At a time when almost every part of an organization relies on IT infrastructure to function, cyberattacks have progressed from being disruptive to downright devastating. In fact, the cost of cyberattacks to UK businesses have been estimated at £44 billion in lost revenue over the past five years, affecting over half of private sector firms*. The recent ransomware attacks on Co-op and Marks & Spencer (M&S) in the UK serve as a sobering reminder of how susceptible even the most well-established businesses can be, and even more importantly, how challenging recovery can be.
The Anatomy of the Attacks
In April 2025, M&S and Co-op were hit by a coordinated cyberattack attributed to the Scattered Spider group, using DragonForce ransomware. The attackers exploited known vulnerabilities and used social engineering to gain access to internal systems. In effect, the consequences were devastating to say the least:
- M&S suspended online orders, suffered empty shelves, and lost an estimated £43 million per week**.
- Co-op faced disruptions in card payments, loyalty systems, and supply chain operations.
- Both companies confirmed that customer data was stolen, including names, addresses, and order histories.
Why Is Recovery So Difficult?
- Ransomware Drains IT Resources
Ransomware not only encrypts data—it can cripple an entire IT environment. IT teams need to divert resources to containment, analysis, and recovery. At M&S, weeks after the attack, online services remained offline, and the company couldn’t provide a timeline for full recovery.
- Immutable Storage Is Not a Silver Bullet
While immutable storage is a critical ransomware defense, it is not a silver bullet. Recovery still requires available and functioning IT infrastructure.
For example: if ransomware has compromised 90% of an organization’s systems, then even with clean backups, only 10% of the infrastructure is available to perform recovery tasks, creating an impossible situation. In some cases, organizations must purchase or provision additional hardware or cloud resources just to begin restoring systems at scale.
- Complexity of Modern IT Environments
Many businesses operate across hybrid environments—cloud, on-premises, and edge system. This complexity makes it harder to isolate threats and restore services. For example, M&S reported that not only were online orders affected, but also in-store scanners, loyalty apps, and internal reporting tools.
- Data Sensitivity and Regulatory Pressure
With customer data compromised, both companies faced not only business disruption, but also reputational and legal risk. GDPR and other data privacy laws require immediate notification and remediation, adding another layer of urgency and intricacy to the recovery process.
- Insurance Gaps and Financial Impact
While not much of a consolation, M&S had insurance that covered the costs of a cyberattack. Without such coverage, organizations could be fully exposed to the financial impact of an attack—including ransom negotiations, legal expenses, and lost revenue.***.
How Tintri VMstore and Glas-DP Can Help
Tintri VMstore offers a powerful solution for organizations looking to strengthen their cyber resilience and streamline recovery. When combined with Tintri Glas-DP, the built-in Data Protection and Recovery Suite (Glas-DP), VMstore’s intelligence and proactive capabilities become even more robust. (click here to view a webinar) that details snapshot locking and VMstore’s quick and simple recovery solution.
- Per-Application Locking Snapshots: VMstore allows for automated, immutable snapshots at the workload level. These snapshots are not only tamper-proof but also space-efficient, enabling frequent backups without performance degradation. Optional Admin approval to delete further protects from external and internal threats.
- Instant Recovery: Unlike traditional backup systems that require time-consuming data transfers, VMstore enables instant recovery of individual applications or entire environments. This drastically reduces downtime and accelerates business continuity.
- Resource Efficiency: VMstore’s intelligent storage architecture ensures that recovery operations don’t overwhelm available infrastructure and other applications. It optimizes I/O and storage performance, allowing organizations to recover even when resources are constrained.
- Predictive Analytics: With built-in analytics and machine learning, VMstore can identify anomalies and potential threats early, helping IT teams act before damage spreads.
- Scalability: In the event of a large-scale attack, VMstore can scale up and scale out, allowing organizations to add capacity quickly to support recovery efforts.
- Autonomous Support with Glas-DP: Employs extensive recovery capabilities via the Tintri Global Center (TGC)-AI platform leveraging the real time I/O stream and metadata of VMstore devices:
- Detect early warning signs and instant alerts on ransomware or system anomalies.
- Recommend or automatically initiate protective actions.
- Provide real-time insights and remediation steps tailored to the specific environment.
- Reduce human error and response time during critical incidents.
By integrating Tintri VMstore and Glas-DP into their infrastructure, organizations can not only protect their data but also ensure that recovery is fast, efficient, and minimally disruptive—even in the face of widespread ransomware attacks, and one that evolves with the threat landscape.
The Way Forward: Building Cyber Resilience
To protect themselves, organizations must rethink their cyber resilience strategies:
- Implement Immutable Storage: Ensure backups are tamper-proof and regularly tested.
- Provision Recovery Infrastructure: Plan for scalable recovery environments in advance.
- Leverage Smart Data Management Solutions: Use Tintri VMstore to enable rapid, resource-efficient recovery.
- Zero Trust Architecture: Limit access and verify every user and device.
- Employee Training: Social engineering remains a top attack vector.
- Incident Response Planning: Simulate attacks and rehearse recovery.
- Cyber Insurance: Ensure policies are up-to-date and comprehensive.
Conclusion
It is an unfortunate reality of the 21st century: for the vast majority of organizations, it is no longer a question of IF a cyberattack will happen, but of WHEN it will happen. The M&S and Co-op incidents are not isolated—they are part of a growing trend of sophisticated, targeted cyberattacks. Recovery is no longer just about restoring systems; it’s about preserving trust, continuity, and reputation. Organizations must have a prevention and recovery strategy and toolset organizations to counter attacks and deal with the aftermath quickly and effectively.
Sources:
** “M&S cyberattack costing retailer £43m a week in lost sales”. The Grocer, May 2025
