Cybercriminal Trends and Tactics

For CISOs and business decision-makers, the M&S breach provides several critical lessons about modern cybercriminal motivations and methods. Analysing this incident yields insight into how threat actors are evolving their tactics – and what defenses are most relevant – in 2025 and beyond. Below are key takeaways:

1. Big-Game Ransomware: High Stakes for High Rewards. The attackers went after a prominent target (M&S) knowing that a successful breach would cause maximum business disruption, thereby pressuring the victim to pay a large ransom. This “big-game hunting” approach to ransomware has become standard – criminal gangs choose targets likely to suffer “narrow and deep” impacts that are extremely costly. The retail attacks were estimated to have a total impact up to $592 million, illustrating how lucrative such campaigns can be. The motivation is overwhelmingly financial; even groups with ideological roots (like DragonForce) have pivoted to extortion because the payoff is so high. For CISOs, this underscores that if your organisation is critical to the supply chain or economy, you are a prime target – and you must plan for the worst-case scenario where criminals aim to cripple operations to extort money. Business continuity planning (with backups, failover systems, etc.) is therefore as important as traditional perimeter security.

2. Social Engineering Mastery: Humans are the Weakest Link. The M&S attack vividly demonstrated that sophisticated hackers often bypass technical defenses by targeting human behavior. Posing as trusted IT staff, the attackers exploited human trust to gain initial access. They carefully crafted phishing lures and phone personas, even possibly using AI-driven voice cloning to sound convincing. This trend of AI-powered social engineering is accelerating – attackers can now clone voices and generate personalised phishing messages at scale, making scams harder to spot. Impersonation of helpdesks and support channels is a particularly effective tactic (sometimes called “vishing” or voice-phishing). CISOs should ensure robust verification procedures for any password resets or sensitive requests (e.g., using callback verification or secondary channels). Regular security awareness training is crucial – employees must be drilled to verify identities and spot red flags, even if a request comes from someone claiming to be “IT support”. The old adage holds: trust, but verify.

3. Supply Chain and Third-Party Risk: Hitting One to Breach Many. The entry point through a third-party supplier in the M&S case highlights how attackers target interconnected business ecosystems. By compromising one vendor (TCS), the hackers managed to affect two large retailers at once. This is a classic supply chain attack strategy – breach a smaller partner with weaker security to leapfrog into a bigger prize. We’ve seen this in other contexts (e.g., software supply chain attacks), and it’s now clearly a threat in operational vendor relationships too. CISOs must treat third-party access as an extension of their attack surface. It’s essential to vet vendors’ security practices, limit the access privileges of supplier accounts, and continuously monitor that access for anomalies. In fact, the CMC explicitly noted the need for understanding retailers’ third-party risk exposure, likely how these incidents began. We should assume that attackers will probe our suppliers and contractors for any weak links. Thus, strategies like requiring multi-factor authentication for all vendor logins, conducting periodic security assessments of key suppliers, and having contractual security requirements are increasingly standard. Shared fate means shared responsibility – your partners’ cybersecurity must be scrutinised as closely as your own.

4. Multi-Stage Extortion: Data Theft Ups the Ante. Modern ransomware incidents are not just about encrypting files; they often involve stealing sensitive data and threatening to leak it. The M&S/Co-op attackers exfiltrated customer and employee data, turning the breach into a data breach incident as well. This tactic (dubbed “double extortion”) is intended to pressure victims into paying even if they can restore from backups, because a public data leak would cause further damage. For CISOs, this means that data loss prevention and encryption of data at rest are important mitigations. It’s also a reminder that incident response must include not just IT restoration but also crisis communications and legal preparedness for a potential data breach disclosure. In the M&S case, notifying millions of customers and supporting them (e.g., with forced password resets and credit monitoring if needed) became a huge part of the response. Being prepared for that scenario – with pre-drafted customer communications and a PR strategy – is now a necessity.

5. Focused Targeting: Sector-Wide Campaigns and Hacker Playbooks. The events of spring 2025 revealed that attackers may focus on one industry at a time, reusing successful techniques. Scattered Spider hit multiple UK retailers in succession, then reportedly shifted attention to U.S. retailers and later to the insurance sector. They develop a “playbook” for a specific vertical – understanding common systems, likely vulnerabilities, and even industry lingo to better deceive employees. For retail, this might include knowledge of point-of-sale networks, e-commerce platforms, and distribution systems. The implication for CISOs is that threat actors are learning and adapting per industry. Information sharing within your industry becomes crucial to stay ahead of the attackers’ curve. If a peer organisation is hit, it’s likely not an isolated incident – assume those same attackers may try similar techniques on you. Engage with industry ISACs or trust groups to swap intel in real time. In essence, we must be as collaborative as the attackers are opportunistic.

6. Resilience Matters as Much as Prevention. Finally, a philosophical but important point: even with world-class defenses, breaches can still happen (M&S is a 139-year-old company that surely had security in place, yet it was breached). No organisation is immune, so resilience – the ability to contain damage and recover quickly – is paramount. In M&S’s case, having the courage to disconnect systems early likely prevented worse damage. Their recovery was still arduous, but a complete rebuild could have taken much longer. This underscores that CISOs should invest not only in preventive controls, but also in robust incident response plans, backups, and business continuity drills. The goal is to minimise the “dwell time” of attackers (finding them fast when they break in) and to limit the blast radius (through network segmentation, least-privilege access, etc., which we’ll discuss under Zero Trust). As one expert noted, “resilience isn’t just about prevention, it’s about containment, recovery, and communication”. This holistic approach is what allowed M&S to eventually bounce back and will serve other organisations well when – not if – they face a similar crisis.

In summary, the M&S incident crystallises several trends: targeted ransomware is on the rise; social engineering and third-party attacks are key threat vectors; and strong resilience strategies are as crucial as ever. Armed with these insights, CISOs in retail and other sectors can re-evaluate their security postures against real-world adversary behaviours.

How Peritus Cloud Security Support Proactive Defence

In light of the lessons from the M&S cyberattack and the emerging threat landscape, businesses are rightly asking: How can we stay ahead of these risks and protect ourselves proactively? This is where Peritus Cloud Security comes in. As a specialist in cybersecurity and cloud solutions, Peritus is dedicated to helping organizations strengthen their security posture before a crisis hits, and to respond effectively if one does. We align closely with the needs of mid-market and enterprise teams, offering expertise that addresses exactly the challenges highlighted in this report – from third-party risk to advanced social engineering and Zero Trust implementation.

Here are key ways Peritus Cloud Security can help your business stay proactive and resilient in the face of modern cyber threats:

1. Comprehensive Security Assessments – Know Your Gaps: It all starts with understanding your current risk exposure. Peritus offers in-depth Cyber Security Assessments that evaluate your infrastructure, policies, and controls against industry best practices and emerging threats. We uncover misconfigurations, vulnerabilities, and compliance gaps across cloud and on-premise environments. For example, we can assess whether your Active Directory is hardened against privilege escalation, or if your employee training is effectively combating phishing. In the context of an M&S-style attack, our assessments would flag weaknesses such as lack of MFA on certain accounts, over-privileged vendor logins, or insufficient network segmentation. By identifying these issues proactively, you can remediate them before attackers find them. We provide prioritised recommendations, so you know which high-risk gaps to close first.

2. Third-Party Risk Management – Securing the Supply Chain: Peritus recognises that third-party risk is a top concern for modern businesses. Our Third-Party Risk Management solutions help you institute a robust program to vet and monitor your vendors. We assist in evaluating vendors’ security postures (through questionnaires, audits, or integrating with vendor risk rating tools) and implementing controls for vendor access. Additionally, through our advisory services, we help you establish strict third-party access policies: from setting up separate vendor access portals with MFA, to using Secure Access Service Edge (SASE) and software-defined perimeters that limit what external partners can see and do on your network. By doing so, even if a vendor is compromised, your critical systems remain protected. Our team can also guide you in continuously monitoring supplier connections for anomalies, leveraging our extended detection capabilities (XDR) to watch for suspicious activity coming from partner accounts.

3. Advanced Threat Detection & Response – Stopping Attacks Early: In today’s threat landscape, prevention must be coupled with detection. Peritus provides Extended Detection & Response (XDR) and managed security monitoring services to catch intrusions in real time. We deploy intelligent monitoring across your endpoints, network traffic, cloud workloads, and identity systems. This means if an attacker tries to impersonate an employee or log in from an unusual location, our systems can generate alerts based on that abnormal behavior. We use a combination of rule-based detection and machine learning analytics (yes, the good side of AI) to quickly spot patterns that could indicate a breach – such as a user suddenly accessing large amounts of data at 3 AM, or the same account logging in from two countries within an hour. Our Security Operations Center (SOC) analysts are on call to investigate and help you respond immediately, 24/7. With Peritus’s monitoring, you gain the peace of mind that even if attackers slip past some defenses, they won’t operate undetected for long. Rapid detection significantly limits the damage, as it enables you to contain and eradicate the threat before ransomware fully deploys or data is exfiltrated.

4. Human Risk Management and Training – Fortifying Your First Line of Defense: Technology alone isn’t enough – your people are a crucial layer of defense. Peritus offers Human Risk Management services that include security awareness training, phishing simulations, and even executive cyber coaching. We help cultivate a security-first culture in your organisation. Employees learn how to recognise phishing emails, suspicious calls, and other social engineering ploys (including the latest AI-driven scams). By running realistic simulations, we identify which employees or departments might need extra training or tighter controls, turning the human weakness into strength. We can specifically tailor programs to threats like those seen in the M&S attack – for instance, training helpdesk staff on new verification protocols, or educating all staff on the risks of unsolicited password reset requests. Our approach makes security awareness engaging rather than a checkbox, so your team remains vigilant in the face of ever-evolving attacker tactics.

5. Zero Trust Architecture & Cloud Security – Build Security into Your Core: As businesses modernise and move to cloud and hybrid environments, Peritus specialises in designing and implementing Zero Trust architectures and robust Cloud Security frameworks. We bring deep expertise in Identity and Access Management (IAM) and Privileged Access Management, ensuring that principles like least privilege and continuous authentication are enforced across your IT ecosystem. If you’re looking to implement Zero Trust, our consultants can develop a roadmap and architecture: from segmenting your networks, to deploying solutions like conditional access, single sign-on and MFA everywhere, to setting up micro-segmentation in your cloud (using Cloud Native Application Protection Platforms or third-party tools). We are vendor-agnostic and familiar with leading technologies, meaning we recommend solutions tailored to your stack – be it Microsoft-centric, AWS/Azure cloud, or hybrid. Additionally, our Cloud Security Posture Management services help you reduce misconfigurations in cloud resources (for example, ensuring storage buckets aren’t left open, and that your backup systems are properly isolated from your main network to survive a ransomware attack). By partnering with Peritus to embrace Zero Trust and cloud security best practices, you significantly harden your defenses against breaches like the one M&S experienced.

6. Incident Response Readiness – Be Prepared, Not Panicked: Drawing on lessons from incidents like M&S, Peritus offers services to make sure if the worst happens, you’re ready. Our Cyber Incident Exercising service conducts tabletop simulations and live drills with your team. We walk you through realistic breach scenarios (e.g., a ransomware outbreak) to test your response plans, roles, and decision-making. This way, if a real incident occurs, your team will have muscle memory and confidence in handling it, reducing confusion and delays. We can also assist in developing or refining your incident response plan and playbooks – aligning them with NCSC guidance and international standards. And should you need emergency help, Peritus can serve as a first responder with expert incident handlers to contain and eradicate threats. Think of it as cyber fire-fighting – you hope to never need it, but it’s critical to have a trusted partner on call. By preparing in advance, you’ll fulfill the mantra of “preparation and resilience” that NCSC advocates.

7. Ongoing Advisory and vCISO Support – Strategic Guidance: Security is an ongoing journey. Peritus provides Virtual CISO (vCISO) and ongoing advisory services, which means our seasoned security leaders can work with your executive team to navigate the strategic aspects of cybersecurity. We keep you updated on emerging threats (like new ransomware tactics or AI threats) and compliance requirements, helping you adapt your security strategy proactively. For example, if new regulations emerge post-M&S incident (perhaps mandating certain cyber controls in critical retail), our experts would brief you and help implement necessary measures. We also help you align security initiatives with business goals – turning cybersecurity from a cost center into a business enabler, much as M&S’s CEO framed their accelerated investments as making the company stronger. In essence, we become a trusted partner in your security program’s success, available for consultation whenever needed.

Why Peritus?

In delivering these services, Peritus prides itself on a few principles that set us apart. We offer vendor-neutral advice, ensuring you get solutions that truly fit your needs (not a one-size-fits-all product pitch). Our team comprises senior experts – when you work with us, you interact directly with experienced consultants who have “seen it all,” not junior staff. We move quickly and pragmatically; we know that in business, time is of the essence, especially after something like a cyberattack, so we aim to deliver results fast without sacrificing quality. And importantly, we focus on real-world solutions – as our motto says, “cloud security that works in the real world”. That means we help you implement controls that are practical, managed, and actually improve security rather than just adding complexity.

With Peritus Cloud Security as your ally, you gain not just tools or checklists, but a holistic strategy and the hands-on support to execute it. Whether it’s preventing the next breach through strong preventive measures and training, or preparing to handle incidents with minimal damage, we cover the full spectrum. Our mission is to make sure that your organisation does not become the next headline, and that you can pursue innovation and growth with confidence in your security posture.