“Everything I have heard points towards these attacks starting with an old chestnut”

When it comes to icons of the British high street, they don’t come much bigger than Marks & Spencer. Even if you aren’t a lady of a certain age keen on getting a new girdle at the same time as buying some expensive tomatoes, the fact that M&S has been hit by ransomware attackers should worry you. Especially when another huge name in retail, the Coop, fell to the same attackers soon after. It remains unclear if the same group was responsible for both, although it does appear to have made that claim.

The final member of this very British retail trio, Harrods, has said that it was also targeted, but a spokesperson confirmed it “immediately took proactive steps to keep systems safe” by restricting internet access to impacted sites.

I'm taking the unusual step of devoting my entire column this month to these attacks. In particular, investigating the group behind them and the methods employed, and sharing mitigation advice that stretches beyond the retail sector to help prevent all organisations becoming another ransomware victim.

The attacks...

We will, no doubt, have to wait many months for the results of the ongoing official investigations by the stores and law enforcement to become public. Even then, I can’t predict the level of technical disclosure. That doesn’t stop me from conducting some investigative digging of my own, with the help of industry colleagues, and getting a reasonably good idea of what happened in terms of attack methodology.

So let’s start there, shall we? Everything I have heard has pointed towards these ransomware attacks starting with an old chestnut. One that has become the vinegar-soaked, oven-baked, resin-coated conker of initial access tactics: the IT helpdesk impersonation scam.