Secarma
May 8 2025
Retailers like M&S and Co-op have recently been targeted by ransomware attacks - shining a spotlight on common weaknesses in modern infrastructure. In this blog, one of our penetration testers takes you behind the headlines to uncover what really makes retailers vulnerable, and how you can defend against it.
Retailers v Ransomware: Lessons from the Front Lines
Organisations have been facing ransomware threats since 1989, when the first recorded ransomware, the PC Cyborg (AIDS) Trojan, was distributed on some 20,000 floppy disks mailed to delegates of the World Health Organisation's AIDS conference. After a set number of reboots it hid directories and encrypted file names on the victim's hard drive, and victims were asked to send $189 to a PO box in Panama to regain access to their files.
Since then, ransomware attacks have grown in severity, complexity, and frequency, becoming one of the biggest cyber threats modern organisations face. M&S and Co-op are among the latest retailers to be hit by a suspected ransomware attack in April 2025, but they are far from alone - many other well-known organisations have suffered high-profile ransomware incidents since the technique's inception.
Success rates vary, but studies show that over half of breached UK organisations have paid ransom demands, only to be targeted again by the same threat actors. Clearly, ransomware isn't disappearing anytime soon, nor is it losing popularity among cybercriminals. If ransomware attacks are expected to persist, organisations must understand the threat and adopt stronger defences against it.
Why Retailers Are Prime Targets
To begin with, it's crucial to examine what threat actors target when attacking retailers. Many organisations operate with a limited number of external-facing systems, but retailers also depend on large fleets of point-of-sale (POS) systems - the checkout terminals and self-checkout devices used every day. While convenient, POS systems are numerous, physically accessible to the public and spread across many stores, which increases exposure of an organisation's network and sensitive data, especially if they run insecure software or unsupported operating systems.
POS systems are deeply integrated into inventory databases, payment processors, and customer loyalty programs - making them valuable attack points. If cybercriminals successfully exploit a vulnerable POS, they gain a foothold that can be used to launch a ransomware attack, steal sensitive data, and disrupt operations. Securing POS infrastructure is critical to preventing escalation.
Beyond POS Security: Internal Weaknesses
Strengthening POS systems alone isn't enough to defend retailers from ransomware. The recent M&S attack highlights how internal security misconfigurations can facilitate ransomware attacks. Reports suggest that threat actors obtained the NTDS.dit file - the Active Directory database, which stores every domain user account and its password hash - enabling them to take over high-privileged accounts and execute ransomware across the network.
Understanding how attackers operate helps organisations anticipate potential threats, but the focus should be on preventative action. To reduce ransomware risk, organisations must follow modern security practices, including:
- Training employees to identify social engineering and phishing attempts.
- Implementing secure file transfer policies to reduce the likelihood of malware execution.
- Using strong password policies and multi-factor authentication.
- Performing periodic security assessments and adversary simulations to observe how the organisation would respond to these threats.
Network Segmentation: A Key Defence
No defence is 100% effective, and a persistent threat actor may eventually succeed in running malware within a target environment. However, properly implemented network segmentation can severely limit an attack’s impact - or neutralize it entirely.
Take a scenario where a cybercriminal aims for full domain compromise - without segmentation, they could gain broad access across systems. But with strong network isolation, their breach could result in nothing more than controlling a smart fridge in a garage. If that fridge is segmented from critical systems, the worst outcome might be melting someone's ice cream rather than compromising an entire network.
When segmentation is weak, organisations are left relying on host and domain configuration alone, and must ensure no privilege escalation paths exist. In the M&S attack, reports suggest that security misconfigurations made it possible to extract the NTDS.dit file, which ultimately led to the ransomware deployment.
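The NTDS.dit extraction described above and in the earlier section is detectable, because the file is locked while Active Directory is running and attackers have to go through a handful of well-known routes: an ntdsutil "Install From Media" export, a volume shadow copy (vssadmin, wmic or diskshadow) that ntds.dit is then copied out of, or esentutl's /vss copy mode. The following is an added example written for this article, not code from the original post or from any incident response: it runs those detections over constructed Windows Security Event ID 4688 (process creation, command-line auditing enabled) records and flags hosts where more than one step of the chain fired. Host names, account names and event contents are all made up for the example.

```python
"""
Detecting NTDS.dit extraction in Windows process-creation telemetry.

Added example for this article (not code from the original post). The
events below are constructed for the example, not taken from any real
incident. Field names follow Security Event ID 4688.
"""
import re
from dataclasses import dataclass

# (rule name, regex over the normalised command line, why it matters).
# Ordered most specific first; an event is reported under its first match.
DETECTION_RULES = [
    ("ntdsutil_ifm",
     r"\bntdsutil(\.exe)?\b.*\bifm\b",
     "ntdsutil Install From Media writes ntds.dit and the SYSTEM hive to disk"),
    ("vss_shadow_create",
     r"\b(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?)\b",
     "shadow copy creation allows the locked ntds.dit to be copied"),
    ("shadow_copy_ntds_read",
     r"harddiskvolumeshadowcopy\d+\\windows\\ntds",
     "ntds.dit read from a shadow copy path"),
    ("esentutl_vss_copy",
     r"\besentutl(\.exe)?\b.*/vss\b.*ntds\.dit",
     "esentutl /vss copies the live ntds.dit through a shadow copy"),
    ("ntds_dit_reference",
     r"\bntds\.dit\b",
     "other command line naming ntds.dit"),
]
COMPILED_RULES = [(name, re.compile(pattern), why) for name, pattern, why in DETECTION_RULES]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command_line: str
    rationale: str


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so the regexes are case- and spacing-insensitive."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def detect(events):
    """Return one Alert per event whose command line matches a rule (first match wins)."""
    alerts = []
    for event in events:
        cmd = normalise(event.get("CommandLine", ""))
        for name, regex, why in COMPILED_RULES:
            if regex.search(cmd):
                alerts.append(Alert(name, event["Computer"], event["SubjectUserName"],
                                    event["CommandLine"], why))
                break
    return alerts


def suspicious_hosts(alerts, min_distinct_rules=2):
    """Hosts where two or more distinct techniques fired. The classic chain
    (create a shadow copy, then copy ntds.dit out of it) shows up here even
    when each step on its own might be explained away as admin activity."""
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_distinct_rules}


# Constructed sample telemetry (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01.retail.local", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'},
    {"EventID": 4688, "Computer": "DC01.retail.local", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01.retail.local", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"EventID": 4688, "Computer": "DC02.retail.local", "SubjectUserName": "admin.jsmith",
     "NewProcessName": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit"},
    # Benign noise: listing shadows and an unrelated tool must not alert.
    {"EventID": 4688, "Computer": "DC01.retail.local", "SubjectUserName": "admin.jsmith",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe list shadows"},
    {"EventID": 4688, "Computer": "POS-0412.retail.local", "SubjectUserName": "posuser",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\notes.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
    print("hosts with multi-step extraction activity:", sorted(suspicious_hosts(found)))
```

Two caveats for anyone turning this into a production rule. First, the same commands are used legitimately for AD backups and for domain controller promotion, so tune by allow-listing known backup accounts and change windows rather than by weakening the patterns. Second, this only covers on-disk extraction: a DCSync attack pulls the same hashes over the replication protocol, never touches ntds.dit on the domain controller's disk, and has to be detected separately through directory service access auditing (Event ID 4662) and replication-right assignments.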
Strengthening Retail Cybersecurity
To combat ransomware, more professional cybersecurity services are emerging - offering:
- Network segmentation testing to identify weaknesses.
- Privilege escalation assessments to minimize high-risk misconfigurations.
- Comprehensive adversary simulations following the MITRE ATT&CK framework - allowing organisations to replicate an attack, assess responses, and strengthen defences before a real breach occurs.
This level of assurance testing enables retailers to understand their vulnerabilities and improve response strategies, ultimately reducing the likelihood of a successful ransomware attack.
Final Thoughts
Ransomware isn’t going away, nor is it becoming less effective. To close, I want to reference a quote that perfectly encapsulates the ongoing cybersecurity battle:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”― Sun Tzu, The Art of War.
This quote sums up the modern world vs organised cybercriminals - until organisations truly understand how attackers operate, their tactics, and how to respond, cybercriminals will maintain the upper hand in the ransomware war for years to come.
Ready to understand how ransomware could target your business?
We offer hands-on testing, configuration reviews, and red team simulations designed to reveal weaknesses before attackers do.
📞 Talk to a security consultant today:
+44 (0)161 513 0960
✉️ actnow@secarma.com
Or explore our services:
🔗 Red Teaming
🔗 Cloud & Configuration Reviews
🔗 Cyber Security Maturity Assessment
Want to dig deeper?
Start with one of our free tools designed to help you identify your weakest link before an attacker does:
Take the Cyber Security Quick Check – a short, practical assessment to get a pulse on your organisation’s current defences.
Download our Weakest Link guide – full of actionable insights to strengthen overlooked areas of your security posture.