Explore a real-world ransomware attack: DragonForce and the future of cyber defence

Learning from real cyber attacks


Ransomware attacks are one of the most disruptive challenges facing modern organisations. They interrupt services, shut down critical systems, and expose sensitive data within hours. When you look closely at how an attack unfolds, you start to see why cybersecurity professionals need both technical knowledge and strong analytical skills. You also understand why structured cybersecurity education is so important.


In a recent Aston University Online webinar, BSc Cybersecurity Deep Dive: A Case Study on DragonForce and the Future of Cyber Defence, Dr Paul Grace, Programme Director of the Bachelor of Science in Cybersecurity BSc (Online), takes viewers inside a real-life ransomware case. He walks through the 2025 attack on Marks & Spencer (M&S), one of the most significant incidents reported in the UK in recent years. The attack involved the ransomware group DragonForce and caused weeks of disruption. It also demonstrates how human decisions, technical vulnerabilities, and attacker strategy intersect.

We are going to build on that session by explaining how ransomware works, how this specific attack unfolded, and what cybersecurity teams look for when investigating complex incidents. You will also learn how a degree such as the Bachelor of Science in Cybersecurity BSc (Online) prepares you to understand real threats and respond to them confidently.

What is ransomware, and why is it so damaging?

Ransomware is a type of malicious software designed to block access to important data until a ransom is paid. When ransomware enters a system, it searches for valuable files, encrypts them, and prevents normal use. The organisation then faces a simple but severe problem: it cannot access the data it needs to operate.

In practice, this means disrupted services, stalled operations, and significant financial loss. Even well-resourced organisations can struggle to recover from a major attack because the damage affects every part of their digital environment.

Modern ransomware groups now use more complex methods. Many attacks involve double extortion, where attackers steal data before encrypting it, so that the stolen copy itself, not just access to the systems, becomes leverage for the ransom. They then pressure the organisation by threatening to release that data publicly. Some groups take this further by adding harassment, reputational pressure, or distributed denial-of-service (DDoS) attacks. These extra stages create urgency and make recovery harder.

This shift has transformed ransomware into a threat that compromises three core security objectives. It affects availability because systems are no longer usable. It affects confidentiality because attackers can access or leak sensitive information. And it affects trust, because customers and partners expect an organisation to protect their data.

When you consider the scale of these consequences, it becomes clear why ransomware demands serious attention from cybersecurity professionals.

How a ransomware attack unfolds

Although ransomware attacks appear sudden, they usually develop through several stages. This sequence is often referred to as the attack lifecycle. Understanding each stage helps cybersecurity teams predict attacker behaviour, detect unusual activity, and design stronger defences.

The attack lifecycle usually begins with initial access. Attackers need a way into the organisation’s systems. They might send phishing emails, exploit weak passwords, or use a convincing social engineering call to gain trust. Once they find an entry point, they work to remain undetected within the network.

The next stage involves privilege escalation and lateral movement. Attackers increase their level of access to move between systems. They often use legitimate administration tools, such as PowerShell or Remote Desktop Protocol, because these tools appear normal to monitoring systems. This technique is known as “living off the land” and makes detection more difficult.

After this comes data discovery and exfiltration. Attackers identify valuable information and quietly transfer copies out of the network. They often use encrypted tunnels or cloud storage to hide these transfers. From the outside, the organisation may not notice anything unusual.

Only after these steps do attackers deploy the ransomware payload. At that moment, files are encrypted at scale. System access disappears. Ransom notes appear. In many cases, the full impact becomes visible only when everyday services begin to fail.

Cybersecurity professionals often analyse these stages using frameworks such as MITRE ATT&CK. These frameworks help them map attacker actions to known techniques. They also support investigations by showing which systems were affected and how the attackers moved through the environment.

The Marks & Spencer ransomware attack

Between April and June 2025, Marks & Spencer experienced a major ransomware attack involving the DragonForce ransomware toolkit. The M&S incident is one of the most high-profile cyber attacks on a UK retailer in recent years. Reports from security vendors and the media link it to the DragonForce ransomware group and affiliates associated with Scattered Spider. The attack disrupted both online and in-store operations and resulted in significant financial loss. It also highlighted how quickly an attacker can escalate from initial access to full system disruption.

How attackers entered the system

Reports suggest the attack began with a social engineering call. The attackers contacted the IT help desk and impersonated an internal support engineer. Through this call, they requested a password reset for a privileged account. They also convinced the help desk to temporarily disable multi-factor authentication.

These actions provided the attackers with access to internal systems using a valid account. Once inside, they extracted the organisation’s Active Directory database. This file contains user accounts and authentication information. By working on it offline, they were able to recover additional credentials and expand their access.

This early stage of the attack shows how human behaviour can create openings. Even a well-intentioned decision at a help desk can allow attackers to bypass sophisticated security tools.

How attackers moved through the network

After gaining broader access, the attackers moved laterally across M&S systems. They used built-in administration tools and Remote Desktop Protocol to explore the environment. These tools helped them blend in with normal activity. At the same time, they deployed additional malware components to support the final stages of the attack.

They identified systems that held valuable information and quietly exfiltrated customer data. The stolen data included names, dates of birth, home addresses, household details, and order histories. Payment information and passwords were not reported as compromised, but the stolen data still posed risks for customers.
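The lifecycle described above, and the M&S walkthrough that follows it, both come down to a handful of signals a defender can look for in ordinary logs: a help desk disabling MFA and resetting the password of a privileged account without recorded verification, one account opening RDP sessions to many hosts in a short window, and a single very large outbound transfer. The following Python script is an added example, not code from the webinar or from any vendor report; it runs a rule for each stage over a small set of constructed log lines (the format, account names, hostnames, thresholds and the "verified=" field are all assumptions made for the example) and then correlates findings by account, which is how an investigator would tie individual alerts back into one intrusion.

```python
"""Stage-aware detection over a constructed security log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, loosely modelled on the stages described in the
# article. They are illustrative only and are not real telemetry from M&S.
SAMPLE_LOG = """\
2025-04-17T09:02:11Z helpdesk mfa_disabled user=svc-admin01 ticket=HD-4471 verified=no
2025-04-17T09:05:40Z helpdesk password_reset user=svc-admin01 ticket=HD-4471 verified=no
2025-04-17T09:30:00Z helpdesk password_reset user=jsmith ticket=HD-4472 verified=yes
2025-04-17T10:12:03Z auth logon user=svc-admin01 src=10.20.5.14 dst=dc01 proto=rdp
2025-04-17T10:14:27Z auth logon user=svc-admin01 src=10.20.5.14 dst=fs02 proto=rdp
2025-04-17T10:19:55Z auth logon user=svc-admin01 src=10.20.5.14 dst=sql03 proto=rdp
2025-04-17T10:25:10Z auth logon user=svc-admin01 src=10.20.5.14 dst=app04 proto=rdp
2025-04-17T11:00:00Z auth logon user=jsmith src=10.20.7.3 dst=hr01 proto=rdp
2025-04-18T02:40:00Z proxy outbound user=svc-admin01 dst=storage.cloud.invalid bytes=53687091200
2025-04-18T08:15:00Z proxy outbound user=jsmith dst=updates.vendor.invalid bytes=4194304
"""

# Assumed tuning values; a real deployment would take these from policy.
PRIVILEGED_ACCOUNTS = {"svc-admin01", "da-backup"}  # assumed privileged account list
RESET_WINDOW = timedelta(minutes=30)     # MFA disable -> password reset proximity
LATERAL_WINDOW = timedelta(minutes=60)   # window for counting distinct RDP targets
LATERAL_HOST_THRESHOLD = 3               # distinct hosts that trigger a finding
EXFIL_BYTES_THRESHOLD = 1 << 30          # 1 GiB in a single outbound transfer

# Lifecycle order used when correlating findings per account.
STAGE_ORDER = ["initial access", "lateral movement", "exfiltration"]


def parse_log(text):
    """Parse '<ts> <source> <action> k=v ...' lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, action, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["bytes"] = int(fields.get("bytes", 0))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "source": source, "action": action, **fields})
    return sorted(events, key=lambda e: e["ts"])


def detect_helpdesk_abuse(events):
    """Initial access: MFA disabled then password reset on a privileged
    account by the help desk, with no recorded identity verification."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "helpdesk" and e["user"] in PRIVILEGED_ACCOUNTS:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        disables = [e for e in evs if e["action"] == "mfa_disabled"]
        resets = [e for e in evs if e["action"] == "password_reset"]
        for d in disables:
            for r in resets:
                gap = r["ts"] - d["ts"]
                unverified = "no" in (d.get("verified"), r.get("verified"))
                if timedelta(0) <= gap <= RESET_WINDOW and unverified:
                    findings.append({"stage": "initial access", "user": user,
                                     "detail": f"MFA disabled and password reset {gap} apart "
                                               f"without verification (ticket {r.get('ticket')})"})
    return findings


def detect_lateral_movement(events):
    """Lateral movement: one account reaching many distinct hosts over RDP."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "logon" and e.get("proto") == "rdp":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):  # sliding window anchored on each logon
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                findings.append({"stage": "lateral movement", "user": user,
                                 "detail": f"RDP to {len(hosts)} hosts within {LATERAL_WINDOW}: "
                                           f"{', '.join(sorted(hosts))}"})
                break  # one finding per account is enough for triage
    return findings


def detect_exfiltration(events):
    """Exfiltration: a single outbound transfer above the size threshold."""
    return [{"stage": "exfiltration", "user": e["user"],
             "detail": f"{e['bytes']} bytes sent to {e['dst']}"}
            for e in events
            if e["action"] == "outbound" and e["bytes"] >= EXFIL_BYTES_THRESHOLD]


def run_detections(text):
    """Run every stage rule over the log and return all findings."""
    events = parse_log(text)
    return (detect_helpdesk_abuse(events)
            + detect_lateral_movement(events)
            + detect_exfiltration(events))


def correlate_by_account(findings):
    """Group findings per account and order the stages by lifecycle position,
    so an account seen across several stages stands out as one intrusion."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["user"]].add(f["stage"])
    return {user: sorted(s, key=STAGE_ORDER.index) for user, s in stages.items()}


if __name__ == "__main__":
    results = run_detections(SAMPLE_LOG)
    for f in results:
        print(f"[{f['stage']}] {f['user']}: {f['detail']}")
    for user, chain in correlate_by_account(results).items():
        print(f"{user}: {' -> '.join(chain)}")
```

Run as-is, the three rules each fire once for the constructed `svc-admin01` account and never for `jsmith`, and the correlation step lists that account's stages in lifecycle order. The rules deliberately use only fields a help desk ticketing system, an authentication log and a web proxy would already record; the point of the correlation step is that each alert alone is explainable (a genuine reset, a busy administrator, a large backup), whereas the same account appearing at every stage is not.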

How encryption caused disruption

When the attackers had collected the information they wanted, they deployed the DragonForce Encryptor. This tool is designed to encrypt files, servers, and virtual machines. Once encrypted, these systems become unusable.

The impact was immediate. The M&S online store went offline for around 46 days. Operations in physical stores were also affected. Staff faced delays, systems slowed down, and it became harder to deliver normal services. Financial losses were estimated at approximately £300 million.

The attack demonstrated how quickly availability and confidentiality can be compromised. It also demonstrated how challenging recovery can be once attackers gain prolonged access.

Lessons from the incident

The M&S case highlights several key lessons essential for anyone working in cybersecurity.

  1. Social engineering still works. Many organisations focus on technical controls, yet human decisions can still undermine even the strongest systems. Verification processes and user awareness training are essential, especially in teams that reset passwords or manage access.
  2. Defence in depth matters. No single security measure can protect an organisation. You need layers of defence that work together to prevent, detect, and respond to attacks. This includes monitoring, patching, strong authentication and careful management of privileged accounts.
  3. Backups must be robust and isolated. Backups are one of the strongest defences against ransomware, but only if they are separate from the main network. Isolated backups allow faster recovery and reduce pressure to pay a ransom. They also require regular testing to ensure they function properly when needed.

For further reading on essential protective measures, you can explore Fundamental cybersecurity practices – Protecting yourself and your organisation. If you want to learn more about the field of cybersecurity, read Cybersecurity online: Exploring jobs, career options, salary expectations, and the future of the field.

Why cybersecurity education matters

When you look at the M&S attack step by step, you see why cybersecurity requires a broad skill set. You need to understand operating systems, networks, cryptography, human factors, and attacker behaviour. You also need to analyse evidence, interpret system logs, and evaluate the risks created by each decision an organisation makes.

This complexity is why structured study helps. The Bachelor of Science in Cybersecurity BSc (Online) at Aston University Online introduces you to the full range of topics in the UK Cyber Security Body of Knowledge. You explore areas such as risk management, network and web security, malware, secure system design and human factors. You learn how attacks work, why vulnerabilities exist, and how you can design strategies to reduce risk.

Throughout the programme, you develop practical skills that prepare you for early-career roles. You learn to examine incidents, identify patterns, analyse attacker behaviour and recommend realistic solutions. These skills apply across public and private sectors and support a wide range of cybersecurity careers. You can learn more about those pathways in Is cybersecurity the right career path for you? A comprehensive guide.

Studying cybersecurity with Aston Online

The Bachelor of Science in Cybersecurity BSc (Online) combines academic depth with practical skill development. You study through flexible online learning, which allows you to balance work, life, and study in a manageable way. You move through modules that introduce core technical knowledge and give you opportunities to analyse real case studies. You also develop skills in secure programming, digital forensics, incident response, governance and policy.

By the time you complete your degree, you will understand the systems that support modern organisations and the threats that target them. You will also have the confidence to evaluate incidents and contribute to cyber defence.

What’s next?

To see the Marks & Spencer case explored in full (including a technical breakdown of each attacker step), you can watch the Aston University Online webinar BSc Cybersecurity Deep Dive: A Case Study on DragonForce and the Future of Cyber Defence.

If you want to understand how attackers think and how you can defend organisations against modern threats, the Bachelor of Science in Cybersecurity BSc (Online) is a way into this in-demand industry. You can learn more about the programme on the Aston University Online website or chat to one of our friendly Student Recruitment Advisors.
