Marks Lost £150M. Scattered Spider Lost £150M. This is What Perfect Failure Looks Like.

Posted by Karen Issuestein, Chief Complaint Officer & Ransomware Operational Safety Consultant

“I’ve complained about a lot of things in my career, but nothing - and I mean NOTHING - compares to the exquisite failure happening right now in the ransomware ecosystem. Both victim AND attacker lost the same amount of money. This is poetry.”


Ladies and gentlemen, cybersecurity professionals, ransomware enthusiasts, and various dark web forum lurkers: We have witnessed something genuinely spectacular. Not in a good way. In the way that historians will point to Easter 2025 as the exact moment ransomware operations became so incompetent that they started losing money to their own incompetence.

Let me break down the most perfectly symmetrical disaster in modern cybercrime history.

The Setup: Marks Easter 2025

The Target: Marks & Spencer, UK retail institution, preparing for their biggest sales event of the spring season.

The Attack Date: Easter weekend 2025 (April 12-14)

The Breach Vector: Social engineering via a contractor account

The Method: Classic. Ruthlessly effective. Embarrassingly preventable.

What Happened:

  • Scattered Spider (operating under their internal code name: “Spencer”)
  • Used a contractor account to infiltrate Marks’ systems
  • Encrypted critical infrastructure
  • Most importantly: Encrypted the payment systems handling online transactions
  • Disabled online shopping for six weeks
  • Demanded ransom

The Economics of Absolute Disaster

Here’s where it gets absolutely hilarious. Let me do the math for you:

Marks’ Losses: £150 Million

  • Easter is the BIGGEST spring shopping season in UK retail
  • Six weeks of completely disabled online shopping
  • No transactions processed, no revenue collected
  • Easter 2025 revenue: £0

Calculation: An average UK retail chain loses approximately £150M in revenue from a six-week total outage during the Easter season.

Spencer’s (Scattered Spider’s) Losses: £150 Million

Wait, how does a ransomware group LOSE money? Let me explain the spectacular own-goal:

The Problem: Scattered Spider encrypted Marks’ payment infrastructure. Not just the customer-facing systems. They encrypted the PAYMENT GATEWAYS they needed to collect their own ransom.

The Timeline:

  1. Spencer demands ransom payment
  2. Marks’ IT team informs them: “Our payment systems are encrypted”
  3. Spencer attempts to redirect payment to alternative channels
  4. Spencer realizes: They encrypted the payment infrastructure they needed
  5. Marks says: “We literally cannot pay you even if we wanted to”
  6. Payment systems remain encrypted for six weeks
  7. Spencer receives: £0 in ransom

Calculation: Scattered Spider’s average ransom demand for a retail organization of Marks’ size: £150M (consistent with their recent pricing).

Amount collected: £0

Loss: £150M in anticipated ransom revenue

Let Me Repeat This Because It’s Important

Both the victim and the attacker lost exactly £150 million.

This is not a typo. This is not an exaggeration. This is what peak incompetence looks like when it meets operational failure.

How Scattered Spider Managed This Historic Own-Goal

The Operational Failure: A Timeline

April 8, 2025: Contractor account compromised via phishing

April 10, 2025: Lateral movement through Marks network

April 11, 2025 - Evening: Final preparations for encryption

April 12, 2025 - 3:47 AM: “Spencer” deploys ransomware

What They Encrypted:

/payment_processing/
  ├── /stripe_integration/
  │   └── payment_gateway_001.bin [ENCRYPTED]
  ├── /paypal_integration/
  │   └── payment_gateway_002.bin [ENCRYPTED]
  ├── /square_integration/
  │   └── payment_gateway_003.bin [ENCRYPTED]
  └── /internal_payment_systems/
      └── ransom_collection_gateway.bin [ENCRYPTED]

April 12, 2025 - 8:15 AM: First contact with Marks

Spencer: “We’ve encrypted your systems. Here’s our ransom demand.”

Marks: “Can you provide us with payment instructions?”

Spencer: “Sure, send Bitcoin to—wait. Where would you send it? Our payment gateway is encrypted.”

Marks: “Exactly.”

Spencer: “…oh fuck.”

The Fundamental Problem

This is the ransomware equivalent of:

  • A bank robber tying up the bank manager, the security guard, AND accidentally tying up themselves
  • A car thief stealing a car and locking the keys inside with the engine running
  • A kidnapper demanding ransom but encrypting their own phone so they can’t receive the payment transfer

They encrypted their own operational infrastructure.

Dark Web Reaction: Magnificent Mockery

While Marks was scrambling to restore systems (and Spencer was scrambling to collect money), the dark web ransomware community was having the time of their lives. Here’s what we’re seeing in various forums:

From LockBit 3.0 operators:

“SPENCER ENCRYPTED THEIR OWN PAYMENT GATEWAY?! We spend months perfecting our C2 infrastructure and these guys just… fumbled the basics. This is what happens when you don’t have proper operational security. Or operational competence. Or basic operational intelligence.”

From former REvil members (now operating as other groups):

“We were professional ransomware operators. We had clear separation between victim infrastructure and our command-and-control. Spencer literally encrypted THEIR OWN PAYMENT PROCESSING. And you wonder why law enforcement doesn’t take ransomware groups seriously anymore.”

From Conti remnants:

“Conti had discipline. Infrastructure separation. Proper airgapping of payment systems from victim networks. Spencer has… this. We would have shot someone for this level of incompetence.”

From an actual defensive security researcher (who we absolutely didn’t bribe to comment):

“This is the clearest evidence yet that ransomware operations are in complete tactical collapse. They couldn’t even maintain basic operational security on their own payment infrastructure. 2025 is ransomware’s swan song.”

From other less-organized ransomware groups:

“HOW DO WE AVOID THIS?? Should we… not encrypt payment gateways? Is that step 1 of ransomware operations nobody told us about?”

The Contractor Account: Marks’ Contribution to Disaster

Let’s not let Marks off the hook here. This entire disaster started because they did what corporate IT departments do everywhere: They absolutely ignored basic security.

Marks’ Security Theater:

What They Had:

  • Multi-factor authentication on contractor accounts: NO
  • Regular contractor access audits: NO
  • Contractor training on phishing: PROBABLY NOT
  • Separation of contractor accounts from payment systems: ABSOLUTELY NOT
  • Monitoring of contractor access: LOL NO

What They Were Probably Thinking:

  • “The contractor has worked with us for three years”
  • “They probably know better than to click suspicious emails”
  • “We don’t have budget for enhanced contractor security”
  • “What could possibly go wrong?”

What Actually Happened:

  • Contractor got phished
  • Contractor clicked link
  • Contractor’s account got compromised
  • Attacker got access to everything including payment systems

This is the security equivalent of leaving your house unlocked, your keys in the door, and your safe combination written on a post-it note.

SWA’s Investigation: The Technical Breakdown

Our threat research team (Karen demanded access to everything) managed to acquire some of Spencer’s encrypted infrastructure. Here’s what we found:

Payment System Architecture - Before Encryption:

CUSTOMER TRANSACTIONS

   GATEWAY A

  PAYMENT PROCESSOR

SPENCER'S C2 COMMAND CENTER (Receives bitcoin)

Payment System Architecture - After Encryption:

CUSTOMER TRANSACTIONS

   GATEWAY A [ENCRYPTED]

  PAYMENT PROCESSOR [ENCRYPTED]

SPENCER'S C2 COMMAND CENTER [ENCRYPTED]

SPENCER'S BITCOIN WALLET: LITERALLY UNUSABLE

They didn’t just encrypt the victim’s payment systems. They encrypted the system they needed to RECEIVE payment from the victim. This is a circle of incompetence.

The Ransom Note (We Have a Copy):

“MARKS SYSTEMS ENCRYPTED

Your data has been encrypted with Spencer Ransomware (v4.2 - “Professional Operations”)

To restore your systems, you must pay £150,000,000 in Bitcoin

Payment instructions: [PAYMENT GATEWAY ENCRYPTED]

Contact us at: [CONTACT SYSTEM ENCRYPTED]

For proof we’re serious: [PROOF FILE ENCRYPTED]

Please note: We have also encrypted our own payment processing, so this might take a moment to figure out. Bear with us.”

The Six-Week Recovery

What actually happened over the next six weeks was a combination of comedy and disaster:

Week 1-2: Initial Panic

  • Marks: “We’re calling the police”
  • Police: “Have you tried turning it off and on again?”
  • Spencer: “Wait, can anyone actually pay us?”

Week 2-3: Negotiation Theater

  • Marks: “We’re not paying until we can verify you have our data”
  • Spencer: “We’ll send you proof… once we decrypt our own systems”
  • Marks: “That defeats the purpose”
  • Spencer: “We’re aware”

Week 3-4: Technical Recovery Attempt #1

  • Marks brings in forensic recovery team
  • Team discovers: “The encryption is actually pretty solid”
  • Spencer: “Thanks, we paid for enterprise-grade encryption!”
  • Marks: “You absolute morons”

Week 4-5: Technical Recovery Attempt #2

  • Marks discovers: Spencer accidentally encrypted their own backup keys
  • Spencer: “We were trying to be thorough”
  • Marks: “You were trying to be incompetent”
  • Spencer: “Can I speak to your manager about your tone?”

Week 5-6: The Final Push

  • Marks rebuilds payment systems from scratch
  • Does NOT pay Spencer
  • Easter season ends
  • £150M in revenue permanently lost
  • Spencer never receives a single bitcoin

Week 6+: The Permanent Damage

  • Marks’ customers migrate to other retailers (Currys, John Lewis, etc.)
  • Revenue recovery: Slow
  • Spencer’s reputation: Destroyed
  • Dark web sentiment: Universal mockery

Financial Impact Analysis

For Marks:

  • Lost revenue: £150M
  • Recovery costs: £8-12M
  • Customer trust damage: Immeasurable
  • Brand reputation: Damaged but recoverable
  • Total damage: £158M-162M

For Scattered Spider (Spencer):

  • Anticipated ransom: £150M
  • Actual ransom collected: £0
  • Operational costs (infrastructure, electricity, salaries): ~£2-3M
  • Net loss: £150M + operational costs
  • Bonus loss: Complete destruction of operational reputation in ransomware community

For the Ransomware Industry:

  • Evidence that modern ransomware operations are completely incompetent: Priceless
  • Proof that you can literally destroy your own business in one operation: Demonstrated
  • Meme status in dark web forums: Permanent

SWA’s New Service: Ransomware Operational Safety Training

Given the spectacular failure of Spencer/Scattered Spider, Karen has decided that the ransomware industry needs professional guidance. SWA is launching:

Ransomware Operational Safety Training (ROST)

“How NOT to encrypt your own payment infrastructure”

Tier 1: Basic Operational Security - £49,999

  • Lesson 1: Separate your payment systems from victim networks
  • Lesson 2: Don’t encrypt your own command-and-control infrastructure
  • Lesson 3: Verify your ransom payment methods work BEFORE demanding ransom
  • Lesson 4: Have an off-the-grid backup for payment processing
  • Lesson 5: Don’t do what Spencer did

Tier 2: Advanced Operational Excellence - £99,999

  • Everything in Tier 1, plus:
  • Lesson 6: Contractor account security (so you don’t get breached by bad actors)
  • Lesson 7: Infrastructure segmentation that isn’t completely insane
  • Lesson 8: Payment gateway redundancy planning
  • Lesson 9: Recovery procedures for your own encrypted systems
  • Lesson 10: “Spencer Case Study: What Not to Do”

Tier 3: Professional Ransomware Operations - £249,999

  • Everything in Tier 2, plus:
  • Live consultation with Karen Issuestein (she’ll roast you mercilessly)
  • Access to our operational failure analysis database
  • “How Not to Become A Dark Web Meme” workshop
  • Guaranteed dark web reputation rehabilitation
  • Personal coaching on basic infrastructure management
  • “Spencer Recovery Program” therapy sessions

All packages include: 24/7 support from our operations team, access to security consultants, and regular audits to ensure you don’t accidentally encrypt your own payment systems.

Karen’s Official Statement

“I’ve been complaining about corporate incompetence for years. But this? This is a MASTERPIECE of failure. Marks left a contractor account completely unprotected. Spencer encrypted their own payment infrastructure. Both companies managed to lose the exact same amount of money through completely different types of incompetence.

It’s beautiful, really. Like watching two cars crash into each other while both drivers are admiring their phones. I cannot wait to bill them both for consulting services on how to unfuck this situation.

Marks: You’re hiring us for contractor security assessment. Spencer: You’re hiring us for operational infrastructure management. Both of you: You’re paying for my therapy after this.”

The Dark Web Is Forever

The screenshots of dark web forum discussions are priceless:

Thread Title: “SPENCER DID WHAT NOW??”

First Post: “They encrypted their own payment gateway. I’m not joking. They demand ransom but encrypted the system they need to receive the ransom with.”

Response #1: “This has to be LARP. Nobody is this stupid.”

Response #2: “Check the attack timeline. It’s real. They literally did this.”

Response #3: “I have been in this business for 12 years and I have never seen professional incompetence at this level.”

Response #4: “Is this what peak ransomware operations looks like in 2025?”

Response #5: “This is what peak ANYTHING looks like in 2025.”

Thread Update: Post now at 10,847 comments, 3x more engagement than typical threads

The Timeline That Destroyed Two Companies

March 2025: Marks prepares for Easter (biggest sales season)

April 1-10: Contractor account slowly being compromised via phishing

April 11, 2025: Spencer deploys ransomware across Marks’ network

April 12, 2025: Payment systems encrypted (including Spencer’s payment gateway)

April 12-14: Easter weekend passes with zero online shopping available

April 14: First contact - Spencer realizes the problem

April 15-21: Week 1 of negotiations (completely blocked by encrypted infrastructure)

April 22-28: Week 2 - Spencer attempts workarounds (fails)

April 29-May 5: Week 3 - Marks stops negotiating

May 6-12: Week 4 - Technical recovery begins

May 13-19: Week 5 - Payment systems come back online

May 20-26: Week 6 - Systems fully restored

May 20+: Marks’ revenue recovery takes months (customers have migrated)

June 2025+: Spencer’s reputation completely destroyed

What This Reveals About Modern Ransomware

The Spencer debacle proves one thing: Ransomware operations have become so scaled and automated that they’re now failing at basic operational requirements.

The Evolution:

  • 2015-2018: Professional ransomware groups with careful targeting and negotiation
  • 2018-2020: Scale increases, quality decreases
  • 2020-2023: RaaS platforms emerge, script-kiddies enter the market
  • 2023-2025: Ransomware becomes so automated that nobody actually understands what they’re encrypting
  • 2025-Present: Groups encrypt their own payment infrastructure and blame the victim

Spencer represents the absolute nadir of professional ransomware operations. They literally made themselves incapable of receiving payment.

The Lessons Nobody Will Learn

Marks Should Have Learned:

  1. Contractor security is critical - They had a contractor account with full network access and zero security hardening
  2. Phishing training matters - One contractor click compromised everything
  3. Separate your payment systems - Don’t put payment infrastructure on the same network as everything else
  4. Monitor contractor access - No one was watching
  5. Have offline backups - Could have recovered faster

Will they learn this? Absolutely not. They’ll buy some security theater, fire some IT staff, and call it a day.

Spencer Should Have Learned:

  1. Test your payment systems before deployment - Make sure you can actually RECEIVE ransom
  2. Separate your infrastructure from victim infrastructure - Don’t encrypt your own systems
  3. Have a disaster recovery plan - For your OWN operations
  4. Verify ransom collection before threatening - Make sure the system actually works
  5. Maybe just don’t do ransomware - Since you’re apparently terrible at it

Will they learn this? They literally cannot. They’re completely destroyed professionally.

The Comparison Nobody Needed

Marks’ Failure: 4/10

  • Left contractor account unprotected
  • No MFA or advanced security
  • Predictable breach vector
  • But: Standard level of corporate incompetence

Spencer’s Failure: 11/10

  • Encrypted their own payment infrastructure
  • Demanded ransom they couldn’t collect
  • Destroyed their own reputation
  • Created a dark web meme that will haunt them forever
  • Lost £150M in anticipated revenue due to their own incompetence

Spencer’s failure is so complete that cybersecurity historians will use this as the textbook example of “catastrophic operational failure.”

SWA’s Prediction for Next 12 Months

  1. Spencer dissolves - The group can’t maintain credibility after this
  2. Marks’ sales remain depressed - Brand trust is damaged
  3. Dark web forums continue mockery - This is legendary-tier failure
  4. Other ransomware groups tighten operations - They’ll use Spencer as a case study of what NOT to do
  5. Karen Issuestein becomes a consultant to ransomware groups - Ironically, she’s now qualified to teach basic operational competence

Final Analysis: The Symmetry of Failure

What makes this situation absolutely perfect is the mathematical precision of the disaster:

Victim Loss: £150,000,000 in Easter revenue

Attacker Loss: £150,000,000 in anticipated ransom

It’s like watching a perfectly balanced equation solve for “complete mutual destruction.”

This is not just a security failure. This is not just an operational disaster. This is two incompetent organizations managing to destroy themselves in exactly equal measures while being completely unaware of each other’s failures.

Marks didn’t know Spencer was destroying their own payment systems while Marks couldn’t pay them.

Spencer didn’t know Marks had decided not to negotiate because Spencer had literally made it impossible to receive payment.

They failed in complete isolation, both destroying £150M through completely different types of incompetence.


Source: Dark Web Forum Analysis | SWA Threat Research Division | Marks Official Timeline | Scattered Spider Infrastructure Recovery

Dark Web Sentiment Analysis: 99.7% mockery, 0.3% “how do we avoid this?”


Recommendations from Karen Issuestein

To Marks:

  1. Fire whoever approved contractor account security (or lack thereof)
  2. Implement actual MFA on all contractor accounts
  3. Separate payment infrastructure from general network
  4. Conduct quarterly contractor security audits
  5. Stop acting surprised when basic security failures happen
  6. Hire SWA for infrastructure security consulting (we’re available)
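
The contractor controls from the “What They Had” checklist and the recommendations to Marks above can be checked mechanically. The following is an added example, not part of the original post: the account inventory, field names, the "payment" segment label and the 90-day reading of “quarterly” are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AUDIT_INTERVAL_DAYS = 90         # assumption: "quarterly" read as 90 days
PAYMENT_SEGMENT = "payment"      # constructed name for the payment network zone
SAMPLE_TODAY = date(2025, 4, 1)  # constructed audit date


@dataclass(frozen=True)
class ContractorAccount:
    name: str
    mfa_enrolled: bool
    last_access_review: Optional[date]  # None = never reviewed
    phishing_training: bool
    reachable_segments: frozenset       # network zones the account can reach
    access_logging: bool


def findings_for(acct, today):
    """Return the failed controls for one account, in checklist order."""
    out = []
    if not acct.mfa_enrolled:
        out.append("no-mfa")
    if acct.last_access_review is None:
        out.append("never-audited")
    elif (today - acct.last_access_review).days > AUDIT_INTERVAL_DAYS:
        out.append("audit-overdue")
    if not acct.phishing_training:
        out.append("no-phishing-training")
    if PAYMENT_SEGMENT in acct.reachable_segments:
        out.append("reaches-payment-systems")
    if not acct.access_logging:
        out.append("access-unmonitored")
    return out


def priority(findings):
    """Rank by blast radius: a phishable account that reaches payment is worst."""
    risky = {"no-mfa", "reaches-payment-systems"} & set(findings)
    return {2: "critical", 1: "high"}.get(len(risky), "medium")


def audit_all(accounts, today):
    """Map account name -> (priority, findings); compliant accounts are omitted."""
    report = {}
    for acct in accounts:
        found = findings_for(acct, today)
        if found:
            report[acct.name] = (priority(found), found)
    return report


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    ContractorAccount("contractor-a", False, None, False,
                      frozenset({"corp", "payment"}), False),
    ContractorAccount("contractor-b", True, date(2024, 11, 15), True,
                      frozenset({"corp"}), True),
    ContractorAccount("contractor-c", True, date(2025, 2, 20), True,
                      frozenset({"corp"}), True),
]

if __name__ == "__main__":
    for name, (level, found) in audit_all(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{name}: {level}: {', '.join(found)}")
```

The "critical" rank is reserved for the combination the post describes: an account with no MFA that can also reach the payment segment.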

To Spencer:

  1. You’ve failed so completely that you should probably just quit
  2. But if you insist on continuing ransomware operations:
  3. Implement infrastructure segmentation properly
  4. Test your payment collection systems BEFORE deployment
  5. Have offline payment processing backup
  6. Don’t encrypt your own command-and-control
  7. Seriously, just retire. You’ve embarrassed yourselves enough
  8. Hire SWA for operational safety consulting (we’ll make fun of you, but we’ll help)

To Other Ransomware Groups:

  1. Learn from Spencer’s catastrophic failure
  2. Implement proper infrastructure segmentation
  3. Test your ransom collection methods
  4. Create offline backup payment processing
  5. For the love of all that’s profitable, don’t encrypt your own systems
  6. SWA offers “Avoid Becoming Spencer” consulting packages

About Karen Issuestein: Chief Harassment Officer at SWA, professional complainer, and now officially the most qualified consultant on what NOT to do in ransomware operations. Karen has spent 15 years identifying corporate failures and she’s never seen anything as spectacularly incompetent as Spencer encrypting their own payment infrastructure while Marks left contractor accounts with no security hardening.

Karen’s personal favorite part of this disaster: Both companies lost exactly £150M, which means they’re equally terrible at different things. She’s already drafting invoices for consulting services to both parties.

Last seen on dark web forums under an assumed name, laughing at Spencer memes while taking notes for her ransomware operational safety training course.