Back to Intelligence

LOCKBIT5: Aggressive Healthcare & Manufacturing Campaign — CVE-2026-20131 Exploitation & Detection

SA
Security Arsenal Team
April 15, 2026
5 min read

Security Arsenal is tracking a resurgence in LOCKBIT5 activity, with 27 new victims posted in the last 100 days. The current campaign exhibits a distinct pivot towards the Healthcare and Manufacturing sectors, leveraging recently disclosed vulnerabilities in perimeter security appliances (Cisco FMC) and email infrastructure (SmarterMail) for initial access. Victims span the Americas, Europe, and Asia, suggesting a distributed affiliate model operating at high velocity.

Threat Actor Profile — LOCKBIT5

  • Aliases: LockBit 3.0, LockBit Black, LockBit Supp.
  • Model: Ransomware-as-a-Service (RaaS). LockBit5 represents the latest iteration, incorporating improved encryption speed and anti-analysis features designed to evade EDR.
  • Ransom Demands: Variable, typically ranging from $500k to $5M USD. Healthcare victims face elevated demands due to the critical nature of PHI data.
  • Initial Access: Predominantly external remote services (VPN exploitation via CVE-2026-20131, CVE-2025-5777) and web application flaws (SmarterMail CVE-2026-23760). Phishing remains a secondary vector.
  • Extortion: Double extortion is standard. Threat actors exfiltrate sensitive data (PII, IP, financial records) prior to encryption and threaten public release if ransoms are unpaid.
  • Dwell Time: 3–14 days. LOCKBIT5 affiliates act quickly, often moving laterally within 48 hours of initial breach.

Current Campaign Analysis

Sector Targeting: The victim list for April 2026 indicates a clear preference for:

  1. Healthcare: decaturdiagnosticlab.net (US), nucleodediagnostico.mx (MX), vitexpharma.com.
  2. Manufacturing: cegasa.com (ES), shunhinggroup.com (HK), aplast.ro (RO).
  3. Public Sector & Finance: comunidadandina.org (PE), fondonorma.org.ve (VE).

Geographic Concentration: While global, there is a heavy concentration in the Western Hemisphere (US, Dominican Republic, Mexico, Venezuela, Peru) and Southern Europe (Italy, Spain, Portugal).

CVE Connection: We assess with high confidence that the following CVEs are driving initial access in this campaign:

  • CVE-2026-20131 (Cisco Secure Firewall): Likely used to bypass perimeter defenses at wibeats.it and shunhinggroup.com to establish C2 channels.
  • CVE-2026-23760 (SmarterMail): Probable entry vector for nucleodediagnostico.mx and marti.do, providing a foothold into internal networks via email server compromise.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 4b2c6a9d-0f1e-4b5a-9c3d-8e7f6a5b4c3d
description: Detects potential deserialization attacks on Cisco FMC via unusual process chains or web requests.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/mgmt/cm/devicehandling' OR '/api/fmc_config/v1/domain'
        cs-method: POST
    filter:
        sc-status: 500
    condition: selection and filter
falsepositives:
    - Misconfigured management interfaces
level: high
---
title: SmarterMail Authentication Bypass CVE-2026-23760
id: 5d3e7b0e-1g2f-5c6d-0d4e-9f8g7h6i5j4k
description: Detects successful authentication attempts to SmarterMail without standard headers or via bypass paths.
status: experimental
date: 2026/04/15
author: Security Arsenal
logsource:
    product: smtp
    service: smtpsecurity
detection:
    selection_uri:
        c-uri|contains: '/Services/MailService.asmx'
    selection_auth:
        cs-username|contains: 'admin' OR 'system'
    filter_legit:
        c-useragent|contains: 'Mozilla' or 'Outlook'
    condition: selection_uri and selection_auth and not filter_legit
falsepositives:
    - Legacy API integrations
level: critical
---
title: LockBit5 Ransomware Pre-Encryption Activity
id: 6e4f8c1f-2h3g-6d7e-1e5f-0a1b2c3d4e5f
description: Detects activity typical of LockBit affiliates prior to encryption, including VSS deletion and system shutdown.
status: experimental
date: 2026/04/15
author: Security Arsenal
logsource:
    category: process_creation
detection:
    selection_vss:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'Delete Shadows' or 'Resize ShadowStorage'
    selection_bcd:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains: 'recoveryenabled no'
    selection_wevt:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains: 'cl' or 'clear-log'
    condition: 1 of selection_*
falsepositives:
    - System administration scripts
level: high

KQL (Microsoft Sentinel)

Hunts for lateral movement and data staging indicative of LockBit5 operations.

KQL — Microsoft Sentinel / Defender
// Hunt for unusual SMB/NamedPipe creation often used by Cobalt Strike Beacons
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("NamedPipeCreated", "SMBFileCreated")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe")
| where RemotePort in (445, 135) or FileName contains "\\\\.\\pipe\\"
| summarize count() by DeviceName, InitiatingProcessAccountName, FileName
| where count_ > 10

// Hunt for massive data egress (Exfil)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where SentBytes > 100000000 // >100MB
| where RemoteUrl !contains "microsoft.com" and RemoteUrl !contains "windowsupdate.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, SentBytes

PowerShell Response Script

Rapid response script to identify ransomware precursors and persistence mechanisms.

PowerShell
# LockBit5 Triage Script
Write-Host "Checking for Ransomware Indicators..." -ForegroundColor Yellow

# 1. Check for Recent Scheduled Tasks (Persistence)
$recentDate = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt $recentDate -and $_.State -eq 'Ready'}
if ($suspiciousTasks) {
    Write-Host "[ALERT] Recent Scheduled Tasks Found:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author
} else {
    Write-Host "[OK] No suspicious recent scheduled tasks." -ForegroundColor Green
}

# 2. Check Volume Shadow Copy Status (Pre-Encryption)
$vssStatus = vssadmin list shadows 2>&1
if ($vssStatus -like "*No shadow copies found*" -or $vssStatus -like "*error*") {
    Write-Host "[ALERT] VSS Shadows are missing or corrupted." -ForegroundColor Red
} else {
    Write-Host "[OK] VSS Shadows present." -ForegroundColor Green
}

# 3. Check for Suspicious Network Connections (Exfil)
$netstat = netstat -ano | Select-String "ESTABLISHED"
Write-Host "[INFO] Active Established Connections found. Review IPs manually."

Incident Response Priorities

  1. T-minus Detection: Hunt for SharpHound, Rclone, or Mega processes in EDR telemetry. These are used for data collection and staging.
  2. Asset Prioritization: Isolate EHR (Electronic Health Records) systems and CAD/CAM design servers immediately; these are the primary exfiltration targets for the current victim set.
  3. Containment: Revoke all VPN credentials for privileged accounts and enforce MFA. If Cisco FMC is in use, assume it is compromised and segment management traffic.

Hardening Recommendations

  • Immediate (24h): Patch Cisco Secure Firewall Management Center (CVE-2026-20131) and SmarterTools SmarterMail (CVE-2026-23760). Disable internet-facing RDP immediately.
  • Short-term (2 weeks): Implement a Zero Trust architecture for administrative access. Enforce application control policies to block vssadmin.exe and wevtutil.exe for non-admin users.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwarehealthcarecve-2026-20131cve-2026-23760

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action