Threat Level: CRITICAL Date: 2026-04-15 Analyst: Security Arsenal Intel Unit
Threat Actor Profile — LOCKBIT5
LOCKBIT5 (evolution of the LockBit 3.0/Supp architecture) remains the most prolific Ransomware-as-a-Service (RaaS) operation in the criminal ecosystem. Operating on an affiliate model, LOCKBIT5 provides a highly customizable encryptor to a wide network of criminal affiliates who conduct initial access and lateral movement in exchange for a cut of the ransom proceeds.
- Ransom Demands: Variable, generally ranging from $500k to $10m+ USD depending on victim revenue and data sensitivity. Negotiations are aggressive.
- Initial Access: Historically relies on phishing, exploited Remote Desktop Protocol (RDP), and valid credentials purchased from initial access brokers. However, recent trends show a heavy pivot toward exploiting internet-facing appliances (VPNs, Firewalls) for unauthenticated entry.
- Tactics: Aggressive double and triple extortion (encryption + data leak + DDoS).
- Dwell Time: Typically 3–14 days. Affiliates spend time enumerating Active Directory, exfiltrating terabytes of data to cloud storage (often MEGA or Mega.nz), and disabling security solutions before detonation.
Current Campaign Analysis
Based on victim postings from April 3–13, 2026, LOCKBIT5 affiliates are executing a high-velocity campaign targeting critical operational sectors.
Sector Targeting
The victim breakdown indicates a shift toward high-uptime sectors where pressure to pay is highest:
- Healthcare: 20% of recent victims (e.g., decaturdiagnosticlab.net, nucleodediagnostico.mx).
- Manufacturing: 27% of recent victims (e.g., cegasa.com, shunhinggroup.com), likely for IP theft and business disruption leverage.
- Public Sector & Finance: Significant hits in Peru (comunidadandina.org) and Venezuela (fondonorma.org.ve).
Geographic Distribution
The campaign is aggressively trans-regional, with heavy concentrations in the Americas (US, MX, DO, PE, VE) and Europe (ES, IT, RO, PT), with recent expansion into Asia-Pacific (JP, HK).
CVE Connection & Vectors
There is a high correlation between recent victim perimeter footprints and the CISA KEV list. We assess with high confidence that affiliates are weaponizing:
- CVE-2026-20131 (Cisco Secure Firewall FMC): Allows unauthenticated deserialization leading to RCE. Victims like cegasa.com and wibeats.it likely utilize this enterprise-grade tech stack.
- CVE-2025-5777 (Citrix NetScaler): A persistent favorite for ransomware groups to bypass perimeter authentication.
- CVE-2026-23760 (SmarterMail): Access to email servers provides a beachhead for internal phishing and credential harvesting.
Detection Engineering
SIGMA Rules
```yaml
title: Potential LOCKBIT5 Lateral Movement via PsExec
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects the use of PsExec for lateral movement, a common post-exploitation technique used by LockBit affiliates to spread the encryptor.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
  - https://securityarsenal.com/threat-intel
tags:
  - attack.execution
  - attack.lateral_movement
  - detection.emerging_threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Both keys in one selection must match (Image AND CommandLine).
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains:
      - 'accepteula'
  condition: selection
falsepositives:
  - Legitimate administration
level: high
---
title: Ransomware Behavior - VSS Shadow Copy Deletion
id: b2c3d4e5-6789-01ab-cdef-234567890abc
description: Detects commands used to delete Volume Shadow Copies, a precursor step often taken by LockBit before encryption to prevent recovery.
status: experimental
date: 2026/04/15
author: Security Arsenal
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
  deletion_keywords:
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowstorage delete'
      - 'shadowcopy delete'   # wmic form of the same action
  # Both selections must match. 'all of selection*' would only expand to
  # identifiers starting with "selection" and silently drop deletion_keywords,
  # alerting on every vssadmin/wmic execution.
  condition: selection and deletion_keywords
falsepositives:
  - System administration scripts (rare)
level: critical
---
title: Suspicious PowerShell Encoded Command
id: c3d4e5f6-7890-12ab-cdef-345678901bcd
description: Detects PowerShell commands with encoded payloads, frequently used by LockBit loaders to bypass AV detection.
status: experimental
date: 2026/04/15
author: Security Arsenal
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - ' -e '
      - ' -Enc '
      - ' -enc '
      - 'EncodedCommand'
  filter_legit:
    # Single-quoted YAML does not escape backslashes; a trailing '\\' would
    # require two literal backslashes and never match.
    ParentImage|contains:
      - '\Program Files\'
  condition: selection and not filter_legit
falsepositives:
  - System management tools
level: medium
```
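To show how the three process_creation rules above behave on real-looking telemetry (including the AND between the two selections of the shadow-copy rule and the parent-image filter of the PowerShell rule), here is an added Python matcher that is not part of the advisory. The events are constructed samples; `shadowcopy delete` (the wmic form) is included here as an assumption beyond the page's keyword list.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample process_creation events (not telemetry from any victim).
EVENTS: List[Event] = [
    {"Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\FS01 -accepteula -s cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},            # benign: no deletion keyword
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAA==",
     "ParentImage": r"C:\Users\jdoe\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAA==",
     "ParentImage": r"C:\Program Files\Vendor\UpdateAgent.exe"},  # filtered
]

def endswith_any(value: str, patterns: List[str]) -> bool:
    v = value.lower()  # Sigma string modifiers are case-insensitive by default
    return any(v.endswith(p.lower()) for p in patterns)

def contains_any(value: str, patterns: List[str]) -> bool:
    v = value.lower()
    return any(p.lower() in v for p in patterns)

def psexec_lateral_movement(ev: Event) -> bool:
    # Keys inside one selection map are ANDed: Image AND CommandLine.
    return (endswith_any(ev.get("Image", ""), ["\\psexec.exe", "\\psexec64.exe"])
            and contains_any(ev.get("CommandLine", ""), ["accepteula"]))

def shadow_copy_deletion(ev: Event) -> bool:
    # Two named selections joined by AND ('selection and deletion_keywords').
    return (endswith_any(ev.get("Image", ""), ["\\vssadmin.exe", "\\wmic.exe"])
            and contains_any(ev.get("CommandLine", ""),
                             ["delete shadows", "shadowstorage delete", "shadowcopy delete"]))

def encoded_powershell(ev: Event) -> bool:
    # 'selection and not filter_legit'
    return (endswith_any(ev.get("Image", ""), ["\\powershell.exe"])
            and contains_any(ev.get("CommandLine", ""), [" -e ", " -enc ", "encodedcommand"])
            and not contains_any(ev.get("ParentImage", ""), ["\\program files\\"]))

RULES: Dict[str, Callable[[Event], bool]] = {
    "psexec_lateral_movement": psexec_lateral_movement,
    "shadow_copy_deletion": shadow_copy_deletion,
    "encoded_powershell": encoded_powershell,
}

def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, n) for i, ev in enumerate(events) for n, r in RULES.items() if r(ev)]
```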
KQL (Microsoft Sentinel)
Hunt for lateral movement signs consistent with LockBit affiliate activity.
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('psexec.exe', 'psexec64.exe', 'wmic.exe', 'wmi.exe')
| where ProcessCommandLine has_any ('accepteula', 'process call', 'create')
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
```
PowerShell Response Script
Check for Scheduled Tasks created recently—a common persistence mechanism for LockBit droppers.
```powershell
# Author: Security Arsenal Response Team
# Description: Hunts for Scheduled Tasks created in the last 7 days.
$DateCutoff = (Get-Date).AddDays(-7)

# The Date property of a scheduled task is a string (and empty for many built-in
# tasks), so cast it before comparing; a string-to-DateTime comparison would be lexical.
$SuspiciousTasks = Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date -gt $DateCutoff) }

if ($SuspiciousTasks) {
    # ${DateCutoff}: is required; "$DateCutoff:" would be parsed as a drive-qualified variable.
    Write-Host "[ALERT] Suspicious Scheduled Tasks found created since ${DateCutoff}:" -ForegroundColor Red
    $SuspiciousTasks | Format-List TaskName, TaskPath, Date, Author, Actions
} else {
    Write-Host "[OK] No scheduled tasks created in the last 7 days." -ForegroundColor Green
}

# Check for process names or window titles referencing LockBit.
# ProcessName never includes an extension, so match on the bare name.
$LockBitProcesses = Get-Process |
    Where-Object { $_.ProcessName -like "*lockbit*" -or $_.MainWindowTitle -like "*LOCKBIT*" }

if ($LockBitProcesses) {
    Write-Host "[CRITICAL] LockBit related processes detected!" -ForegroundColor Red
    $LockBitProcesses
}
```
---
Incident Response Priorities
If a compromise is suspected, the following T-minus checklist is critical for LOCKBIT5:
- T-60 Minutes (Immediate Containment): Isolate affected VLANs. If VPN access is suspected, revoke all VPN credentials immediately and force MFA resets.
- Identify Critical Assets: LOCKBIT5 prioritizes exfiltration of PII/PHI (Healthcare), CAD/Blueprint files (Manufacturing), and Financial SQL Databases. Check cloud storage logs (OneDrive, MEGA, Dropbox) for unauthorized mass uploads.
- Hunt for the Stealer: Look for sharp-hss or mimikatz output files. They use these to dump credentials before moving laterally.
- Scan for Open Shares: LOCKBIT5 spreads via SMB. Identify open Admin shares (C$, ADMIN$) and close them.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical Perimeter: Immediately patch CVE-2026-20131 (Cisco FMC) and CVE-2025-5777 (Citrix NetScaler). These are currently active exploitation vectors.
- Disable RDP from Internet: Ensure RDP (TCP 3389) is not accessible from the internet. Enforce VPN-only access with MFA.
- Audit SmarterMail: If running SmarterMail, patch CVE-2026-23760 immediately.
Short-term (2 Weeks)
- Network Segmentation: Ensure high-value assets (EHR systems, SCADA controllers) are in separate VLANs with strict firewall rules limiting lateral movement (SMB/RPC).
- Implement Phishing-Resistant MFA: Move to FIDO2/WebAuthn. LOCKBIT5 affiliates frequently bypass standard TOTP MFA using AiTM (Adversary-in-the-Middle) kits.
- EDR Coverage Rollout: Ensure EDR agents are deployed on edge devices and servers, not just workstations.
Related Resources