Incidents impacting retailers – recommendations from the NCSC

A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.

A pervasive threat
------------------

Cyber criminality, including extortion and ransomware, is one of the most pervasive cyber threats facing UK organisations. It affects organisations of all sizes — from the largest, to the very smallest.
No-one is immune from this threat; it is both opportunistic and indiscriminate.

Criminals continue to adapt their business models to gain efficiencies and maximise profits, including a clear shift towards ‘ransomware as a service’ where criminals — often with comparatively little technical knowledge or skill — are able to launch attacks using pre-developed tools. This includes tailoring their methods of attack depending on what is most likely to yield the most significant payments.

We all have first-hand knowledge of how devastating attacks can be for victims — with real-world impacts on society, on business, and on individuals. Recovery can be lengthy. And costly.

* * *

Recent attacks on the retail sector
-----------------------------------

The NCSC is working with organisations affected by the recent incidents to understand the nature of the attacks and to minimise the harm done by them, including by providing advice to the wider sector and economy.

Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that.

We are also sharing what we know with the companies involved, and the wider sector, through our sector-focussed Trust Groups run by the NCSC, and encouraging companies to share their experiences and mitigations with each other.

There are still a lot of unknowns. But there is also a lot we do know.

* * *

So what?
--------

Preparation and resilience do not mean just having good defences to keep out bad actors. No matter how good your defences are, sometimes the attacker will be successful.

It also means being able to detect threat actors when they are using your employees’ legitimate access, or are on your network or in your cloud services, whilst being able to contain attackers to prevent damage, and being able to respond and recover when an attack has got through your defences.

There has been some speculation in the press that at least some of these incidents have been carried out by a group known as ‘Scattered Spider’, as well as discussion about whether social engineering had been used by threat actors targeting IT helpdesks to perform password and MFA (multi-factor authentication) resets, a technique that the group has been reported to use in the past.

We have provided specific guidance to the sector. But we believe by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this.

As well as following our guidance (including that listed under [Mitigating malware and ransomware attacks – NCSC.GOV.UK](/guidance/mitigating-malware-and-ransomware-attacks#actionstotake "Mitigating malware and ransomware attacks")), organisations are strongly encouraged to:

* ensure [2-step verification (multi-factor authentication)](/guidance/setting-2-step-verification-2sv "Setting up 2-step verification") is deployed comprehensively
* enhance monitoring against unauthorised account misuse.
  For example, looking for ‘Risky Logins’ within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behaviour, especially where the detection type is ‘Microsoft Entra Threat intelligence’
* pay specific attention to Domain Admin, Enterprise Admin and Cloud Admin accounts, and whether their access is legitimate
* review Helpdesk password reset processes – how the IT desk authenticates staff members’ credentials before resetting passwords, especially those with escalated privileges
* ensure your security operation centres can identify logins from atypical sources, such as VPN services in residential ranges, through source enrichment and similar; and
* ensure that you have the ability to consume techniques, tactics and procedures sourced from threat intelligence rapidly whilst being able to respond accordingly.

Criminal activity online — including, but not limited to, ransomware and data extortion — is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared.
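
The monitoring recommendations in the list above (threat-intelligence risk detections, privileged accounts, helpdesk resets and residential VPN sources) can be combined into one triage pass over sign-in records. This is an added example, not NCSC code: the field names are assumptions modelled on Entra sign-in log exports, and the accounts, addresses, range labels and 24-hour window are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed enrichment table using documentation ranges, not real providers.
SOURCE_RANGES = {"198.51.100.0/24": "residential-vpn",
                 "203.0.113.0/24": "corporate-egress"}
PRIVILEGED = {"da-admin@example.test"}   # assumed Domain/Enterprise/Cloud Admin list
TI_DETECTION = "investigationsThreatIntelligence"   # assumed risk event type value
RESET_WINDOW = timedelta(hours=24)       # assumed correlation window

# Constructed sample records; field names are assumptions modelled on sign-in logs.
SIGNINS = [
    {"userPrincipalName": "da-admin@example.test", "ipAddress": "198.51.100.23",
     "createdDateTime": "2025-05-01T10:15:00+00:00", "riskEventTypes_v2": [TI_DETECTION]},
    {"userPrincipalName": "shop.user@example.test", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-05-01T10:20:00+00:00", "riskEventTypes_v2": []},
    {"userPrincipalName": "till.user@example.test", "ipAddress": "198.51.100.77",
     "createdDateTime": "2025-05-01T11:00:00+00:00", "riskEventTypes_v2": []},
]
RESETS = [{"user": "da-admin@example.test", "time": "2025-05-01T09:40:00+00:00"}]

def classify_source(ip):
    """Source enrichment: label an address from the range table."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in SOURCE_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return "unknown"

def reset_before(user, when, resets):
    """True if the helpdesk reset this user's credentials shortly before `when`."""
    return any(r["user"] == user and
               timedelta(0) <= when - datetime.fromisoformat(r["time"]) <= RESET_WINDOW
               for r in resets)

def triage(signins, resets):
    findings = []
    for ev in signins:
        user, when = ev["userPrincipalName"], datetime.fromisoformat(ev["createdDateTime"])
        reasons = []
        if TI_DETECTION in ev.get("riskEventTypes_v2", []):
            reasons.append("entra-threat-intelligence")
        if classify_source(ev["ipAddress"]) == "residential-vpn":
            reasons.append("residential-vpn-source")
        if reset_before(user, when, resets):
            reasons.append("recent-helpdesk-reset")
        if reasons:  # privileged accounts are weighted so they are reviewed first
            score = len(reasons) + (2 if user in PRIVILEGED else 0)
            findings.append({"user": user, "reasons": reasons, "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

On the constructed data the privileged account that signed in from a residential VPN range shortly after a helpdesk reset ranks first, and the ordinary sign-in from the corporate egress range is not reported.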

Written by: Jonathon Ellison, NCSC Director of National Resilience, and Ollie Whitehouse, Chief Technology Officer (CTO), NCSC

Published: 4 May 2025

Part of blog: [NCSC publications](/section/keep-up-to-date/ncsc-blog)