Ransomware Wave Against British Retail Industry
The British retail chain Marks & Spencer has suffered a ransomware attack. Other British retailers, including Co-op and Harrods, have also been impacted by ransomware attacks from the same ransomware group, although in the latter cases it appears the impact may have been less severe.

The ransomware group DragonForce has claimed responsibility for all these ransomware attacks, but DragonForce is known as a Ransomware-as-a-Service (RaaS) group that rents its tools and infrastructure to freelance hackers.
The actual hackers appear to be a team of young Western hackers belonging to Octo Tempest, a loose group of Western cybercriminals from a criminal hacker community known as “Comm”.
Because its members are native English speakers, Octo Tempest is known for sophisticated social engineering, often impersonating IT personnel to obtain access to their victims’ environments.
Octo Tempest has previously worked with other Russian ransomware groups, including Black Cat, RansomHub and Qilin. Some of these groups have since ended their activities. It’s possible that members of those groups moved to new RaaS groups and brought their connections with Octo Tempest with them.
Assessment
Although several individuals tied to Octo Tempest have been identified and arrested, both in the UK and USA, the threat from these Western cybercriminals persists. Some members of these groups are known to have been as young as 16 when they began their criminal careers.
It appears that Octo Tempest also favors waves of attacks against a specific industry, as all the known victims of their latest crime spree were in the British retail industry.
Truesec has previously published information about Octo Tempest and their social engineering attacks, with recommendations on how to avoid them, in Threat Insight 2024-29.
[1] https://www.ncsc.gov.uk/news/retailers-incident
[2] https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
[3] https://www.bbc.com/news/articles/c3wx092exlzo
[4] https://soc.truesec.app/5f5c9acc-8492-42cf-98c4-b3b56f704ab6/threat-insights/TS-ThreatInsight-2024-29