Ransomware Groups Allegedly Breach IT Networks, Stealing Data from UK Retailers

May 6, 2025 - 05:09

A notorious ransomware group dubbed DragonForce has claimed responsibility for a series of cyber attacks targeting major UK retailers, with Co-op now confirming a significant data breach affecting its membership database.

The attacks, which also targeted Marks & Spencer and Harrods, highlight escalating threats against the retail sector and have prompted government warnings about cybersecurity priorities.

Co-op has admitted that hackers “accessed and extracted data from one of our systems” containing “information relating to a significant number of our current and past members”. 

DragonForce Leaks Co-op Customer Database

The retailer initially downplayed the incident, stating it was having only a “small impact” on operations. 

However, the DragonForce ransomware group contacted the BBC with evidence of the breach, sharing databases containing membership card numbers, names, addresses, emails, and phone numbers of customers.

“This data includes Co-op Group members’ personal data such as names and contact details, and does not include members’ passwords, bank or credit card details, transactions or information,” Co-op clarified in its statement.

Security experts believe the attackers used sophisticated social engineering techniques to gain initial network access. 

The hackers likely posed as IT helpdesk staff to trick employees into revealing credentials or authentication codes. After gaining access, they targeted the company’s Active Directory database (NTDS.dit), which stores encrypted credentials for all domain users.

Once sufficient privileges were obtained, the attackers prepared for full system encryption. 

DragonForce affiliates typically employ a technique called “Bring Your Own Vulnerable Driver” (BYOVD) to disable security software by loading legitimate but vulnerable kernel drivers.

To prevent system recovery, the attackers likely deleted Volume Shadow Copies, hindering data recovery efforts and increasing pressure to pay the ransom.

Multiple UK Retailers Under Attack

DragonForce has also claimed responsibility for the ongoing attack on Marks & Spencer, which has disrupted online sales and in-store operations, and an attempted breach at Harrods. 

M&S’s compromise reportedly began as early as February 2025, with attackers quietly extracting password hashes and re-entering the network over subsequent weeks using legitimate Windows logins.

The ransomware group operates a “cartel” model, recruiting affiliate hackers who receive 80% of any ransom payments while DragonForce provides the infrastructure, leak site, and payment negotiation services.

Co-op is currently working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the breach. 

In response to these incidents, Cabinet Office Minister Pat McFadden will deliver a keynote speech at the CyberUK conference emphasizing that “companies must treat cyber security as an absolute priority”.

Co-op has implemented additional security measures, including requiring staff to keep cameras on during remote meetings and verify all participants to prevent hackers from infiltrating calls. 

The company has disabled remote access and restricted some IT systems. This series of attacks highlights the evolving threats retailers face.

As DragonForce continues to operate its ransomware-as-a-service model, security experts warn that similar attacks are likely to increase, particularly against organizations with valuable customer databases and potentially vulnerable IT infrastructure.

The post Ransomware Groups Allegedly Breach IT Networks, Stealing Data from UK Retailers appeared first on Cyber Security News.