Ransomware Group DragonForce Targets UK Retailers with Demands and Threats

DragonForce, a particularly infamous ransomware group, recently opened up a new batch of attacks, focusing on major UK retailers including Marks & Spencer (M&S) and Co-op. The cyberattacks started in late April, and they have completely upended daily operations at these firms. Shelves stand empty, leaving customers to question the vulnerabilities and dependencies built into the retailers' systems.

In an unprecedented escalation, DragonForce even sent a threatening email (in Comic Sans font, no less) to the CEO of M&S. The threat was accompanied by a barrage of violent, misogynistic, and gloating language celebrating the hack. It demanded a ransom payment to regain access to the company’s encrypted servers. The email ended with an image of a dragon breathing fire, which was meant to represent the group’s very aggressive tactics.

To allow companies to discuss potential ransom negotiations safely, DragonForce added a darknet link to their extortionist email. This link brought victims to a portal where they could start negotiating the ransom payment. The collective organizes and markets various services to cyber-criminal affiliates via their darknet marketplace platform. They lure victims in promising to take a 20% cut of any ransoms they manage to collect.

Attempts to research the inner workings of DragonForce and its origin have produced contradictory accounts. While some cybersecurity experts insist the group is operating out of Malaysia, others have pointed to Russia as a potential home base. Perhaps most significant of all, the group’s affiliates might include a somewhat rag-tag band of adolescent hackers called Scattered Spider. This group is different from the average hacker syndicate. It consists of real people, most notably American and British teens.

The cyberattacks have had serious consequences both financially and reputationally for those retailers attacked. According to M&S, their stores’ operations may be impacted by prolonged outages through July. In the UK, consumers have faced empty shelves at Co-op for weeks as a result of the hacking incident’s fallout.

The UK’s National Crime Agency (NCA) confirms they are on the case of Scattered Spider, too. The new national cyber-crime unit has named this group as one of their chief suspects. Analysts are of the opinion that the members of Scattered Spider are some of the most flexible threat actors. Their opaque transaction methods imperil the financial intelligence-gathering work of law enforcement agencies.

The case gets a lot murkier. DragonForce appears to have sent its email from the personal email account of a Tata Consultancy Services (TCS) staffer. TCS is the largest Indian IT services giant and has been the mainstay provider of IT services to M&S for more than a decade. As with every breach, this one serves as a reminder that retailers must continue to strengthen their cybersecurity posture and protect sensitive information from falling into the wrong hands.

“We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers.” – Hackers (DragonForce)

The tone of DragonForce’s email communications inspires a bit of alarm with its bravado. In one instance, hackers stated:

“The dragon wants to speak to you so please head over to [our darknet website].” – Hackers (DragonForce)

Investigations are ongoing. DragonForce’s actions demonstrate the increasing threat that ransomware groups pose, even against essential sectors like retail. The reality highlights the timeliness of requiring advanced cybersecurity standards within all sectors susceptible to this type of attack.

“let’s get the party started. Message us, we will make this fast and easy for us.” – Hackers (DragonForce)

In an alarming declaration on Telegram, DragonForce also announced:

“We’re putting UK retailers on the Blacklist.” – Hackers on Telegram

As investigations continue, the ramifications of DragonForce’s actions serve as a stark reminder of the escalating threat posed by ransomware groups targeting essential sectors like retail. The situation underscores the urgent need for enhanced cybersecurity protocols across industries vulnerable to such attacks.
