Back to Intelligence

LOCKBIT5: Americas-Heavy Surge Targets Healthcare & Manufacturing — Critical CVEs Active

SA
Security Arsenal Team
April 16, 2026
7 min read

Threat Actor Profile — LOCKBIT5

  • Aliases: LockBit 3.0 (Superseded), LockBit Black (Superseded).
  • Operational Model: Ransomware-as-a-Service (RaaS) with an aggressive affiliate program. Highly automated deployment allowing for high victim throughput.
  • Ransom Demands: Variable, typically ranging from $500k to $10M+ USD, calculated based on victim revenue and encryption coverage.
  • Initial Access Vectors: Historically focused on exposed RDP and VPN vulnerabilities. Current campaigns show a significant pivot towards exploiting specific edge services (Email gateways, Firewall Management Centers) and phishing for valid credentials.
  • Extortion Strategy: Double extortion. LOCKBIT5 exfiltrates sensitive data (PFI, IP, financials) prior to encryption and threatens public release on their .onion site. They are known to DDoS victim sites if negotiations stall.
  • Average Dwell Time: 3–10 days. LOCKBIT affiliates are "fast movers," often moving laterally and detonating payloads within 72 hours of initial foothold to evade detection.

Current Campaign Analysis

Sector Targeting

Analysis of the last 15 victim postings reveals a distinct pivot toward critical infrastructure and essential services:

  • Healthcare (20%): Decatur Diagnostic Lab (US), Nucleo de Diagnostico (MX), Vitex Pharma.
  • Manufacturing (27%): Cegasa (ES), Shunhing Group (HK), Aplast (RO), Vitropor (PT).
  • Business/Tech Services: Wibeats (IT), Pegasussrl (IT).

Geographic Concentration

The campaign is heavily concentrated in the Americas:

  • North America: US (Decatur Diagnostic), Mexico (Nucleo de Diagnostico).
  • Caribbean/South America: Dominican Republic (Marti), Venezuela (Fondonorma), Peru (Comunidad Andina).
  • Secondary Targets: Southern Europe (Spain, Italy, France, Portugal) and East Asia (Japan, Hong Kong).

Victim Profile

Victims range from mid-market entities (e.g., regional diagnostic labs) to large multinational conglomerates (e.g., Shunhing Group). The selection suggests a willingness to target entities with high operational downtime costs rather than just those with massive liquidity.

CVEs & Initial Access Linkage

LOCKBIT5 affiliates are actively exploiting recently added CISA KEV vulnerabilities to gain initial access:

  1. CVE-2026-20131 (Cisco Secure Firewall FMC): Critical for network infrastructure bypass. Likely used against tech and financial sector victims.
  2. CVE-2026-23760 (SmarterTools SmarterMail): An authentication bypass allowing unprivileged access to email services. This is a high-value vector for phishing internal users or harvesting credentials for lateral movement.
  3. CVE-2025-5777 (Citrix NetScaler): A perpetual favorite for ransomware groups to breach perimeter VPNs.

Posting Frequency

LOCKBIT5 is maintaining a high tempo, averaging 1-2 victim postings every 24-48 hours. This indicates a highly efficient automated encryption pipeline and a large active affiliate base.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential LOCKBIT5 Exploitation of Cisco FMC (CVE-2026-20131)
id: 3b8a1c2d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects potential deserialization exploitation attempts or suspicious web shell activity on Cisco FMC related to CVE-2026-20131.
status: experimental
author: Security Arsenal Research
date: 2026/04/17
tags:
    - attack.initial_access
    - cve.2026.20131
    - detection.emerging_threats
logsource:
    category: web
    product: apache
    # Or specific proxy/NGFW logs
detection:
    selection:
        cs-method: 'POST'
        c-uri|contains:
            - '/mgmt/'
            - '/api/fmc_config'
        sc-status:
            - 200
            - 500
    filter:
        cs-user-agent|contains: 'Cisco'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative API usage
level: high

---
title: SmarterMail Authentication Bypass (CVE-2026-23760)
id: 9d8e7f6a-5b4c-3d2e-1f0a-9b8c7d6e5f4a
description: Detects authentication bypass attempts on SmarterMail via alternate paths or unusual success patterns from unknown IPs.
status: experimental
author: Security Arsenal Research
date: 2026/04/17
tags:
    - attack.initial_access
    - cve.2026.23760
    - attack.web_application_attack
logsource:
    category: webserver
    product: iis # SmarterMail often runs on IIS
detection:
    selection_uri:
        c-uri|contains:
            - '/LivePreview/'
            - '/Calendar/Event/'
            - '/mapi/'
    selection_method:
        cs-method: 'GET' or 'POST'
    condition: selection_uri and selection_method
falsepositives:
    - Legitimate plugin usage
level: critical

---
title: LOCKBIT5 Ransomware Process Execution Patterns
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects characteristic process execution chains used by LOCKBIT affiliates, including SharpHound, 7-Zip, and PsExec for lateral movement and exfiltration.
status: experimental
author: Security Arsenal Research
date: 2026/04/17
tags:
    - attack.execution
    - attack.lateral_movement
    - attack.collection
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith:
            - '\\7z.exe'
            - '\\powershell.exe'
            - '\\psexec.exe'
            - '\\psexec64.exe'
    selection_args:
        CommandLine|contains:
            - ' -a ' # 7z archiving
            - ' -p' # 7z password
            - 'Invoke-BloodHound'
            - ' -accepteula'
    condition: selection_tools and selection_args
falsepositives:
    - Administrative scripting
    - Legitimate backups
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for mass data staging and lateral movement indicative of pre-encryption activity
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Common tools used by LockBit affiliates for recon and movement
| where FileName in~ ("powershell.exe", "cmd.exe", "powershell_ise.exe", "wmic.exe", "psexec.exe", "psexec64.exe", "rundll32.exe")
// Suspicious arguments often used for disabling security or moving laterally
| where ProcessCommandLine has "Add-Persistence" 
   or ProcessCommandLine has "New-ItemProperty" 
   or ProcessCommandLine has "-Enc" 
   or ProcessCommandLine has "SCCM" 
   or ProcessCommandLine has "SharpHound"
// Check for parent processes often associated with ransomware droppers
| where InitiatingProcessFileName in~ ("mshta.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe")
| summarize count() by DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by count_ desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    LockBit5 Rapid Response Hardening & Detection Script
.DESCRIPTION
    Checks for recent suspicious scheduled tasks (persistence) and validates
    Volume Shadow Copy Service (VSS) status. LOCKBIT5 is known to delete VSS.
#>

Write-Host "[+] Starting LockBit5 Rapid Response Checks..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days
Write-Host "[!] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-7)
Get-ScheduledTask | ForEach-Object {
    $taskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
    if ($taskInfo.LastRunTime -gt $cutoffDate -or $_.Date -gt $cutoffDate) {
        Write-Host "SUSPICIOUS TASK FOUND: $($_.TaskName) | Path: $($_.TaskPath) | Last Run: $($taskInfo.LastRunTime)" -ForegroundColor Red
    }
}

# 2. Check Volume Shadow Copy Status
Write-Host "[!] Checking Volume Shadow Copy (VSS) health..." -ForegroundColor Yellow
try {
    $vss = Get-WmiObject -Class Win32_ShadowCopy
    if ($vss.Count -eq 0) {
        Write-Host "CRITICAL: No Shadow Copies found. This is a common post-exploitation step for LockBit." -ForegroundColor Red
    } else {
        Write-Host "INFO: $($vss.Count) Shadow Copies found. Newest: $($vss[0].InstallDate)" -ForegroundColor Green
    }
} catch {
    Write-Host "ERROR: Could not query VSS." -ForegroundColor Red
}

# 3. Audit Recent RDP Connections (Last 24h)
Write-Host "[!] Auditing RDP Connections (Last 24h)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} | 
Where-Object {$_.Message -match 'Logon Type:\s+10' -and $_.Message -notmatch 'Source Network Address:\s+-'} |
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}} | Format-Table

Write-Host "[+] Check Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist

If you suspect LockBit5 activity, verify these indicators immediately:

  1. Mass File Deletion: Check for vssadmin.exe delete shadows or wbadmin.exe delete catalog in logs.
  2. PowerShell Encoded Commands: Look for powershell.exe -enc commands with high entropy.
  3. Domain Controller Logs: Check Event ID 4742 (Computer object changed) for unexpected "samAccountName" or "scriptPath" modifications.

Critical Assets for Exfiltration

LockBit5 prioritizes exfiltrating:

  • Healthcare: Patient databases (EMR/EHR), MRI/X-Ray archives, insurance billing records.
  • Manufacturing: CAD/CAM designs, proprietary formulas, supply chain manifests.
  • Financial: ACH transaction logs, customer SSNs/Tax IDs.

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect VPN concentrators (especially Cisco ASA/FMC) and exposed web servers from the internal network immediately.
  2. Revoke Credentials: Force-reset passwords for all service accounts (especially those running email services).
  3. Block IP Segments: Block outbound traffic to known TOR exit nodes and non-business essential geographies.

Hardening Recommendations

Immediate (24 Hours)

  • Patch CVE-2026-20131 & CVE-2026-23760: Apply the Cisco FMC and SmarterMail patches immediately. If patching is not possible, disable external access to these management interfaces via firewall ACLs.
  • Disable RDP: Ensure Remote Desktop is not exposed to the internet. Enforce MFA for all remote access via VPN or Zero Trust gateway.
  • Phishing Awareness: Alert staff to healthcare/HR themed phishing emails, as SmarterMail exploits often facilitate internal phishing.

Short-Term (2 Weeks)

  • Network Segmentation: Implement strict micro-segmentation. Prevent lateral movement from web DMZs to the internal database network.
  • Zero Trust Architecture: Transition to a model where all access requests, internal or external, are verified explicitly based on identity, device health, and trust.
  • EDR Tuning: Update EDR policies to alert on unsigned PowerShell scripts and the execution of common admin tools (7zip, PsExec) from non-admin workstations.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwarehealthcaremanufacturingcve-2026-20131initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action