
Subway hit with ransomware attack, LockBit claims responsibility

Written by Tue 23 Jan 2024


Ransomware group LockBit has claimed to have breached Subway and stolen corporate data, prompting the company to investigate the attack on its IT systems.

As The Register reported on 21 January, LockBit listed Subway as its latest victim on its leak blog. The ransomware group set a deadline of 2 February for the fast food company to secure its compromised data. LockBit threatened to sell the stolen information to the sandwich chain’s competitors if no action was taken.

“We exfiltrated their SUBS internal system which includes hundreds of gigabytes of data and all financial [aspects] of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers etc,” said LockBit. 

LockBit has not shared any data it has allegedly stolen and Subway has not elaborated on the breach.

“The biggest sandwich chain is pretending that nothing happened,” said LockBit regarding Subway’s silence.

A Subway spokesperson told PCMag the company was ‘exploring the validity of the claim’. To date, the company’s website appears operational, with no notice of the reported breach. Neither the terms nor the amount of the ransom demand have been disclosed.

Subway has approximately 37,000 locations in more than 100 countries. The company’s app has been downloaded over 10 million times on the Google Play Store. 

Who is LockBit?

LockBit operates on a ransomware-as-a-service business model. It sells its malicious software to affiliates, enabling them to execute cyberattacks.

The group is also responsible for the malware of the same name. LockBit attackers typically threaten organisations with operational disruption, extortion, data theft and illegal publication of the stolen data.

In November, LockBit was suspected to be behind an attack on ICBC Financial Services’ critical systems, including corporate email and trading platforms.

ICBC Financial Services is the US unit of ICBC, the world’s largest commercial lender by total assets.

It was reported that the attack forced ICBC Financial Services to resort to unconventional methods, such as messengers hand-delivering settlements on thumb drives to the relevant parties.

In January 2023, Royal Mail experienced a cyberattack by LockBit. Royal Mail’s international shipping of parcels and letters through its post office branches was halted. The attackers demanded a £63 million ($80 million) ransom for the decryption key. Royal Mail did not pay the ransom.

Attack Serves as Warning for Establishments

Yossi Rachman, Director of Security Research at cyber resilience developer Semperis, said establishments should act now to take back their data and fight back against criminal enterprises.

“First, all organisations should understand what their critical systems are (including identity infrastructures such as Active Directory) before attacks occur,” said Rachman.

Rachman added it is not too late for enterprises to assess their network, as dealing with threat actors regularly is the ultimate cat-and-mouse game.

“The good guys need to stay at least one step ahead of the bad guys to protect their assets,” added Rachman.

Rachman advised enterprises to schedule regular tabletop exercises that simulate critical systems’ recovery before an incident occurs.

“By preparing in advance, defenders can make their organisations so difficult to compromise that hackers will look for softer targets,” said Rachman.

Companies also need to actively monitor unauthorised changes in their Active Directory infrastructure, a common target in cyber attacks. Real-time visibility into alterations to elevated network accounts and groups is also crucial.

Rachman stressed that a swift and efficient recovery process for Active Directory is essential in the event of a breach, enabling the organisation to quickly regain control and resume operations.
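The monitoring advice above, as an added example that is not part of the original article: a Python check that flags membership changes to privileged Active Directory groups, using records shaped like Windows Security events 4728/4732/4756 (member added) and 4729/4733/4757 (member removed). The group list, the `approved_actors` allowlist and the sample records are assumptions constructed for illustration.

```python
"""Flag membership changes to privileged Active Directory groups.

Records mimic fields of Windows Security group-membership events.
All sample data below is constructed for illustration.
"""
ADDED = {4728, 4732, 4756}    # member added: global / local / universal group
REMOVED = {4729, 4733, 4757}  # member removed: global / local / universal group

# Built-in high-privilege groups; extend with your own tier-0 groups.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators"}


def privileged_group_changes(events, approved_actors):
    """Return one alert per membership change to a privileged group.

    approved_actors is a hypothetical allowlist of accounts expected to
    manage these groups; a change made by anyone else is rated "high".
    """
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in ADDED | REMOVED:
            continue  # not a group-membership event
        group = ev.get("TargetUserName", "")  # group name in these events
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName", "")  # account that made the change
        alerts.append({
            "time": ev.get("TimeCreated"),
            "action": "added" if event_id in ADDED else "removed",
            "group": group,
            "member": ev.get("MemberName", ""),
            "actor": actor,
            "severity": "low" if actor.lower() in approved else "high",
        })
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real log data
    {"EventID": 4728, "TimeCreated": "2024-01-21T02:14:07Z", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "helpdesk01"},
    {"EventID": 4728, "TimeCreated": "2024-01-21T09:30:00Z", "TargetUserName": "Sales Team",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "SubjectUserName": "helpdesk01"},
    {"EventID": 4729, "TimeCreated": "2024-01-21T10:05:41Z", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=old-admin,OU=Admins,DC=corp,DC=example", "SubjectUserName": "ADM-Tier0"},
    {"EventID": 4624, "TimeCreated": "2024-01-21T10:06:00Z", "TargetUserName": "jdoe"},
]
```

In production the same filter would run against events forwarded from every domain controller, with the "high" alerts routed to an on-call queue.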
