On Easter Monday 2025, British retail chain Marks & Spencer (M&S) was hit by a large-scale ransomware attack. The company is still in “rebuild mode” and will remain so for some time. M&S is not saying whether it paid the ransom demanded. What is the most likely scenario, and does it even matter?
For the first time since the disastrous ransomware attack, Marks & Spencer is clearing the air. Speaking on behalf of the company, chairman Archie Norman said it had been compromised by a “sophisticated impersonation.” Although the incident took place on Easter Monday (April 21), DragonForce managed to infiltrate M&S’s IT systems on April 17. What followed was a mixture of speed and sluggishness: while all intelligence services (including the FBI) were quickly informed, the consequences had a very long aftermath. Even more than a month after the incident, M&S was still unable to deliver orders to Northern Ireland due to the hack. Ultimately, the online store was down for seven weeks.
Lips tightly sealed
Norman’s public comments are somewhat puzzling. On the one hand, he asked the nation’s Business and Trade Committee how a company should deal with a demand for ransom in exchange for a ransomware decryptor. On the other hand, he did not want to reveal whether M&S paid the DragonForce attackers. In the best case, payment frees an organization from all its problems: the data encrypted by the malicious software is made available again, and no sensitive data is published via a leak site.
No Marks & Spencer data has ended up on DragonForce’s public leak site. That does not necessarily suggest that a ransom was paid for the decryption of files, although there is a possibility that the retailer received guarantees that no data would appear online. This is speculation, but with the information we have, there is no indication that DragonForce will publish any M&S data soon.
Chairman Norman states that the interaction with DragonForce is a matter for the police. According to him, the British National Crime Agency has been fully informed about the matter. The only thing he did say is the following:
“The question you have to ask is – and I think all businesses should ask – is, when they look at the demand, what are they getting for it? Because once your systems are compromised and you’re going to have to rebuild anyway, maybe they’ve got exfiltrated data that you don’t want to publish. Maybe there’s something there, but in our case, substantially the damage had been done.” In short: regardless of whether it paid the ransom, M&S was already severely affected. At least, that’s how it sounds, but it is clear in any case that paying the ransom would not have prevented the disruption.
Requirements for others
It is striking that the Marks & Spencer chairman has gone beyond issuing the statement above. He also believes that organizations affected by a cyberattack should be forced to report it. According to Norman, two large British companies have experienced major hacks in recent months but have not disclosed this to the outside world. Read cynically, the implicit message is loud and clear: if M&S has to publicly eat humble pie, then so should others.
Nevertheless, the most important question remains unanswered: did M&S pay to have its systems decrypted? Or, indeed, what can others learn from the encounter beyond simply securing their systems better or training their personnel to be cyber-aware? This is more interesting than the fact that a large company can be hacked in the first place or that the consequences can be very significant indeed. We know that. But now it remains unknown (perhaps based on legal advice) what lessons M&S has learned when it comes to paying ransom. We’d love for there to be a public culture of accountability that allows for such transparency. If not, we’ll never move beyond cyber incidents occurring left and right with little to show for it.
Based on the information currently available, we assume that M&S did not pay to obtain a decryption key. Why? First of all, the outage was significant, indicating that systems had to be completely restarted or even rebuilt from scratch. Secondly, Norman’s quotes suggest that, at most, a payment was made to keep sensitive (customer) data confidential, which may have prevented greater costs in the form of damage claims or fines.
A counterargument: British MP David Davis hinted (but stopped well short of confirming) that M&S did pay up. An unnamed British company is said to have transferred “a very large sum” to its blackmailers, according to the MP. This may have been M&S’s supposed payment to protect the sensitive data rather than to buy a decryptor. If the company did in fact pay, it is likely that the decryption did not work or did not help enough to avoid the recovery work. In any case, the lesson is not only that paying a ransomware demand is unreliable, or at least questionable, but that communication about it is still far too unclear and unhelpful.