Four arrested in connection with M&S, Co-op ransomware attacks

Four individuals suspected of having been involved in the ransomware attacks that hit UK-based retailers earlier this year have been arrested by the UK National Crime Agency.

“Two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London this morning (10 July) on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group,” the NCA said.

“All four were arrested at their home addresses and had their electronic devices seized for digital forensic analysis.”

Their names have not been made public as they have yet to be charged. “They remain in custody for questioning by officers from the NCA’s National Cyber Crime Unit in relation to the three attacks, which took place in April this year.”

The attacks

British multinational retailer Marks & Spencer and its customers were the first to feel the effects of the attack. It was also the only retailer of the three that were hit that has had their systems encrypted with ransomware.

The London luxury department store Harrods has apparently succeeded in fending off the attackers, and British consumer co-operative Co-op has managed to limit much of the damage by having segmented networks and by promptly taking their systems offline, thus avoiding getting their computers locked.

Still, the attackers managed to grab user data from M&S, as well as user and members data from Co-op.

In a recent hearing at the UK Parliament, M&S chairman Archie Norman confirmed that they’ve been hit with DragonForce ransomware, that the attackers got in by social engineering a third-party, and that they are still working on restoring systems and its website operations.

The company has estimated that its profit will be down by £300 million this year.

The attackers

Norman told the UK parliament’s Business and Trade Committee that the attack was perpetrated by “loosely aligned” parties. In this case, it’s believed that the two groups are Scattered Spider, a cybercriminal group that specializes in phishing, social engineering and SIM swapping attacks, and the DragonForce ransomware-as-a-service (RaaS) cartel.

Scattered Spider is considered to be a hacking group that gathers teens and young adults located in English-speaking countries like the US and the UK. Late last year, criminal complaints against five alleged members were unsealed in the US.

The ages of the four persons arrested today seem to point to them having been part of that loosely affiliated hacking collective.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, commented, and noted that while today’s arrests are a significant step in that investigation, their work continues.

“Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process,” he added.

Juliette Hudson, CTO of CybaVerse, noted that while the arrests are a positive step, organizations can’t let their guard down.

“The techniques these actors used are now widely known across the world and other criminals will be dabbling with them – hoping to see the same success,” she pointed out.

“However, the news also sparks a wider concern. How can we stop teenagers turning to cyber crime and instead use their computing skills for good? As an industry, we must do more to lead the younger generation down the right path.”

Four arrested in connection with M&S, Co-op ransomware attacks