware Attacks Have Focused On Identity Gaps

Cyber threats have evolved beyond the British government's ability to keep pace, a Parliamentary committee has said in a report highlighting lack of prioritisation and a deficiency in government cyber skills.

Recently, major UK retailers Marks and Spencer (M&S), Co-Operative Group (Co-op) and Harrods have all been hit by ransomware attacks, with the criminal group DragonForce, working in conjunction with the more diverse hacking collective Scattered Spider, having claimed responsibility.

DragonForce uses similar Tactics, Techniques & Procedures (TTPs) to Scattered Spider: both are known to use phishing emails, exploit known vulnerabilities, and leverage stolen credentials to gain initial access to victim networks.

DragonForce typically starts with the most vulnerable link in any security chain, humans, and has mastered the techniques of social engineering: crafting convincing phishing campaigns, executing SIM swaps to hijack phone numbers, and launching Multi-Factor Authentication (MFA) attacks in which they bombard users with authentication requests until someone simply gives in and approves one.

MFA fatigue refers to the frustration and annoyance users experience when constantly entering additional login credentials, such as one-time passwords sent via text message or an authentication app. MFA fatigue often leads users to disable MFA controls, creating security risks.

As cyber attacks become more sophisticated, MFA has become crucial for account security. However, entering codes each time a user logs in or performs sensitive actions can be tedious and disruptive. This repetitious process causes MFA fatigue and leads users to perceive MFA as an obstacle rather than a safeguard.

DragonForce has a special talent for targeting helpdesk staff, manipulating them into resetting passwords and providing that crucial first foothold. Once inside, they move methodically. They look for accounts protected by just a username and password and use these to move through networks. These incidents are not isolated or coincidental. Indeed, they are setting a trend that is rapidly expanding.

Recovery often demands draconian measures just to regain control, but teams aim to restore normal operations, giving people back the tools to do their jobs, and keeping the shelves stocked and the tills running.

The recent retail breaches can act as a catalyst for identity management and security teams to revisit and accelerate key initiatives, especially those that may have already faced pushback from teams focused on operational efficiency.

Building Retail-Specific Identity Defences

1. Protect Initial Access Points 

  • Enforce comprehensive MFA: Verify that all external access points to systems are secured with MFA, including VPNs, SaaS applications, and other internet-facing systems.
  • Implement phishing-resistant MFA: Move to number matching at minimum (remember to remove non-phishing-resistant factors too) and consider “unphishable” FIDO2 authenticators for prime targets, like IT and security teams. 
  • Secure password reset processes: Harden helpdesk procedures with strict identity verification protocols. Consider temporarily implementing in-person resets for your most critical accounts.
  • Protect MFA management: Ensure second factors can only be added or changed with appropriate identity verification, not just with username and password.

2. Prevent Lateral Movement Post-Compromise

  • Extend MFA coverage internally: MFA must extend beyond the perimeter to internal systems and infrastructure access, especially Active Directory environments, which are prime targets for threat actors and ransomware groups. Protecting RDP alone is not enough; MFA must cover all protocols (PowerShell remoting, for example, is favoured by attackers).
  • Protect non-human identities (NHIs): Implement strict controls on service accounts, limiting where they can be used and alerting on any unusual activity patterns that could indicate compromise. 
  • Contain vulnerable legacy protocols: Restrict legacy authentication protocols like NTLMv1 to the applications that absolutely require them.
  • Implement identity segmentation: Create security boundaries between different parts of the retail environment to contain breaches; for example, by disallowing server authentication from your retail sites.

3. Monitor for Identity Threats

  • Deploy Identity Threat Detection & Response (ITDR): Implement ITDR to identify anomalous behaviours like lateral movement attempts and equip your SOC to respond.
  • Focus on service account activity: Create detailed baselines of normal service account behavior and alert on deviations.
  • Monitor privileged account usage: Track admin account activity with particular attention to cross-tier usage, where high-privilege accounts access lower-security environments.
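The three monitoring points above (MFA push bombing as described earlier in the article, service account baselines, and cross-tier use of privileged accounts) can be turned into simple detection rules run over authentication events. The following Python script is an added example and not code from the article or from any vendor it cites; the JSON-lines log format, the account names, the host-to-tier mapping and the baseline are all constructed for illustration, and a real deployment would read these from the SIEM and an asset inventory.

```python
"""Identity threat detection over authentication events (added example).

Three detectors matching the monitoring guidance in the article:
  1. MFA push bombing: many push prompts to one user in a short window,
     reporting whether the burst ended in an approval.
  2. Service-account drift: a service account authenticating from a host
     outside its baseline, or with an interactive logon type.
  3. Cross-tier use: a Tier 0 admin account authenticating to a lower-tier host.
All event data, account names and tier assignments below are constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed JSON-lines authentication log (not real data).
SAMPLE_LOG = """\
{"ts": "2025-05-01T08:00:05Z", "user": "alice", "event": "mfa_push", "result": "denied", "host": "vpn-gw"}
{"ts": "2025-05-01T08:00:41Z", "user": "alice", "event": "mfa_push", "result": "denied", "host": "vpn-gw"}
{"ts": "2025-05-01T08:01:20Z", "user": "alice", "event": "mfa_push", "result": "denied", "host": "vpn-gw"}
{"ts": "2025-05-01T08:02:03Z", "user": "alice", "event": "mfa_push", "result": "denied", "host": "vpn-gw"}
{"ts": "2025-05-01T08:02:50Z", "user": "alice", "event": "mfa_push", "result": "approved", "host": "vpn-gw"}
{"ts": "2025-05-01T08:10:00Z", "user": "bob", "event": "mfa_push", "result": "approved", "host": "vpn-gw"}
{"ts": "2025-05-01T09:00:00Z", "user": "svc_backup", "event": "logon", "result": "success", "host": "backup01", "logon_type": "service"}
{"ts": "2025-05-01T09:05:00Z", "user": "svc_backup", "event": "logon", "result": "success", "host": "ws-till-17", "logon_type": "interactive"}
{"ts": "2025-05-01T09:30:00Z", "user": "adm-t0-carol", "event": "logon", "result": "success", "host": "dc01", "logon_type": "remote_interactive"}
{"ts": "2025-05-01T09:45:00Z", "user": "adm-t0-carol", "event": "logon", "result": "success", "host": "ws-till-17", "logon_type": "remote_interactive"}
"""

# Constructed baseline and tier model (assumption: sourced from an asset inventory in practice).
SERVICE_ACCOUNT_BASELINE = {"svc_backup": {"backup01", "backup02"}}
HOST_TIER = {"dc01": 0, "backup01": 1, "backup02": 1, "vpn-gw": 1, "ws-till-17": 2}
TIER0_ADMINS = {"adm-t0-carol"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into event dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events: list[dict], threshold: int = 4,
                        window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Sliding window of MFA prompts per user; alert once per burst when the
    count reaches `threshold`, updating the alert as the burst grows so the
    final record says whether the user eventually approved a prompt."""
    per_user: dict[str, deque] = defaultdict(deque)
    bursts: dict[tuple, Alert] = {}  # keyed by (user, burst start) so a burst yields one alert
    for ev in events:
        if ev["event"] != "mfa_push":
            continue
        q = per_user[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            approved = any(e["result"] == "approved" for e in q)
            minutes = int(window.total_seconds() // 60)
            bursts[(ev["user"], q[0]["ts"])] = Alert(
                "mfa_push_bombing", ev["user"],
                f"{len(q)} prompts in {minutes} min, approved={approved}")
    return list(bursts.values())


def detect_service_account_drift(events: list[dict], baseline: dict[str, set]) -> list[Alert]:
    """Service accounts should only authenticate where they are expected, and never interactively."""
    alerts = []
    for ev in events:
        if ev["event"] != "logon" or ev["user"] not in baseline:
            continue
        allowed = baseline[ev["user"]]
        if ev["host"] not in allowed:
            alerts.append(Alert("svc_unexpected_host", ev["user"],
                                f"logon to {ev['host']} not in baseline {sorted(allowed)}"))
        if ev.get("logon_type") in {"interactive", "remote_interactive"}:
            alerts.append(Alert("svc_interactive_logon", ev["user"],
                                f"{ev['logon_type']} logon on {ev['host']}"))
    return alerts


def detect_cross_tier(events: list[dict], host_tier: dict[str, int], tier0_admins: set) -> list[Alert]:
    """A Tier 0 account touching a lower-tier (or unknown) host exposes its credentials there."""
    alerts = []
    for ev in events:
        if ev["event"] != "logon" or ev["user"] not in tier0_admins:
            continue
        tier = host_tier.get(ev["host"])
        if tier is None or tier > 0:
            alerts.append(Alert("tier0_cross_tier_logon", ev["user"],
                                f"Tier 0 account on tier {tier} host {ev['host']}"))
    return alerts


def run_all(log_text: str) -> list[Alert]:
    events = parse_log(log_text)
    return (detect_push_bombing(events)
            + detect_service_account_drift(events, SERVICE_ACCOUNT_BASELINE)
            + detect_cross_tier(events, HOST_TIER, TIER0_ADMINS))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.user}: {alert.detail}")
```

On the constructed log this raises four alerts: one push-bombing burst for alice that ended in an approval, two for the backup service account (unexpected host and an interactive logon on a till workstation), and one for the Tier 0 admin logging on to that same workstation. The thresholds and tier model are deliberately simple; the value is in the shape of the rules, which map directly onto the three bullets above.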

The UK has experienced a series of stinging cyber attacks over the last few years, including a July 2024 attack on London hospitals' pathology laboratory services provider that resulted in thousands of postponed medical appointments and a blood shortage. In 2023 a ransomware incident at the British Library cost roughly £7 million to remediate. In December 2023 the government accused a Russian intelligence agency of running a years-long campaign to interfere in British politics, and in May a sequence of large-scale attacks hit the British retail sector, including M&S, Co-op, Harrods and Adidas.

All of these attacks are an opportunity to shift mind-sets, both within and around the industry.

Conclusion

Identity is not just about keeping auditors happy or shelves stocked. It’s about stopping real threats, protecting real people, and ensuring operational resilience. Treat identity as a core part of the organisation’s security strategy, not an efficiency play, and take control against identity-first attackers. 

As ransomware attacks become more targeted and disruptive, industry experts agree that the stakes have never been higher. 

The convergence of cyber threats with essential services highlights the urgent need for organisations to bolster their defences, invest in preparedness, and ensure rapid containment strategies are in place to prevent catastrophic consequences.

Silverfort     |     Silverfort     |   SC World    |     Gov Info Security  |   Security Brief     |   Cyber Magazine

Image: stuartmiles99
