Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 19, 2025 2 min read

Retail Ransomware Attacks Increase

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

Source: BlackFog

These incidents have led to significant operational disruptions and financial repercussions for the affected brands. For instance, M&S reported cyber costs exceeding £300 million. On July 10, UK law enforcement arrested four individuals linked to these attacks, underscoring the ongoing threat to the retail sector.

DragonForce Ransomware Group

The DragonForce ransomware group, emerging in late 2023, has quickly evolved into a Ransomware-as-a-Service (RaaS) model. This group recruits affiliate hackers to utilize their ransomware platform, taking a 20% cut from ransoms while managing malware development and payment negotiations. A DragonForce representative stated, “We are here for business and money.”

Recent attacks attributed to DragonForce or its affiliates include significant breaches at M&S, which faced widespread outages in late April 2025, and the Co-op, which experienced attempted breaches shortly thereafter.

CyberWire

Tactics of DragonForce

DragonForce employs sophisticated tactics for initial access, such as social engineering and phishing to gain credentials. In the M&S breach, attackers reportedly accessed the company's Active Directory database months prior to deploying ransomware, allowing them to use valid accounts for lateral movement within the network.

The group also utilizes PowerShell for executing payloads and automating tasks, often running malicious commands to disable security features. They have been observed using techniques like credential dumping from the LSASS process to gain domain administrator privileges.

Defense Strategies Against Ransomware

Organizations must adopt a multi-layered defense to mitigate the risk of ransomware attacks. Key strategies include:

  1. Implementing phishing-resistant multi-factor authentication and educating employees about social engineering tactics.
  2. Securing remote access points, such as VPNs and RDP servers, behind a Zero Trust Network Access (ZTNA) gateway.
  3. Protecting Active Directory and monitoring for suspicious credential retrieval.
  4. Deploying advanced Endpoint Detection & Response (EDR) tools configured to resist tampering.
  5. Regularly backing up critical data offline to prepare for potential recovery from an attack.

Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, providing comprehensive solutions such as AI Inspection Engine for Traffic Monitoring and AI Ransomware Kill Switch. This technology converges networking and security across devices and environments, ensuring robust protection against evolving ransomware threats.

Explore our services at Gopher Security to enhance your organization's security posture.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article

AI-Generated Phishing: A Growing Threat to Small Businesses

Over the past few years, the potential uses of generative AI have raised significant concerns among small business owners. The deepfake economy has emerged as a major threat. According to Business Insider, scammers are using deepfakes to impersonate company employees, leading to severe financial losses and reputational damage.

By Alan V Gutnov July 19, 2025 4 min read
Read full article