Marks & Spencer (M&S), a prominent UK retailer, fell victim to a coordinated ransomware attack linked to the DragonForce cartel and its affiliate Scattered Spider. The incident involved the deployment of DragonForce-built ransomware, leveraging Conti’s leaked source code with advanced encryption (ChaCha20 + RSA) and network-spreading capabilities via SMB. The attack targeted both local and shared network storage, with operators threatening to delete decryptors and leak stolen data if ransom demands were unmet by deadlines (September 2 and 22).The breach disrupted M&S’s operations, risking customer data exposure, financial fraud, and reputational damage due to media coverage. DragonForce’s cartel model—recruiting affiliates like Devman and Scattered Spider—amplified the attack’s sophistication, combining initial access tactics with aggressive data exfiltration. While the full scope of compromised data (e.g., payment details, personal records) remains undisclosed, the incident aligns with DragonForce’s pattern of high-impact extortion, including threats to publish sensitive information. The attack underscores the escalating risks posed by ransomware-as-a-service (RaaS) ecosystems, where collaborative cybercriminal groups exploit enterprise vulnerabilities for maximal disruption and profit.