In April 2025, Marks & Spencer—one of Britain’s most successful retailers—was crippled by a ransomware attack that didn’t just encrypt endpoints. It locked down VMware ESXi hypervisors, freezing core systems and bringing operations to a standstill. 

Sales were suspended. Internal systems froze. Customers were left in limbo. According to analysts, the damage could total over $400 million—nearly half of M&S’s 2024 profits. 

Can your organization afford to lose nearly half of its annual profits to a ransomware attack? 


The Rise of Ransomware in Retail 

May of 2025 has been a big month for retailers, with cybersecurity incidents taking down international logos like Adidas, Dior, and Victoria’s Secret. Recent reports on ransomware in this sector verify the threat’s prevalence: 

  • 45% of retail organizations were hit with ransomware in 2024 
  • 50% increase in ransomware recovery costs in the retail sector in 2024 
  • $240M ransom demand on retail giant MediaMarkt, making it one of the most expensive ransomware attacks on record between 2020 and 2025, after Marks & Spencer
  • 92% of retail organizations hit by ransomware in 2024 had attackers attempt to compromise backups; 47% succeeded 
  • 74.71% increase in ransomware targeting of the retail sector according to Q1 2025 threat reports 

The threat to virtual infrastructure specifically is rising quickly. According to Veeam’s 2025 ransomware report, attackers are increasingly skipping endpoints and targeting the virtualization layer directly. The ESXi attack on Marks & Spencer in April wasn’t a random hit—it was part of a larger shift toward infrastructure-aware ransomware, and it’s a warning the entire retail industry, including those in the US, should take seriously.  

The wave of ESXi attacks on UK retailers also follows MITRE ATT&CK v17’s inclusion of ESXi-specific TTPs, validating the very real risk that unprotected hypervisors pose to businesses. What was once considered a backend technical layer is now front and center in the ransomware playbook—and most retailers aren’t ready. 


Case in Point: The M&S, Harrods, and Co-op ESXi Attacks 

In spring 2025, a coordinated ransomware campaign swept through the UK retail sector, led by the DragonForce cartel and its affiliate, Scattered Spider. Known for credential theft and hypervisor-level payloads, this group bypasses endpoints and goes straight for ESXi. 

Marks & Spencer was the most visible casualty. Attackers used social engineering to compromise a third-party vendor, gained access to Active Directory, and quietly moved laterally until they were able to deploy ransomware to core ESXi infrastructure—shutting down online sales, logistics, and internal systems for weeks. 

  • Online sales, worth an estimated $4.36M per day, were paused for over two months 
  • Supply chain disruptions left shelves empty; vendors reverted to manual systems 
  • Customer data was stolen, including names, addresses, and purchase history 
  • The attack erased over $640M in market value 

In the days that followed, Harrods and the Co-op Group also reported attempted intrusions. While no encryption was confirmed, both firms took emergency containment measures—shutting down internet access and VPNs, issuing credential resets, and tightening access controls. 

Harrods and Co-op possibly got lucky. M&S didn’t. 


ZeroLock: What ESXi Protection Should Actually Look Like 

There’s a clear shift underway. Ransomware groups are targeting the hypervisor, and most tools simply weren’t designed to defend it. 

That’s where ZeroLock® stands apart. ZeroLock offers a way to reduce risk without overhauling architecture—strengthening resilience at one of the most underprotected layers in the enterprise stack. Built specifically for VMware ESXi protection, it delivers 100% coverage of every ESXi-specific tactic, technique, and procedure in MITRE ATT&CK v17—including the exact methods used in the M&S breach. 

ZeroLock offers a lightweight solution to harden infrastructure and reduce exposure—without adding complexity to already stretched I&O environments. Some key capabilities include: 

Multilayered protection for retail ransomware

  • SSH Multi-Factor Authentication to secure access points and stop unauthorized logins 
  • Lockdown Rules and Virtual Patching to automate hardening and prevent high-risk hypervisor actions 
  • Application Filtering to block tools like esxcli and vim-cmd commonly exploited in attacks 
  • AI Detection to flag and halt unauthorized changes, lateral movement, and pre-encryption behaviors 
  • SIEM/SOAR Integration for real-time visibility and response across your existing security stack 
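To make the application-filtering and detection bullets above concrete, here is a small Python detector written for this article (not ZeroLock's own logic): it reads constructed ESXi shell-log lines (format assumed to follow /var/log/shell.log), flags the esxcli and vim-cmd invocations that stop guests or weaken host defences, and raises one burst alert when several land in the same shell session within a minute. The rule names, command patterns and thresholds are hypothetical policy choices, and the sample log is fabricated.

```python
import re
from datetime import datetime

# Constructed sample, modelled on ESXi /var/log/shell.log lines (exact format assumed).
SAMPLE_SHELL_LOG = """\
2025-04-22T03:12:41Z shell[2101]: [root]: esxcli system version get
2025-04-22T03:13:05Z shell[2101]: [root]: vim-cmd vmsvc/getallvms
2025-04-22T03:13:22Z shell[2101]: [root]: vim-cmd vmsvc/power.off 12
2025-04-22T03:13:23Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=2178
2025-04-22T03:13:40Z shell[2101]: [root]: esxcli network firewall set --enabled false
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Hypothetical lockdown policy: commands that stop guests or weaken host defences; read-only queries stay allowed.
HIGH_RISK_PATTERNS = {
    "vm_power_off": re.compile(r"^vim-cmd vmsvc/power\.off\b"),
    "vm_process_kill": re.compile(r"^esxcli vm process kill\b"),
    "firewall_disable": re.compile(r"^esxcli network firewall set .*--enabled[= ]false"),
}

def parse_line(line):  # -> dict with aware-datetime ts, pid, user, cmd; None if unparsable
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def classify(cmd):
    """Return the matching policy rule name, or None for an allowed command."""
    return next((name for name, pat in HIGH_RISK_PATTERNS.items() if pat.search(cmd)), None)

def scan_shell_log(text, window_s=60, threshold=2):
    """Return (per-command hits, per-session bursts of >= threshold hits within window_s)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        rule = classify(rec["cmd"]) if rec else None
        if rule:
            hits.append({**rec, "rule": rule})
    bursts, by_pid = [], {}
    for h in hits:
        by_pid.setdefault(h["pid"], []).append(h)
    for pid, hs in by_pid.items():
        for i, first in enumerate(hs):  # hits keep log order, so no sort is needed
            window = [h for h in hs[i:] if (h["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) >= threshold:
                bursts.append({"pid": pid, "start": first["ts"], "rules": [h["rule"] for h in window]})
                break  # one burst alert per shell session is enough to page on
    return hits, bursts
```

Feeding real shell.log output in and forwarding the returned bursts to a SIEM gives the pre-encryption signal the bullets describe; tune the patterns to the commands your own change process actually permits.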

ZeroLock operates silently at the hypervisor level—no downtime, no re-architecture. Just the visibility and control needed to stop modern ransomware before it hits.  


Final Thoughts: What’s Your Plan for ESXi Risk? 

Retailers can’t afford to treat hypervisor security as an afterthought. The stakes have changed, and today’s ransomware attacks are going after the core infrastructure that keeps operations running: your virtualization layer. 

Marks & Spencer was a wake-up call. It won’t be the last.  

If your ESXi environment is unprotected, ransomware actors may already be knocking.