Co-op Cyber Attack: How Proactive Defense Thwarted Ransomware, According to Hackers
In the ever-escalating digital battleground, retailers find themselves increasingly in the crosshairs of sophisticated cybercriminal groups. The recent incident involving the UK supermarket giant Co-op serves as a compelling case study, not just in the pervasive threat of ransomware and data breaches, but also in the critical importance of rapid, decisive incident response. While the attackers claimed a degree of success in accessing the network and potentially stealing data, their primary objective – the crippling deployment of ransomware – was allegedly thwarted by Co-op's own actions.
According to the hackers who claimed responsibility, the cyberattack that targeted Co-op last month could have inflicted far greater damage. Their narrative, shared in a letter to the BBC, paints a picture of frustration. They assert that Co-op's IT team “yanked their own plug – tanking sales, burning logistics, and torching shareholder value.” This drastic, proactive measure, they claimed, meant their network “never ever suffered ransomware.”
This statement from the alleged attackers is highly revealing. It suggests that while they had established a foothold within Co-op's network, they were prevented from executing the final, most destructive phase of their attack: encrypting systems and demanding a ransom for their decryption. Co-op's decision to take systems offline, though disruptive, cut off the access the attackers needed to stage and detonate the encryptor across the estate.
Raghu Nandakumara, Head of Industry Solutions at data centre security company Illumio, echoed this sentiment in comments to TechRepublic. He noted that Co-op's “decision to proactively shut down parts of its IT systems following a cyber threat, whilst keeping essential business operations running, is a strong example of an effective containment strategy in action.” He contrasted this with the plight of many organizations that are “forced to halt operations entirely after attacks,” suggesting Co-op managed to protect its “most critical services and maintained business continuity” to a significant degree, despite the disruption.
The Dual Threat: Data Exfiltration and Ransomware
While the ransomware deployment was reportedly unsuccessful, the hackers claimed they had “spent a while seated in (Co-op’s) network” before being detected. During this period, they allegedly stole data belonging to a staggering 20 million customers. The types of data claimed to be exfiltrated included names, contact details, and dates of birth. Co-op, however, has not confirmed the number of impacted customers and stated that they do not believe sensitive financial information such as passwords, bank or credit card details, transactions, or purchase history was accessed.
This highlights a crucial distinction in modern cyberattacks: the threat is often twofold. Attackers frequently seek to both encrypt systems for ransom and steal sensitive data for potential sale on the dark web or for use in future attacks. Even if the ransomware phase is prevented, the data breach itself can have significant consequences, including regulatory fines, reputational damage, and the cost of notifying and supporting affected individuals.
Co-op detected the attempted attack late in the month and publicly disclosed it on April 30th. Their statement indicated that data was taken from one of their systems. Following this discovery, they took the critical step of restricting access to further systems. This action, as they explained in their cyber attack FAQs, helped to “contain the issue and protect our wider organisation.”
However, proactive containment, especially on the scale required to isolate potentially compromised systems in a large retail network, is not without its costs. The action inevitably impacted Co-op’s supply chain, leading to visible consequences for customers, such as empty shelves in some stores. It also caused disruptions to payment systems, with card payments failing in some locations, and affected customer support services, including call centers and order tracking. These are the “tanking sales, burning logistics, and torching shareholder value” that the frustrated attackers referenced – consequences triggered by the defense, not the attack itself.
A Tale of Two Retailers: Co-op vs. M&S
The Co-op incident provides a stark contrast when compared to the experience of another major UK retailer, Marks & Spencer (M&S), which reportedly faced a similar cyber incident just days prior. While Co-op's recovery operation took over two weeks, M&S's disruption began over the Easter weekend and, at the time of reporting, was still ongoing, with no full recovery in sight.
M&S has been less specific about the nature of its “cyber incident,” but sources cited by BleepingComputer suggested it was a ransomware attack, with the intrusion beginning as early as February and resulting in the theft of personal customer data. The prolonged impact on M&S, including suspended online orders and ongoing issues with stock and contactless payments in some outlets, underscores the difference a successful ransomware deployment makes. When systems are encrypted, the path to recovery is often significantly longer and more complex, typically involving restoring from backups (if they are clean and accessible) or, in some cases, controversially paying the ransom.
The comparison between Co-op and M&S serves as a powerful illustration of the value of a well-rehearsed incident response plan that prioritizes containment. While Co-op suffered disruption and a potential data breach, they avoided the full paralysis that ransomware can inflict, enabling a relatively faster path back to normal operations compared to the prolonged struggle reported by M&S.
Profiling the Alleged Attackers: DragonForce and Scattered Spider
The hackers claiming responsibility for the Co-op and M&S attacks identified themselves as being from the ransomware-as-a-service (RaaS) group DragonForce, stating they used the DragonForce encryptor. While their specific identities remain unconfirmed, cybersecurity researchers and sources speaking to BleepingComputer suggested they are likely affiliated with or members of the notorious Scattered Spider threat actor collective.
Understanding these groups is crucial to grasping the nature of the threat faced by retailers and other sectors. DragonForce operates on the RaaS model, meaning they develop or acquire ransomware tools and infrastructure, which they then lease or sell to affiliates. These affiliates carry out the actual attacks, and the RaaS operator typically takes a percentage of any successful ransom payment. This model lowers the barrier to entry for cybercriminals, allowing individuals or smaller groups to deploy sophisticated ransomware without needing the technical expertise to develop it themselves.
Scattered Spider, also known by various other monikers such as UNC3944, is not a single, monolithic gang but rather a loosely affiliated collective of threat actors. They are particularly known for their mastery of social engineering tactics. Their methods often involve:
- Phishing Attacks: Crafting convincing emails or messages to trick employees into revealing credentials or downloading malware.
- SIM Swapping: Taking control of a victim's mobile phone number by tricking their carrier into transferring it to a SIM card controlled by the attacker. This can bypass SMS-based multi-factor authentication (MFA).
- Multi-Factor Authentication (MFA) Bombing/Fatigue: Repeatedly sending MFA push notifications to a target's device in the hope that they will eventually accept one out of annoyance or confusion, thereby approving the attacker's login attempt.
- Help Desk Impersonation: Calling company help desks and impersonating employees to reset passwords or gain access to accounts.
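MFA bombing in particular leaves a distinctive trace in identity-provider logs: many push prompts to one account in a short window, most of them denied, followed by a single approval. The following added example (written for this article, not code from Co-op, Illumio or any vendor) runs that detection over constructed authentication events. The JSON-lines schema, the field names `ts`, `user`, `event` and `src_ip`, the event values `mfa_push_sent`, `mfa_push_denied` and `mfa_push_approved`, and the thresholds are assumptions; a real deployment would map them to the IdP's own log format.

```python
"""Detect MFA push-bombing ("MFA fatigue") in authentication logs.

Added example with constructed data. The log schema below is an
assumption (vendor-neutral), not any real identity provider's format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed tunables: a legitimate login rarely needs more than a handful
# of push prompts; more than PUSH_THRESHOLD prompts inside WINDOW is a burst.
PUSH_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def constructed_log():
    """Constructed sample: 8 prompts to a.smith in about 6.5 minutes, seven
    denied and the last one approved; plus one normal login for j.doe."""
    base = datetime(2025, 4, 22, 2, 1, 5, tzinfo=timezone.utc)
    recs = []
    for i in range(8):
        t = base + timedelta(seconds=55 * i)
        recs.append({"ts": t, "user": "a.smith", "event": "mfa_push_sent",
                     "src_ip": "203.0.113.10"})
        outcome = "mfa_push_approved" if i == 7 else "mfa_push_denied"
        recs.append({"ts": t + timedelta(seconds=4), "user": "a.smith",
                     "event": outcome, "src_ip": "203.0.113.10"})
    t = datetime(2025, 4, 22, 8, 30, 0, tzinfo=timezone.utc)
    recs.append({"ts": t, "user": "j.doe", "event": "mfa_push_sent",
                 "src_ip": "198.51.100.7"})
    recs.append({"ts": t + timedelta(seconds=6), "user": "j.doe",
                 "event": "mfa_push_approved", "src_ip": "198.51.100.7"})
    return "\n".join(json.dumps({**r, "ts": r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")})
                     for r in recs)


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware datetimes, time-sorted."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_bombing(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose densest run of push prompts within
    `window` exceeds `threshold`. An approval inside or shortly after the
    burst is the attacker's success condition, so it is rated critical."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        sends = [e for e in evs if e["event"] == "mfa_push_sent"]
        best = None  # (count, burst_start, burst_end)
        for i, s in enumerate(sends):
            in_window = [x for x in sends[i:] if x["ts"] <= s["ts"] + window]
            if best is None or len(in_window) > best[0]:
                best = (len(in_window), s["ts"], in_window[-1]["ts"])
        if best is None or best[0] <= threshold:
            continue
        count, start, end = best
        # Responses arrive a few seconds after their prompt, so look slightly
        # past the last prompt when attributing denials/approvals to the burst.
        tail = end + window
        denied = sum(1 for e in evs if e["event"] == "mfa_push_denied"
                     and start <= e["ts"] <= tail)
        approved = any(e["event"] == "mfa_push_approved"
                       and start <= e["ts"] <= tail for e in evs)
        alerts.append({
            "user": user,
            "prompts": count,
            "denied": denied,
            "approved": approved,
            "severity": "critical" if approved else "high",
            "window_start": start.isoformat(),
            "window_end": end.isoformat(),
            "src_ips": sorted({e["src_ip"] for e in evs
                               if start <= e["ts"] <= tail}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(constructed_log())):
        print(json.dumps(alert, indent=2))
```

A "high" alert (burst with no approval) is a sign the user is being targeted and is worth a phone call before the attacker tries the help desk instead; a "critical" alert should trigger immediate session revocation and a credential reset, because by then the attacker holds a valid session.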
Scattered Spider actors are known for their agility and ability to pivot between different initial access methods. They have been linked to high-profile ransomware operations, acting as initial access brokers or affiliates for groups like RansomHub and the now-disbanded BlackCat (ALPHV). Some reports suggest that members of Scattered Spider are relatively young, with some allegedly being teenagers who coordinate their activities on platforms like Discord, Telegram, and various hacker forums.
The alleged involvement of DragonForce/Scattered Spider in the Co-op and M&S incidents, alongside a reported attempted attack on luxury department store Harrods shortly after, indicates a focused targeting of the UK retail sector by these sophisticated actors. This follows other significant incidents, such as the November 2024 ransomware attack that disrupted Sainsbury's and Morrisons, which stemmed from a compromise of their shared supply chain software provider, Blue Yonder.
Why Retailers Are Prime Targets
The retail sector presents an attractive target for cybercriminals for several reasons:
- Vast Amounts of Customer Data: Retailers collect and store extensive personal and financial information, making them lucrative targets for data theft.
- Complex Supply Chains: Modern retail relies on intricate supply chains, often involving numerous third-party vendors. A compromise at any point in this chain can have cascading effects, as seen with the Blue Yonder incident.
- Dependency on IT Systems: Operations, from inventory management and logistics to point-of-sale systems and e-commerce platforms, are heavily reliant on IT infrastructure. Disrupting these systems can quickly halt business and cause significant financial losses.
- Payment Systems: Handling large volumes of transactions makes retailers targets for financial fraud and payment card data theft.
- Public Profile: High-profile attacks on well-known brands generate significant media attention, which some ransomware groups leverage for pressure tactics.
These factors create a fertile ground for ransomware attacks, where the potential for disruption and the value of the data held can increase the likelihood of a ransom payment.
Lessons Learned from the Co-op Incident
The Co-op cyberattack, particularly when contrasted with the M&S experience, offers valuable lessons for organizations across all sectors, but especially for those in retail and other critical infrastructure areas:
- Proactive Containment is Key: Co-op's decision to take systems offline, though disruptive, appears to have prevented the worst-case scenario of widespread ransomware encryption. Having a pre-defined, well-practiced incident response plan that includes steps for rapid containment and isolation of potentially compromised systems is crucial.
- Speed of Detection Matters: The ability to quickly detect malicious activity within the network is paramount. Early detection allows for faster containment, limiting the attackers' dwell time and their ability to move laterally, exfiltrate data, or deploy ransomware.
- Understand Your Critical Systems: Identifying and prioritizing critical business systems is essential for effective incident response. Co-op reportedly managed to keep some essential services running, suggesting they had a degree of segmentation or a clear understanding of which systems needed to be protected or restored first.
- Data Exfiltration is a Separate Threat: Even if ransomware is thwarted, data theft remains a significant risk. Organizations must focus on data security, including encryption, access controls, and monitoring for unusual data egress.
- Supply Chain Security is Vital: The Blue Yonder incident impacting Sainsbury's and Morrisons highlights the vulnerability introduced by third-party vendors. Organizations must vet their suppliers' security practices and understand the risks inherent in their supply chain.
- Prepare for Disruption: Even a successful defense can cause significant operational disruption. Business continuity and disaster recovery plans must account for scenarios where systems are intentionally taken offline or impaired.
- Know Your Adversaries: Understanding the tactics, techniques, and procedures (TTPs) of groups like Scattered Spider and RaaS operators like DragonForce can help organizations implement more effective defenses and detection mechanisms.
- Communication is Challenging but Necessary: Communicating effectively with customers, employees, and the public during a cyber incident is difficult but vital for maintaining trust and managing reputation.
Strengthening Retail Cybersecurity Defenses
To mitigate the growing threat, retailers and other businesses should focus on a multi-layered security strategy:
- Robust Access Controls and Authentication: Implement strong password policies, multi-factor authentication (MFA) for all critical systems and remote access, and the principle of least privilege. Given the SIM-swapping and push-fatigue tactics described above, prefer phishing-resistant MFA such as FIDO2 security keys over SMS codes and simple push approvals, and require in-person or strongly verified identity checks before help desk staff reset passwords or re-enrol MFA devices.
- Network Segmentation: Divide the network into smaller, isolated segments. This limits attackers' ability to move laterally if they breach one part of the network.
- Regular Backups and Recovery Plans: Implement a comprehensive backup strategy, ensuring backups are stored securely, offline or in an immutable state, and regularly tested for restoration.
- Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR): Deploy advanced security solutions on endpoints and across the network to detect and respond to malicious activity in real-time.
- Threat Intelligence: Stay informed about the latest threats, vulnerabilities, and TTPs used by relevant threat actors.
- Employee Training: Regularly train employees on cybersecurity best practices, including recognizing phishing attempts and the importance of reporting suspicious activity. Social engineering remains a primary vector for initial access.
- Incident Response Planning and Tabletop Exercises: Develop a detailed incident response plan and conduct regular tabletop exercises to simulate attacks and test the plan's effectiveness, involving relevant teams (IT, legal, communications, executive leadership).
- Vulnerability Management and Patching: Regularly scan for vulnerabilities and apply patches promptly to close known security gaps.
- Supply Chain Risk Management: Assess the cybersecurity posture of third-party vendors and establish clear security requirements in contracts.
- Data Security and Privacy: Implement measures to protect sensitive customer data, including encryption at rest and in transit, and comply with relevant data protection regulations (like GDPR in the UK/EU).
The UK government is also taking steps to enhance national cyber resilience, with proposals like the new Cyber Security and Resilience Bill aiming to tighten rules for critical infrastructure providers, which could include large retailers.
Conclusion
The Co-op cyber incident serves as a stark reminder that no organization is immune to the threat of sophisticated cyberattacks. While the potential data breach is concerning, Co-op's reported success in preventing the full deployment of ransomware through proactive measures offers a valuable lesson in resilience. The frustration expressed by the alleged attackers underscores the effectiveness of decisive containment strategies, even if they come at the cost of temporary operational disruption.
The involvement of groups like DragonForce and Scattered Spider highlights the evolving nature of cybercrime, characterized by RaaS models and sophisticated social engineering tactics. As the digital threat landscape continues to evolve, the ability of organizations to detect threats early, respond rapidly and effectively, and prioritize the protection of critical assets will be paramount in mitigating the impact of future attacks. The Co-op case, while challenging for the retailer and its customers, provides a real-world example of how preparedness and swift action can make a critical difference in the face of a determined adversary.