The UK retail sector is reeling from a coordinated series of cyberattacks attributed to the DragonForce ransomware group, which has targeted some of Britain’s most iconic retailers including Marks & Spencer, Co-op, and Harrods. The attacks, which began in late April 2025, represent a significant escalation in both scope and sophistication of ransomware operations targeting the retail industry.

Listen to our chat about how the Co-op avoided ransomware:

Mounting Retail Casualties

Marks & Spencer was the first major victim, with systems compromised on April 22nd. The retailer has been forced to suspend online clothing orders for six days and continues to struggle with restoring full operational capacity. According to Computer Weekly, the attacks began over the Easter weekend and have caused significant disruption to M&S’s digital infrastructure.

Co-op confirmed they were targeted on April 30th, while luxury department store Harrods stated on May 1st that attackers attempted to gain unauthorized access to their systems. While Harrods reports it took immediate “proactive measures” including restricting internet access at its locations, Co-op has faced more severe consequences.

In an email to customers, Co-op CEO Shirine Khoury-Haq acknowledged that customer data has been impacted in the attack, calling it “extremely distressing” and apologizing for the breach. Computer Weekly reports that the compromised data includes names, dates of birth, and contact information for Co-op members, though passwords, financial details, and shopping habits were not affected.

A Troubling Trend

Security researchers have noted a disturbing trend in DragonForce’s targeting patterns. According to Arctic Wolf, these attacks are part of a concentrated campaign specifically aimed at UK retail chains throughout April and May 2025. Check Point researchers note that the consumer goods & services sector (which includes retail) is now the 5th most attacked vertical in the UK.

The timing of these attacks aligns with a historic surge in global ransomware activity. Check Point’s State of Ransomware Q1 2025 report indicates 2,289 publicly named ransomware victims were reported in just the first quarter—a 126% year-over-year increase, setting an all-time high. The report also identifies 74 distinct ransomware groups now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.

DragonForce itself operates a ransomware-as-a-service (RaaS) model, providing access to encryptor malware, a leak site, and other infrastructure to affiliates. In a May 2nd interview with Bloomberg, a spokesperson for the DragonForce ransomware group claimed responsibility for the recent ransomware attacks on UK retailers.

The Attackers and Their Methods

Security experts have linked these attacks to a threat actor tracked as Scattered Spider, a group known for conducting sophisticated phishing campaigns. Arctic Wolf notes that in the RaaS model, independent affiliate groups such as Scattered Spider are typically responsible for gaining initial access to victim organizations, as well as carrying out hands-on-keyboard intrusion and extortion work.

The DragonForce ransomware group has already shared a sample of data on about 10,000 Co-op members with the BBC and warned that other UK retailers were on a “blacklist,” according to Computer Weekly.

This campaign may reflect a broader strategic pivot for ransomware operators: moving away from ransom-only income toward harvesting high-volume personally identifiable information (PII) for secondary monetization, according to Check Point researchers.

Response and Recovery

The affected retailers have implemented varying response strategies. Harrods appears to have contained the breach quickly, hinting that the attacks were unsuccessful but still causing the organization to restrict access to their sites.

Co-op has reported that the cyber criminals behind the attack were “highly sophisticated” and that managing its severity meant multiple services must remain suspended. The company has acknowledged the data theft and is notifying affected customers, emphasizing that they “recognize the importance of data protection” and take their obligations seriously.

M&S continues to face significant operational challenges. Computer Weekly reports that the retailer is experiencing gaps appearing on shelves as the disruption continues.

Broader Implications

Arctic Wolf warns that an uptick is expected in ransomware intrusions attributed to DragonForce in the coming weeks and months as the group seeks to establish its notoriety further and attract more affiliates.

The DragonForce attacks come at a time when ransomware isn’t just growing in volume but also mutating in method. Many groups increasingly focus on data extortion without encryption, reducing operational complexity and accelerating monetization, according to Check Point.

As the investigation continues, the full extent of data compromise and operational impact remains to be determined. The UK retail sector’s vulnerability to these types of attacks highlights the critical need for organizations to strengthen their cybersecurity postures against what appears to be a sustained and evolving threat.