UK Retailers Cyber Attack

In recent weeks, a series of highly sophisticated ransomware attacks has hit major UK retailers — including Marks & Spencer (M&S), Co-op, and Harrods. While there remains some uncertainty over exactly which threat group is responsible (likely Scattered Spider), the impact is indisputable especially to M&S: financial losses, operational disruption, and reputational damage.

It's worth noting that M&S, has shown admirable brand resilience since the attack. It’s a deeply respected institution, and assuming it continues to communicate with customers well, rebuild services and enhance security, the long-term reputational harm should be limited. What could have been an existential threat to the firm has been degraded to simply a major incident.

Lateral movement and NTDS.dit extraction

One of the most critical developments in the M&S attack was the extraction of their Active Directory database file, NTDS.dit. This file stores every domain user account along with a hashed version of their password (similar to an encrypted copy). While hashes are not plaintext passwords, attackers with offline access can attempt to crack them using several techniques:

• Brute Force: Tries every possible combination (e.g., A–Z, AA–AZ, etc.). Effective only for short passwords — typically under 8 characters.
• Dictionary Attack: Uses lists of known passwords and variants. A popular file like rockyou.txt contains over 14 million common passwords, and expanded variants can easily exceed 100 million entries.
• Tailored Attacks: Custom strategies are built using knowledge of a company’s environment, employees, usernames or known password policies — often with high success rates.

Once an attacker cracks enough passwords, they can use legitimate credentials to move laterally across systems, making it much harder for security teams to detect the intrusion. This is part of a broader dual extortion strategy: first exfiltrate data, then encrypt systems to demand a ransom.

Improving Internal Controls

To defend against attacks of this nature, organisations should focus on strengthening internal password and identity access management controls. Consider implementing the following:

1. Enforce long passwords. Length is one of the most effective defences against cracking. Set a minimum of 15 characters where technically feasible.
2. Provide security awareness training. Teach users how to create strong, memorable passphrases using simple techniques.
3. Identify and rotate credentials. Any stale account or unchanged password can become an attack vector — especially service or administrator accounts.
4. Continuously test your passwords. Use an enterprise-grade Password Strength Testing service to identify weak or guessable passwords before attackers do.

Password Strength Tester (PST) by ITSL

Our Password Strength Tester service is designed to be a practical, low-overhead component of your digital resilience testing strategy, threat-led penetration testing (TLPT) programme or red teaming activities. Key features:

• No software or hardware installation required
• Available as a remote or on-site service
• Daily updates and full reporting
• All processing is conducted in the UK
• Secure deletion of all password data using US DoD 5220.22-M compliant standards

Whether you're conducting internal audits, preparing for compliance, or strengthening your organisation post-breach, PST is a fast, cost-effective way to identify weaknesses before criminals do.

Free Initial Consultation

If you're interested in learning more about our service, please contact us at: contact@itsecuritylocksmith.co.uk

About IT Security Locksmith

IT Security Locksmith specialises in board level training and consultancy.

To find out more about our capabilities please click here.

Our services page showcases the types of services we offer.

Click here to contact us for a no obligation initial consultation.