In recent months, a wave of cyberattacks targeting retail enterprises in the UK has highlighted a disturbing trend: attackers are evolving beyond traditional malware and ransomware campaigns.
A new class of adversaries—young, well-coordinated, English-speaking cybercriminal collectives—is redefining how high-value intrusions are executed. Their tactics blend technical expertise with advanced social engineering, resulting in devastating consequences for even the most mature enterprises.
This blog unpacks the adversary tactics, their attack paths, and most importantly, what every retail organisation must do to stay ahead.
Who Are These Adversaries?
Recent attack patterns point to a group often dubbed by the threat intel community as Scattered Spider (aka UNC3944, Muddled Libra). These groups operate in loose affiliate models, often leveraging a Ransomware-as-a-Service (RaaS) group, most likely DragonForce, enabling white-labelled ransomware-based extortion campaigns.
How did they break in?
The weakest link in every enterprise is its people. These adversaries are not relying on brute-force tools or vulnerability exploits; they exploit trust to gain initial access, then escalate privileges, move laterally inside the network and encrypt critical systems.
Adversary Tactics & Techniques
Below are the predicted TTPs leveraged by the threat actor.
Initial Access
- Mainly through social engineering and various forms of phishing such as smishing (SMS phishing) and vishing (voice phishing), wherein they impersonate an IT administrator to perform a password reset.
Account Discovery
- With the reset password and username in hand, adversaries persist using valid accounts. Those valid accounts are then leveraged to perform account discovery.
Credential Access
- Scattered Spider uses MFA fatigue attacks, wherein end users receive repeated MFA push requests until one is approved, thereby defeating MFA protection.
- Once they gain access to privileged accounts, adversaries dump the Active Directory database file (NTDS.dit) from the domain controller. The database holds password hashes, which the adversaries crack offline using Hashkiller and similar methods to obtain accounts for lateral movement.
Lateral Movement
- Adversaries move laterally across the network with the cracked passwords, using existing remote access systems to reach critical systems.
Privilege Escalation
- As the adversaries also have access to the VMware hypervisors, they gain domain- and infrastructure-level access through valid domain accounts, pass-the-hash, or Windows admin shares.
Data Exfiltration
- While the NTDS.dit file itself is exfiltrated, broader data exfiltration is also possible. However, this has not yet been officially confirmed.
Impact
- Scattered Spider deployed DragonForce ransomware on the VMware systems, encrypting them and resulting in widespread outages.
The diagram below gives a possible visual mapping of the tactics and techniques in the approximate order of the ATT&CK sequence.
What does the Attack Chain reveal?
While initial access is through phishing, there are multiple layers of security controls within NIST's PROTECT and DETECT functions that adversaries must traverse before performing their final act. That final act could be data exfiltration or data encryption, depending on the adversaries' motives. Even nation-state attackers and APTs leave multiple breadcrumbs before the final act happens.
Impact on the organisations:
The implications of such an attack aren’t limited to technical recovery. Organisations face:
- Revenue loss from operational disruption
- Market capital impact in publicly listed entities
- Prolonged recovery of business-critical applications
At the time of writing, we still do not have full details of the impact on the organisations, as this is an ongoing activity.
Recommendations:
Tactical Recommendations for Enterprises
Protect
- Harden identity verification at helpdesk: Block external impersonation attempts via communication platforms like Teams or Slack.
- Implement FIDO2-based MFA (phishing-resistant, passwordless).
- Enforce Privileged Access Management (PAM) with:
  - Vaulting of domain admin credentials
  - Password rotation
  - Session recording
Detect
- Tune SIEM to detect:
  - AD database dumping (e.g., access to ntds.dit)
  - Unusual access patterns, using Windows Event IDs 4688 (process creation), 4624 (logon) and 4672 (special privileges assigned)
- Deploy User & Entity Behavior Analytics (UEBA)
- Monitor for MFA fatigue patterns and brute force anomalies
- Perform East-West traffic monitoring
- Integrate ITDR (Identity Threat Detection & Response) for Identity based attacks
- Roll out phishing simulation and training
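As an added example (not code from the original post, nor Mastek's own detection content), the Python sketch below shows the shape the SIEM tuning above can take when run over a few constructed Windows Security events and MFA push records: a 4688 rule that flags command lines referencing ntds.dit, a 4624/4672 correlation that flags privileged remote logons on hosts outside a known admin-workstation allow-list, and an MFA fatigue rule that flags a burst of push prompts ending in an approval. The event field names, thresholds, host names, accounts and timestamps are all assumptions made for the example.

```python
# Added example (not from the original blog): minimal detection logic for the
# Detect recommendations above. Event schema, sample values and thresholds are
# assumptions; a real SIEM would feed Windows Security events and identity
# provider sign-in logs into rules of this shape.
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime(2025, 5, 1, 2, 0, 0)  # constructed base timestamp

# Constructed Windows Security events (4688 process creation, 4624 logon,
# 4672 special privileges assigned), reduced to the fields the rules need.
WIN_EVENTS = [
    {"event_id": 4688, "time": T, "host": "DC01", "user": "CORP\\svc-backup",
     "command_line": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit \\\\fileserv\\share\\"},
    {"event_id": 4688, "time": T, "host": "WS-17", "user": "CORP\\jdoe",
     "command_line": "notepad.exe C:\\notes.txt"},
    {"event_id": 4624, "time": T, "host": "DC01", "user": "CORP\\svc-backup",
     "logon_type": 10, "src_ip": "10.20.30.40"},
    {"event_id": 4672, "time": T + timedelta(seconds=5), "host": "DC01",
     "user": "CORP\\svc-backup"},
    {"event_id": 4624, "time": T + timedelta(hours=1), "host": "ADMIN-PAW",
     "user": "CORP\\da-admin", "logon_type": 10, "src_ip": "10.1.1.5"},
    {"event_id": 4672, "time": T + timedelta(hours=1, seconds=2), "host": "ADMIN-PAW",
     "user": "CORP\\da-admin"},
    {"event_id": 4624, "time": T, "host": "WS-17", "user": "CORP\\jdoe",
     "logon_type": 2, "src_ip": "-"},
]

# Constructed MFA push log: five rejected or expired prompts, then an approval.
MFA_EVENTS = [{"user": "jdoe", "time": T + timedelta(minutes=i), "result": r}
              for i, r in enumerate(["denied", "denied", "timeout",
                                     "denied", "timeout", "approved"])]
MFA_EVENTS.append({"user": "asmith", "time": T, "result": "approved"})


def detect_ntds_dump(events):
    """Flag 4688 events whose command line references the AD database file.
    The NTDS service is the only legitimate reader of ntds.dit, so any other
    process naming it (or running ntdsutil's IFM export) deserves an alert."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        cmd = e.get("command_line", "").lower()
        if "ntds.dit" in cmd or ("ntdsutil" in cmd and "ifm" in cmd):
            hits.append((e["host"], e["user"], e["command_line"]))
    return hits


def detect_privileged_remote_logons(events, allowed_hosts=(), window=timedelta(minutes=2)):
    """Correlate network/RDP logons (4624, logon type 3 or 10) with a 4672
    special-privilege assignment for the same user on the same host within
    `window`, ignoring hosts on the admin-workstation allow-list."""
    priv = [e for e in events if e["event_id"] == 4672]
    alerts = []
    for e in events:
        if e["event_id"] != 4624 or e.get("logon_type") not in (3, 10):
            continue
        if e["host"] in allowed_hosts:
            continue
        for p in priv:
            if (p["user"] == e["user"] and p["host"] == e["host"]
                    and abs(p["time"] - e["time"]) <= window):
                alerts.append((e["user"], e["host"], e["logon_type"], e.get("src_ip")))
                break
    return alerts


def detect_mfa_fatigue(mfa_events, threshold=5, window=timedelta(minutes=10)):
    """Flag a user who receives at least `threshold` push prompts within
    `window` where the burst ends in an approval: the signature of a user
    finally accepting a prompt they did not initiate."""
    by_user = defaultdict(list)
    for m in sorted(mfa_events, key=lambda m: m["time"]):
        by_user[m["user"]].append(m)
    flagged = []
    for user, prompts in by_user.items():
        for i, m in enumerate(prompts):
            if m["result"] != "approved":
                continue
            recent = [x for x in prompts[:i + 1] if m["time"] - x["time"] <= window]
            if len(recent) >= threshold:
                flagged.append((user, len(recent), m["time"]))
                break
    return flagged


def run_all():
    """Run all three rules over the constructed samples and return the findings."""
    return {
        "ntds_dump": detect_ntds_dump(WIN_EVENTS),
        "privileged_remote_logon": detect_privileged_remote_logons(
            WIN_EVENTS, allowed_hosts=("ADMIN-PAW",)),
        "mfa_fatigue": detect_mfa_fatigue(MFA_EVENTS),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, findings)
```

Each rule is deliberately narrow: the ntds.dit rule keys on the file name rather than on a specific tool, the logon correlation relies on an allow-list of admin workstations so that routine privileged work on a PAW stays quiet, and the MFA rule only fires when the burst ends in an approval, which is the moment a responder actually needs to act on.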
Respond & Recover
- Conduct regular Tabletop Exercises simulating ransomware attacks
- Perform Red Teaming and Breach & Attack Simulation
- Invest in Dark Web Monitoring as a Service to detect early chatter about stolen credentials or impending attacks
Strategic Recommendations for Enterprises
- Build a Zero Trust framework - remove reliance on perimeter-based defences
- Build micro-segmentation: create isolated network segments and minimise the enterprise attack surface
- Introduce Continuous Threat Exposure Management (CTEM) to model attack paths and prioritise fixes
- Deploy Cyber Recovery Vaults for clean backups
What Forward-Thinking Security Leaders Must Do
Today’s adversaries are blending social engineering with technical escalation in a way that can bypass even the most advanced EDR platforms. This is not just a cyber risk—it’s an enterprise risk. Work on the premise of “assume breach” across your enterprise.
Proactive CISOs must:
- Shift from compliance-led to threat-led security programs
- Break silos between identity, infrastructure, and application security
- Enable early detection through contextual signals (identity + behaviour + asset criticality)
How Mastek Can Help
- Conduct enterprise risk assessments aligned to ISO 27001, DORA, NIST CSF
- Offer Dark Web Monitoring as a Service, including takedown assistance
- Build custom threat detection content for SIEM/SOAR
- Implement Zero Trust Architecture, SSO/MFA, and CTEM programs
- Simulate real-world ransomware events and prepare your cyber recovery posture
Final Word
It’s no longer a question of if you’ll be targeted—but whether you’ll be prepared enough to detect and disrupt the breach before it escalates. These attacks are not random. They are intelligent, socially aware, and financially devastating.
Now is the time to upgrade your defence posture, validate your assumptions, and harden your environment—because the next breach is already in someone’s inbox.