{
	"id": "01146a64-1e9e-454e-b80c-dd8bd693b533",
	"created_at": "2026-04-06T01:31:52.239607Z",
	"updated_at": "2026-04-10T03:26:47.096663Z",
	"deleted_at": null,
	"sha1_hash": "77ef1a52f9268b1569711f755c875fe2ec01fa99",
	"title": "Subway Puts a LockBit Investigation on the Menu",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1943502,
	"plain_text": "Subway Puts a LockBit Investigation on the Menu\r\nBy Tara Seals\r\nPublished: 2024-01-23 · Archived: 2026-04-06 00:07:56 UTC\r\nTara Seals,Managing Editor, News,Dark Reading\r\nJanuary 23, 2024\r\nSource: graham jepson via Alamy Stock Photo\r\nThe Subway restaurant chain, creator of the Sweet Onion Teriyaki combo and slinger of sports-themed fast-casual\r\nsandwich deals, is investigating claims that the LockBit 3.0 ransomware gang was able to toast up its\r\ninfrastructure.\r\nLast week, the infamous ransomware group claimed on its Tor leak site that it \"exfiltrated [Subway's] SBS internal\r\nsystem, which includes hundreds of gigabytes of data and all financial aspects of the franchise, including\r\nemployee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers etc.\"\r\nLockBit claims that it will put the information up for sale on Feb. 2 unless the ransom is paid (the amount that the\r\ngroup is demanding is unknown).\r\nFor its part, Subway didn't unwrap what it thought about the claims until this week, when the company issued\r\nprivate statements to media that it's actively investigating LockBit's claims, but it has not yet provided any\r\nassessments or findings.\r\nLockBit Hacks Fresh?\r\nOne thing's certain — going after such a big hoagie of a target is out of character for the LockBit gang, so, if true,\r\nthe Subway hit could signal a change in its modus operandi.\r\n\"LockBit's recent claim of breaching Subway has raised eyebrows, but what’s most interesting is that it's not their\r\ntypical gig,\" says Ferhat Dikbiyik, head of research at the Black Kite cybersecurity firm. 
\"Their average prey\r\nconsists of companies with about $100 million in revenue, signaling that while they've taken a bite out of a\r\nbillion-dollar brand [now], the majority of their targets are midsize or small.\"\r\nThe reason for the pivot could be the presentation of sheer opportunity, he adds: \"An analysis of Subway\r\nwith Black Kite's platform confirms issues similar to other major enterprises with large attack surfaces. Many are\r\nslow to patch and, as a result, face vulnerability exploitation, a tactic of ransomware groups like LockBit. We've\r\nseen this before with incidents like the Boeing breach via CitrixBleed.\" \r\nBlack Kite estimates that LockBit enjoyed about a fifth (21%) of global ransomware market share last year,\r\nclaiming more than 1,000 victims. That's a number that dovetails with other estimates; a ransomware stats report\r\nthis week from ZeroFox, for example, found that LockBit accounted for more than 35% of total extortion attacks\r\nin early 2023 — peaking at almost 50% last February and 20% in the fourth quarter.\r\nZeroFox recommends a range of best practices as a good LockBit defense as the gang potentially expands its\r\nmenu of targets:\r\nImplement secure password policies and multifactor authentication.\r\nConfigure ongoing monitoring for compromised account credentials.\r\nProactively monitor for compromised accounts being brokered in deep and Dark Web forums.\r\nBack up critical, proprietary, or sensitive data to secure, off-site, or cloud servers.\r\nImplement network segmentation.\r\nDevelop a comprehensive incident response playbook.\r\nImplement email protections like DMARC.\r\nKeep versions and patching up-to-date.\r\nAbout the Author\r\nManaging Editor, News, Dark Reading\r\nTara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and\r\ntechnology 
space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North\r\nAmerican news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo\r\nPublishing), as executive editor and editor-in-chief at publications focused on both the service provider and the\r\nenterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts\r\nwith her family and is on a never-ending quest for good Mexican food in the Northeast.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/subway-lockbit-investigation-on-menu",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/subway-lockbit-investigation-on-menu"
	],
	"report_names": [
		"subway-lockbit-investigation-on-menu"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439112,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77ef1a52f9268b1569711f755c875fe2ec01fa99.pdf",
		"text": "https://archive.orkl.eu/77ef1a52f9268b1569711f755c875fe2ec01fa99.txt",
		"img": "https://archive.orkl.eu/77ef1a52f9268b1569711f755c875fe2ec01fa99.jpg"
	}
}