When the cash register stops: the attack that paralyzed M&S
In April 2025, Marks & Spencer (M&S), one of the largest retail chains in the world with operations in dozens of countries, was the target of a large-scale ransomware attack attributed to the group DragonForce. According to publicly released information, the incident took down card payment systems, inventory management, cash operations in hundreds of physical stores, and suspended online shopping for more than three consecutive weeks. Estimated operational losses exceeded £300 million, about R$ 2.2 billion, and personal data of millions of customers, including names, addresses, and purchase history, was exposed.
The case gained widespread international attention not only because of the scale of the losses but also due to the duration of the shutdown. Weeks without online sales, lines and confusion in physical stores, suppliers without communication, and customers without access to their accounts. A company with billion-dollar resources and dedicated IT teams was brought to its knees for weeks on end.
And here arises the question that every business manager should ask: if a network of this size took weeks to recover, how long would it take my company?
What this attack means for smaller companies
It is natural to think that attacks of this magnitude are exclusive to large corporations. In practice, the opposite happens. Small and medium-sized enterprises (SMEs) are preferred targets of ransomware exactly because they tend to have fewer layers of protection, reduced or non-existent IT teams, and backups that have never been truly tested. According to data collected on trends in cyberattacks using artificial intelligence, attacks are becoming increasingly automated and targeted, which reduces operational costs for criminals and increases the volume of targets hit simultaneously.
In the case of a cyberattack on retail, the impacts are immediate and brutal: cash registers that do not process payments, inventory that does not update, online orders that disappear, customers who cannot be served. For a company with 10 to 200 employees, two or three days in this condition can already compromise the cash flow for the entire month. A week can be irreversible.
The retail, food, and general commerce sector is especially vulnerable because it operates with interconnected systems, a high volume of transactions, and sensitive customer data, three elements that make the attack surface broad and attractive to groups like DragonForce. Cybersecurity for supermarkets and retailers is still treated as a secondary cost in many SMEs, when it should be seen as critical infrastructure, as important as the refrigeration system or the point of sale system.
Another little-discussed point: when customer data is exposed, the consequences go beyond operational issues. There are legal notification obligations (the LGPD in Brazil and equivalent regulations in the US require swift action), potential regulatory fines, and, most importantly, damage to consumer trust that takes months or years to rebuild.
What to do to avoid making headlines
The good news, and there is some, is that most successful ransomware attacks exploit known and avoidable vulnerabilities. Ransomware rarely enters and detonates immediately. There is a period of internal movement within the systems, called lateral movement, during which the attacker maps the network, escalates privileges, and positions the malware before activating it. This window can last for days or even weeks, and it is precisely during this window that an active monitoring framework can identify and interrupt the attack before actual damage occurs.
The capabilities that make a difference in practice include:
- Continuous 24/7 monitoring: real-time alerts for anomalous behaviors on the network, such as after-hours access, large data transfers, or attempts at privilege escalation.
- EDR (Endpoint Detection and Response): advanced protection on devices that goes beyond traditional antivirus, capable of identifying behavioral threats even without a known signature.
- Updated patch management: a large portion of attacks enter through vulnerabilities that have already been fixed by software manufacturers but were never applied in the company. Keeping systems updated closes this door.
- Tested recovery backup: having a backup is not enough. It is necessary to know, for sure, that it works. Regular restoration tests ensure that, in the event of an attack, the recovery time is measured in hours, not weeks.
- Network segmentation: separating critical systems (such as POS, inventory, and finance) into isolated segments limits the blast radius of a potential attack, preventing it from spreading throughout the entire infrastructure.
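As an added illustration of the monitoring item above (not code from the original article or from any vendor product), the sketch below flags the three behaviours named in the list and escalates any account that shows more than one of them, since a single signal is usually noise while a combination is what the lateral movement window looks like. The log format, event names, account names, working hours and transfer threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): timestamp, account, host, event, value.
SAMPLE_EVENTS = """\
2025-04-14T09:12:00 maria pos-01 login 0
2025-04-14T10:05:00 maria pos-01 transfer_out 12000000
2025-04-15T02:41:00 svc_backup inv-db login 0
2025-04-15T02:47:00 svc_backup inv-db admin_group_add 0
2025-04-15T03:10:00 svc_backup inv-db transfer_out 400000000
2025-04-15T03:25:00 svc_backup inv-db transfer_out 350000000
2025-04-15T22:30:00 joao fin-02 login 0
"""

BUSINESS_HOURS = range(7, 20)   # assumed working hours, 07:00 to 19:59
TRANSFER_LIMIT = 500_000_000    # assumed outbound bytes per account per day


def parse(text):
    """Yield (datetime, account, host, event, value) from the sample format."""
    for line in text.splitlines():
        ts, account, host, event, value = line.split()
        yield datetime.fromisoformat(ts), account, host, event, int(value)


def detect(text):
    """Return {account: sorted signals} for the three behaviours in the list."""
    signals = defaultdict(set)
    daily_out = defaultdict(int)  # running outbound total per (account, day)
    for ts, account, host, event, value in parse(text):
        if event == "login" and ts.hour not in BUSINESS_HOURS:
            signals[account].add("after_hours_access")
        elif event == "admin_group_add":
            signals[account].add("privilege_escalation")
        elif event == "transfer_out":
            daily_out[(account, ts.date())] += value
            if daily_out[(account, ts.date())] > TRANSFER_LIMIT:
                signals[account].add("large_transfer")
    return {a: sorted(s) for a, s in signals.items()}


def triage(text):
    """Two or more distinct signals on one account escalate; one is review-only."""
    return {a: ("escalate" if len(s) >= 2 else "review")
            for a, s in detect(text).items()}


if __name__ == "__main__":
    for account, level in triage(SAMPLE_EVENTS).items():
        print(account, level, detect(SAMPLE_EVENTS)[account])
```

Note that neither of the two transfers by the service account crosses the threshold alone; only the per-day running total does, which is why the check is cumulative.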
A well-structured business continuity plan (BCP) complements these technical layers, ensuring that the team knows exactly what to do in the first hours of an incident, whom to contact, and which systems to prioritize for restoration.
Strategic question for the decision-maker
If tomorrow morning your company's systems woke up encrypted, how long would it take you to resume operations, and how much would it cost?
This answer should be documented, tested, and known by all company leadership before the question becomes real. A managed IT provider with 24/7 monitoring capability, active EDR, patch management, and regularly tested backup recovery transforms this answer from uncertain to concrete. Instead of weeks of downtime and million-dollar losses, the scenario shifts to containment in hours and controlled restoration, with clear communication to customers, suppliers, and the team.
Ransomware protection is no longer a matter of company size. It is a matter of preparedness. And the right preparedness, with the right layers, is within reach of SMEs of all sizes. The case of M&S is a heavy reminder, but it is also an opportunity to review, strengthen, and act before the unexpected arrives.
References
- World Economic Forum, 2026 Cyberthreats to Watch and Other Cybersecurity News
- All About AI, AI Cyberattack Statistics and Trends
Want to know if your company would be prepared for a scenario like M&S? Talk to the Zamak team at zamakt.com/contactus and schedule a complimentary Initial Consultation, with no obligation.