
The Four Hacking Groups Retail Executives Must Know – Before the Holidays


As retailers prepare for the crucial holiday season, another kind of countdown is already underway. Cybercriminals know exactly when you can least afford disruption, and they plan their campaigns accordingly. November and December have become high season not only for sales but also for ransomware, extortion and sophisticated cyberattacks. For retail executives, the challenge is clear: understanding who the attackers are, how they operate and what steps to take before the stakes rise even higher.

In today’s threat environment, four actors stand out as especially dangerous to retail: Scattered Spider, ShinyHunters, DragonForce and FIN7. Each exploits vulnerabilities at the core of retail operations, including customer service, point-of-sale systems, vendor networks and logistics. DragonForce, in fact, operates less like a single group and more like a ransomware cartel, providing a platform and infrastructure for affiliates to launch attacks. Other cartels such as RansomHub show how this model is reshaping the criminal economy, enabling diverse actors to share tools, coordinate operations and outpace defenders.

A Shifting Threat Landscape

The ransomware ecosystem has changed dramatically in recent years. Instead of one group building malware, running operations and claiming victims, today the dominant model is Ransomware-as-a-Service (RaaS). Core operators provide the software, infrastructure and even “customer support” portals, while affiliates carry out attacks and share the profits.

When a major ransomware brand is disrupted, the threat doesn’t end, because affiliates simply migrate to other platforms, taking their tactics with them. Groups like RansomHub have filled vacuums left by LockBit and BlackCat, operating more like cartels that coordinate dozens or hundreds of affiliates. For retailers, this means that even if one group is taken down, the threat model persists and often resurfaces faster than law enforcement can respond.


At the same time, tactics are evolving. Many groups now emphasize data theft and extortion, threatening to publish stolen files if payments aren’t made. Others combine this with traditional encryption, paralyzing operations. The shift toward disruption makes these attacks especially damaging in retail, where every hour of downtime can mean millions in lost revenue.

The Groups Retailers Cannot Ignore

Scattered Spider has become infamous for its mastery of social engineering. Instead of relying solely on malware or exploits, this group impersonates employees or contractors, calling help desks, persuading staff to reset credentials or tricking identity systems into bypassing multi-factor authentication.

Scattered Spider has been tied to major retail attacks in the UK this year, including disruptions at Marks & Spencer and Co-op. Their playbook is not bound by geography, and U.S. retailers should expect similar tactics targeting help desks, vendor support channels and customer service platforms, precisely the areas where human judgment can be manipulated.

ShinyHunters has recently emerged as a major threat to retailers by exploiting CRM and cloud-based systems that house sensitive customer and operational data. In 2025, the group was tied to a series of Salesforce data theft incidents impacting Adidas, LVMH, Louis Vuitton, Dior and Tiffany & Co.

Their focus on large-scale data exfiltration makes them especially dangerous to retailers that rely on cloud platforms for customer engagement and sales. Stolen CRM records can be monetized through fraud, identity theft or resale on underground forums, and the reputational damage from such breaches can be severe. For retailers, defending the cloud environment is now just as critical as securing in-store systems.

DragonForce represents the RaaS model in action. This group operates more like a platform than a traditional gang, providing ransomware tools and infrastructure to affiliates who execute attacks. The group has been linked to the large-scale disruption at Marks & Spencer in spring 2025, where online ordering, logistics and warehouse operations were significantly impacted.

For U.S. retailers, DragonForce – as well as other cartels like RansomHub – is a reminder that the affiliates may change, but the platform allows for a steady drumbeat of new attacks. Their model enables rapid scaling: one affiliate gains initial access through phishing or compromised credentials, while another leverages DragonForce’s infrastructure to extort payment and leak stolen data.

FIN7 is not new, but its persistence makes it especially dangerous. Operating for nearly a decade, FIN7 is highly experienced at embedding itself in retail systems, often through phishing campaigns, malicious software updates or supply chain compromises.

Unlike newer groups that may “smash and grab,” FIN7 has the patience and sophistication to maintain a long presence inside a network, using remote access tools to quietly collect payment data, customer information or intellectual property. Their history of targeting point-of-sale systems in restaurants and at retailers demonstrates how adept they are at exploiting industry-specific weaknesses.

What Retail Executives Should Do Now

For retail executives, the goal isn’t eliminating cyber risk altogether, but minimizing exposure and ensuring the business can recover quickly if an attack occurs. With the holiday season approaching, here are six areas that deserve immediate focus:

  • Harden identity and access controls: The easiest entry points today are not firewalls or obscure vulnerabilities, but help desks, password resets and poorly managed vendor access. Identity management must be treated as a top business risk, not just a technical detail. That means enforcing strict protocols before accounts are reset, requiring multi-factor authentication that resists fatigue attacks and limiting privileged access to those who truly need it. Retailers also should demand that vendors connecting to their systems meet the same standards, since weak links in the supply chain are often the first doorway in.
  • Invest in detection and readiness: Executives should be asking not only if defenses are in place but whether the organization is actively looking for intruders. Proactive “threat hunting” for anomalies tied to groups like Scattered Spider or FIN7 is essential. So are tabletop exercises that simulate high-stakes scenarios, such as ransomware hitting fulfillment centers on Black Friday or customer payment systems going down in December. These rehearsals may feel uncomfortable, but they prevent panic and confusion when real incidents occur.
  • Reinforce backup and recovery: Ransomware’s leverage comes from paralyzing operations, but strong, tested recovery processes blunt that threat. Backups must be secure, off-network and regularly tested under realistic conditions. Recovery is as much a business continuity issue as a technical one, and boards should review recovery times and contingencies as closely as they review holiday sales forecasts.
  • Address the human element: Groups like Scattered Spider rely on the fact that busy employees may cut corners. Executives can change that equation by embedding security into culture. Help desks and customer service teams should have clear protocols for verifying identities — such as call-back checks or secondary approvals — before resetting credentials. Training should be framed not as compliance, but as protecting the business during its most critical moments. A few extra minutes of verification can prevent weeks of disruption.
  • Manage vendor and supply chain risk: Retailers depend on sprawling networks of payment processors, logistics providers, cloud vendors and software suppliers. Each represents potential exposure. Executives should ensure contracts spell out cybersecurity obligations, require regular audits and treat vendor oversight as a core part of supply chain resilience. Just as financial and operational risks are managed across suppliers, cybersecurity must be included as a critical dimension of retail partnerships.
  • Prepare for the broader consequences: Beyond these technical measures, executives must also prepare for regulatory reporting, lawsuits and reputational damage that can extend well into the next year following an attack. Crisis communications, customer notification protocols and regulator coordination should be ready in advance. Boards and leadership teams must be prepared not only to engage with attackers but also to reassure customers, partners and investors.
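The help-desk reset followed by an MFA change that the article attributes to Scattered Spider is the kind of anomaly the "detection and readiness" point asks teams to hunt for. The following is an added example, not code from the article or from Binary Defense: it runs a simple correlation over constructed identity-provider audit events (the event names, IPs and user names are invented for illustration) and flags users whose password was reset by a help-desk agent and who then enrolled a new MFA factor, within a window, from an IP that user had never used.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not real logs). "alice" is
# reset by a help-desk agent and 9 minutes later enrolls a new MFA factor from an
# IP never seen for her; "erin" is reset too, but re-enrolls from her usual IP.
SAMPLE_EVENTS = [
    {"ts": "2025-11-24T09:02:11Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "actor": "alice"},
    {"ts": "2025-11-24T13:15:40Z", "user": "alice", "event": "password.reset", "ip": "198.51.100.7", "actor": "helpdesk.bob"},
    {"ts": "2025-11-24T13:24:05Z", "user": "alice", "event": "mfa.factor.enrolled", "ip": "192.0.2.55", "actor": "alice"},
    {"ts": "2025-11-24T14:00:00Z", "user": "carol", "event": "password.reset", "ip": "198.51.100.7", "actor": "helpdesk.bob"},
    {"ts": "2025-11-24T14:05:00Z", "user": "carol", "event": "login.success", "ip": "203.0.113.44", "actor": "carol"},
    {"ts": "2025-11-24T10:00:00Z", "user": "erin", "event": "login.success", "ip": "203.0.113.77", "actor": "erin"},
    {"ts": "2025-11-24T10:10:00Z", "user": "erin", "event": "password.reset", "ip": "198.51.100.7", "actor": "helpdesk.bob"},
    {"ts": "2025-11-24T10:12:00Z", "user": "erin", "event": "mfa.factor.enrolled", "ip": "203.0.113.77", "actor": "erin"},
    {"ts": "2025-11-25T08:30:00Z", "user": "dave", "event": "mfa.factor.enrolled", "ip": "203.0.113.90", "actor": "dave"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_helpdesk_mfa_takeovers(events, window_minutes=60):
    """Return one alert per user whose help-desk password reset (actor != user) was
    followed within window_minutes by an MFA factor enrollment from an IP the user
    had never used before. Help-desk IPs are not counted as the user's own."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort lexically
    known_ips = {}       # user -> IPs seen on that user's own earlier events
    pending_resets = {}  # user -> (reset time, help-desk actor) of the latest reset
    alerts = []
    for e in events:
        user, ts, ip = e["user"], _parse(e["ts"]), e["ip"]
        if e["event"] == "password.reset" and e["actor"] != user:
            pending_resets[user] = (ts, e["actor"])
        elif e["event"] == "mfa.factor.enrolled" and user in pending_resets:
            reset_ts, reset_by = pending_resets[user]
            if (ts - reset_ts <= timedelta(minutes=window_minutes)
                    and ip not in known_ips.get(user, set())):
                alerts.append({"user": user, "reset_by": reset_by, "new_ip": ip,
                               "reset_at": reset_ts.isoformat(), "enrolled_at": ts.isoformat()})
        if e["actor"] == user:   # only the user's own activity builds the IP baseline
            known_ips.setdefault(user, set()).add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_helpdesk_mfa_takeovers(SAMPLE_EVENTS):
        print("ALERT possible help-desk MFA takeover:", alert)
```

A real hunt would draw the baseline from weeks of sign-in history and add device and geolocation context, but the sequence being matched is the same.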

As the holiday season approaches, sales goals may dominate the conversation, but security must remain a top priority. Adversaries are watching the same calendar you are, and they’re ready to strike when disruption will cost you most.


JP Castellanos is the Director of Threat Intelligence for Binary Defense, where he leads a team of intelligence analysts in monitoring emerging threats, conducting threat research and helping companies update their defenses. Castellanos is a 20-year veteran of the cybersecurity industry who has served in senior cybersecurity and threat intelligence roles at Lockheed Martin, SAIC and Capgemini. While at SAIC, he served on the Active Cyber Defense Team at the U.S. Central Command (USCENTCOM) Cyber Security Division. Castellanos also serves on the United States Marine Corps Cyber Auxiliary (MCCA), which is a volunteer organization aimed at increasing Marine Corps cyberspace readiness.
