M&S ransomware hack: Active Directory security lessons
M&S (Marks and Spencer) are a cornerstone of British retail with over 64,000 employees – so it was a shock for many to see them laid low by a ransomware attack in April 2025. The retail giant fell victim to a significant cyber-attack attributed to the hacking group known as Scattered Spider. Attackers reportedly infiltrated M&S’s IT systems as early as February, deploying ransomware that encrypted critical systems and disrupted operations across all 1,049 stores.
This led to a five-day suspension of online sales, averaging £3.8 million ($5.1 million) in daily losses, and caused a more than £500 million ($668 million) drop in the company’s stock market value. The hackers allegedly stole sensitive domain data, including user credentials, and used a “DragonForce” encryptor to lock systems and demand a ransom. While M&S’s physical stores remained operational, they faced ongoing issues such as non-functioning gift card services and restricted return options.
The breach highlights the growing impact of sophisticated ransomware attacks on major corporations – as well as the ongoing need for strong Active Directory security.
M&S breach: Attack summary
- Who was targeted: UK retail brand Marks and Spencer (M&S)
- Attack type: Ransomware
- Entry technique: Active Directory credential theft
- Impact: Revenue loss, drop in market value, operational disruption
- Who was responsible: Scattered Spider/UNC3944
How did the M&S ransomware attack happen?
Marks & Spencer’s compromise began as early as February 2025. Attackers (believed to be the Scattered Spider collective) gained initial access to the retailer’s network and exfiltrated the Windows domain controller’s NTDS.dit file – the core Active Directory database storing password hashes for every domain user. With this file in hand, the threat actors were able to extract and crack those hashes offline, yielding clear-text credentials for a range of accounts.
Armed with these credentials, they quietly re-entered the network over subsequent weeks, using legitimate Windows logins to evade detection and move laterally from user workstations to servers and network infrastructure across M&S’s corporate domain.
Once sufficient privileges were obtained, the attackers prepared for full system encryption. On 24th April, they deployed the DragonForce ransomware payload against M&S’s VMware ESXi hosts, encrypting virtual machines that supported e-commerce, payment processing, and logistics applications. This action knocked out contactless payments and online ordering, forcing M&S to take critical systems offline and suspend digital services entirely.
Interested to know how many weak passwords, breached credentials, and stale accounts are lurking in your Active Directory? Find out with our free read-only auditing tool: Download Specops Password Auditor.
Who are Scattered Spider?
The group known as Scattered Spider has been linked to a range of disruptive incidents involving identity compromise and abuse of remote access, often through aggressive social engineering tactics. In this case, it’s possible they leveraged similar techniques—such as phishing, MFA manipulation, or IT service impersonation—to gain access.
They’ve shown a pattern of targeting the human and procedural layers of security rather than relying solely on technical exploits. The M&S breach, if connected, highlights the continuing risk posed by well-resourced threat actors who exploit gaps in identity and access controls rather than purely technological vulnerabilities. The group also claimed responsibility for the recent attack on MGM Resorts.
Specops analysis: What can we learn from the M&S hack?
From the M&S incident, the first critical lesson is that Active Directory (AD) environments must be treated as crown jewels and defended accordingly. While attackers getting access to the NTDS.dit file is obviously a serious breach, if your passwords are strong (long, not using common base words, not using existing breached passwords) it can still be quite expensive for an attacker to brute force those hashes to learn the users’ actual passwords. There also needs to be a focus on detecting and containing lateral movement in the event of a breach.
Implementing the below measures will harden your Active Directory environment against both offline-hash cracking and the misuse of elevated credentials—two of the primary enablers of the M&S attack.
Best AD practices to follow
- Enforce modern, length-based password policies: Require a minimum 15-character password for user accounts and at least 30 characters for service accounts to resist brute-force and dictionary attacks. The best way for end users to do this is through easy-to-remember passphrases; service account and other passwords typed less frequently should be randomized using a password generator.
- Encrypt and secure your AD database backups: Robust offline backups of AD databases are essential to ensure recovery without paying ransom – these backups must be stored off-network and regularly tested for restore integrity. Enable ADPasswordEncryptionEnabled to encrypt DSRM and LAPS-backed-up credentials in your NTDS.dit snapshots, ensuring that even stolen backups aren’t readily cracked offline.
- Detect and contain lateral movement: Enable detailed AD audit logging and feed it into your SIEM and EDR solutions so abnormal actions can be spotted, such as unexpected NTDS replication requests or the creation of high-privilege groups. Segmenting network zones and enforcing least-privilege firewall rules will slow an intruder’s progress, buying valuable time for incident response teams to isolate affected systems.
- Minimize and tightly control privileged accounts: Keep the number of Domain Admins and other Tier 0 accounts to an absolute minimum. Place them in the “Protected Users” group and require Multi-Factor Authentication for any interactive or remote logins.
- Monitor and audit AD password activity: Enable detailed AD auditing to detect anomalous password-related events—failed reset attempts, atypical replication requests, or bulk changes to service-account credentials.
- Multi-factor authentication (MFA): Multi-Factor Authentication (MFA) on all administrative and service accounts should be non-negotiable. Combined with Just-In-Time (JIT) privileged access, this greatly reduces the risk of “pass-the-hash” and credential stuffing attacks.
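One way to catch the “unexpected NTDS replication requests” mentioned in the lateral-movement point above, as an added example that is not code from Specops or the original post: it scans Security Event ID 4662 records for the directory-replication control-access rights (the rights a domain controller, or a DCSync-style tool, needs to pull password hashes) and alerts on any account outside an allowlist of domain-controller computer accounts. The flattened `Key=Value;Key=Value` event layout, the sample accounts and the `MSOL_sync` directory-sync account name are constructed assumptions; the three right GUIDs are the Microsoft-defined ones.

```python
"""Flag DCSync-style replication requests in Windows Security Event ID 4662:
only DC computer accounts (and a known sync account) should ever exercise them."""
import re

# Control-access-right GUIDs that grant directory replication (Microsoft-defined).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value;Key=Value' event line (constructed layout)."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")  # split on the first '=' only: DNs contain '='
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def replication_rights(properties: str) -> list:
    """Names of any replication rights found in the event's Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def find_suspicious_replication(lines, allowed_accounts) -> list:
    """Return alerts for 4662 events where a non-allowlisted account replicated."""
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in allowed:
            alerts.append({"account": subject, "domain": ev.get("SubjectDomainName"),
                           "object": ev.get("ObjectName"), "rights": rights})
    return alerts

# Constructed sample events; the GUID in the third line is a schema class, not a replication right.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC01$;SubjectDomainName=CORP;ObjectName=DC=corp,DC=example;Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=svc-backup;SubjectDomainName=CORP;ObjectName=DC=corp,DC=example;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=j.smith;SubjectDomainName=CORP;ObjectName=CN=Users,DC=corp,DC=example;Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectUserName=j.smith;SubjectDomainName=CORP",
]
ALLOWED = ["DC01$", "DC02$", "MSOL_sync"]  # DC computer accounts plus the known directory-sync account (assumed names)
```

Running `find_suspicious_replication(SAMPLE_EVENTS, ALLOWED)` yields a single alert for `svc-backup`; in production, populate the allowlist from the Domain Controllers OU and any legitimate directory-sync account so the rule stays quiet on normal replication.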
Block weak and compromised passwords in your Active Directory
Specops Password Policy blocks end users from creating weak passwords and makes it simple to enforce the password policy your organization needs. It also continuously scans your Active Directory against our database of over 4 billion compromised passwords, blocking off attack routes before they can be exploited. Get in touch for a demo or free trial.
(Last updated on April 30, 2025)