Back to Intelligence

LOCKBIT5: Global Multi-Sector Campaign Exploiting Perimeter Vulnerabilities — Healthcare & Manufacturing Under Siege

SA
Security Arsenal Team
June 20, 2026
8 min read

Threat Actor Profile — LOCKBIT5

LOCKBIT5 represents the latest evolution of the notorious LockBit ransomware family, which has dominated the threat landscape since 2019. Operating as a sophisticated Ransomware-as-a-Service (RaaS) platform, LockBit5 utilizes an affiliate model where core developers maintain the encryption code while affiliates handle initial access and post-compromise operations.

Key Characteristics:

  • Ransom Demands: Typically $500K-$10M depending on victim size and revenue, with demands often increasing as deadlines approach
  • Initial Access Methods: Phishing campaigns, VPN exploitation (CVE-2026-50751), RDP brute force, and supply chain compromises
  • Double Extortion Approach: Encrypts victim systems while exfiltrating sensitive data, threatening public release if ransoms aren't paid
  • Average Dwell Time: 3-15 days before detonation, with affiliates prioritizing credential harvesting and lateral movement
  • Known TTPs: Uses advanced tools for lateral movement (PsExec, WMI, Cobalt Strike beacons), disables security services via PowerShell, and employs VSS shadow deletion to prevent recovery

Current Campaign Analysis

Sectors Under Attack

The recent campaign demonstrates broad targeting across multiple verticals:

  • Healthcare: 4 victims (teleton.org.hn, sanatoriodelta.com, primelinkbio.com)
  • Manufacturing: 3 victims (venelectronics.com, union-chemical.co.th, parampackaging.com)
  • Business Services: 2 victims (sra.nl, saico.co.th)
  • Education: 1 victim (utb.edu.vn)
  • Public Sector: 1 victim (saude.mt.gov.br)
  • Technology: 1 victim (sparkinter.com)
  • Hospitality: 1 victim (parkviewtaipei.com)

Geographic Distribution

This campaign demonstrates truly global reach with victims across 12 countries:

  • Asia-Pacific: Vietnam, Thailand, Taiwan (5 victims)
  • Europe: Austria, Netherlands (2 victims)
  • Americas: USA, Honduras, Brazil, Colombia, Venezuela, Puerto Rico (6 victims)
  • Middle East/Africa: Mauritius (1 victim)

Victim Profile

The victim roster suggests LOCKBIT5 affiliates are targeting a mix of SMBs ($5M-$50M revenue) and larger enterprises. The healthcare focus aligns with the group's historical targeting of organizations with time-sensitive operations and lower tolerance for downtime, creating leverage for ransom negotiations.

Posting Frequency & Escalation Patterns

LOCKBIT5 exhibited a coordinated bulk posting approach with 14 victims published on 2026-06-17, followed by an additional victim on 2026-06-19. This pattern suggests multiple affiliates operating simultaneously rather than a single operator.

Initial Access Vectors

Based on the associated CVEs and victim profiles, we assess with high confidence that LOCKBIT5 affiliates are exploiting:

  • CVE-2026-50751 (Check Point Security Gateway) - explaining the multinational victim distribution across varied security postures
  • CVE-2024-1708 (ConnectWise ScreenConnect) - consistent with attacks on MSPs and their downstream clients
  • CVE-2023-21529 (Microsoft Exchange Server) - enabling credential harvesting and initial persistence
  • CVE-2026-20131 (Cisco Secure Firewall Management Center) - allowing security infrastructure bypass

Detection Engineering

SIGMA Rules

YAML
---
title: Potential LockBit5 Affiliate Activity - Check Point Gateway Exploitation
id: 49e3f26b-a21b-4465-b9a9-4c6c2e6d72aa
description: Detects potential exploitation of CVE-2026-50751 and subsequent LockBit5 activity
status: experimental
date: 2026/06/20
references:
    - https://securityarsenal.com/threat-intelligence/lockbit5
author: Security Arsenal Threat Intel Team
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.50751
    - ransomware.lockbit5
logsource:
    product: firewall
detection:
    selection:
        dest_port: 500
        protocol: udp
    filter_ike:
        action|contains: 'accept'
    condition: selection and not filter_ike
falsepositives:
    - Legitimate IKEv1 traffic
level: high
---
title: LockBit5 Pre-Encryption Data Staging Pattern
id: 3f8d45a2-b5c7-4d9e-a7f3-8c9e1d2f6a8b
description: Detects data exfiltration patterns consistent with LockBit5 affiliate operations
status: experimental
date: 2026/06/20
references:
    - https://securityarsenal.com/threat-intelligence/lockbit5
author: Security Arsenal Threat Intel Team
tags:
    - attack.exfiltration
    - attack.t1041
    - ransomware.lockbit5
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains:
            - 'ADMIN$'
            - 'C$'
            - 'IPC$'
    filter_legitimate:
        SubjectUserName|contains:
            - 'ADMIN'
            - 'svc_'
    timeframe: 1h
    condition: selection and not filter_legitimate | count() > 5
falsepositives:
    - Legitimate administrative access
    - Backup operations
level: critical
---
title: LockBit5 WMI Lateral Movement Indicator
id: 7a6c2d9e-8f4b-4a2e-c5d3-1e9f8a7b6c5d
description: Detects WMI execution patterns commonly used by LockBit5 for lateral movement
status: experimental
date: 2026/06/20
references:
    - https://securityarsenal.com/threat-intelligence/lockbit5
author: Security Arsenal Threat Intel Team
tags:
    - attack.lateral_movement
    - attack.t1047
    - ransomware.lockbit5
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\\wmiprvse.exe'
        CommandLine|contains:
            - 'Create'
            - 'Invoke-CimMethod'
    filter_legitimate:
        SubjectUserName|contains:
            - 'NT AUTHORITY\\SYSTEM'
            - 'NT SERVICE\\'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate system administration
level: high

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for LockBit5 lateral movement and data staging indicators
let Timeframe = 7d;
let CommonAdminTools = dynamic(["powershell.exe", "cmd.exe", "psexec.exe", "wmic.exe"]);
let SuspiciousProcesses = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessVersionInfoCompanyName has_any ("Microsoft", "Sysinternals") == false
    | where FileName in~ (CommonAdminTools)
    | where InitiatingProcessAccountName !contains "ADMIN"
    | summarize count(), make_set(ProcessCommandLine, 100) by DeviceName, FileName, InitiatingProcessAccountName
    | where count_ > 3
);
let LargeFileOperations = materialize(
    DeviceFileEvents
    | where Timestamp > ago(Timeframe)
    | where FileSize > 100000000 // Files larger than 100MB
    | where ActionType =~ "FileCreated" or ActionType =~ "FileModified"
    | summarize count(), make_set(FileName, 50), make_set(FolderPath, 20) by DeviceName, InitiatingProcessAccountName
    | where count_ > 10
);
SuspiciousProcesses
| join kind=fullouter LargeFileOperations on DeviceName
| project DeviceName, FileName, count_, ProcessCommandLine_set, InitiatingProcessAccountName, FileOperationsCount = count__1, FileNames_set, FolderPaths_set
| where isnotempty(count_) or isnotempty(FileOperationsCount)
| order by coalesce(count_, 0) desc, coalesce(FileOperationsCount, 0) desc

Rapid-Response PowerShell Script

PowerShell
# LockBit5 Rapid Response Detection Script
# Author: Security Arsenal Threat Intel Team
# Purpose: Detect indicators of LockBit5 activity and potential compromise

Write-Host "Starting LockBit5 Indicator Scan..." -ForegroundColor Cyan

# Check for recently created scheduled tasks (potential persistence mechanism)
Write-Host "\n[+] Checking for recently created scheduled tasks..." -ForegroundColor Yellow
$RecentTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($RecentTasks) {
    Write-Host "WARNING: Found $($RecentTasks.Count) scheduled tasks created in the last 7 days:" -ForegroundColor Red
    $RecentTasks | Format-List TaskName, Date, Author, Actions
} else {
    Write-Host "No suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for unusual RDP connections
Write-Host "\n[+] Checking for recent RDP connections..." -ForegroundColor Yellow
$RDPEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddDays(-3)} -ErrorAction SilentlyContinue |
    Where-Object {$_.Message -like '*Logon Type: 10*'} |
    Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[18].Value}} |
    Group-Object IP | Where-Object {$_.Count -gt 5}

if ($RDPEvents) {
    Write-Host "WARNING: Found IPs with excessive RDP connections:" -ForegroundColor Red
    $RDPEvents | Format-Table Name, Count -AutoSize
} else {
    Write-Host "No suspicious RDP activity detected." -ForegroundColor Green
}

# Check for deleted or modified Volume Shadow Copies
Write-Host "\n[+] Checking Volume Shadow Copy status..." -ForegroundColor Yellow
try {
    $VSSStatus = vssadmin list shadows /for=c:
    if ($VSSStatus -like "No shadow copies found") {
        Write-Host "WARNING: No shadow copies found on C: drive. This may indicate deletion." -ForegroundColor Red
    } else {
        Write-Host "Shadow copies exist on C: drive." -ForegroundColor Green
    }
} catch {
    Write-Host "Could not check shadow copy status: $_" -ForegroundColor Yellow
}

# Check for processes with suspicious parent-child relationships
Write-Host "\n[+] Checking for suspicious process relationships..." -ForegroundColor Yellow
$SuspiciousParents = @("winword.exe", "excel.exe", "powershell.exe")
$SuspiciousChildren = @("cmd.exe", "powershell.exe", "wscript.exe")

Get-WmiObject Win32_Process | Where-Object {
    $_.ParentProcessId -ne 0 -and 
    $SuspiciousParents -contains (Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).ProcessName -and 
    $SuspiciousChildren -contains $_.ProcessName
} | ForEach-Object {
    $Parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    Write-Host "WARNING: Suspicious process chain detected: $($Parent.ProcessName) -> $($_.ProcessName) (PID: $($_.ProcessId))" -ForegroundColor Red
}

Write-Host "\nScan complete. If any warnings were detected, initiate incident response procedures immediately." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist

Before encryption begins, watch for these indicators:

  • Unusual PowerShell command-line arguments, particularly those combining encoding and file operations
  • Scheduled tasks created in the past 48 hours, especially those with SYSTEM privileges
  • Massive data transfers to cloud storage or unknown external IPs
  • Remote desktop connections from unusual geographic locations
  • Sudden changes to system privileges or creation of new administrative accounts
  • Unexpected disabling of security services (Windows Defender, EDR agents)
  • Execution of uncommon binaries from temporary directories
  • Sharp increases in WMI or scheduled task activity outside business hours

Critical Assets Prioritized for Exfiltration

LOCKBIT5 affiliates historically target these assets first:

  • Customer databases containing PII (Personally Identifiable Information)
  • Financial records, including payroll and banking information
  • Research and development data and intellectual property
  • Executive communications and confidential documents
  • HR files with employee personal information
  • Patient records (for healthcare targets)

Containment Actions Ordered by Urgency

  1. IMMEDIATE (0-2 hours): Isolate affected systems from the network
  2. CRITICAL (2-6 hours): Temporarily disable VPN and RDP access
  3. HIGH (6-12 hours): Patch CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect)
  4. HIGH (12-24 hours): Review and reset credentials for privileged accounts
  5. MEDIUM (24-48 hours): Implement network segmentation to limit lateral movement

Hardening Recommendations

Immediate (24 hours)

  • Patch Critical Vulnerabilities: Deploy patches for CVE-2026-50751 and CVE-2024-1708 immediately
  • Enable MFA: Implement multifactor authentication on all VPN, RDP, and critical application access
  • Disable Unused Protocols: Temporarily disable RDP and SMBv1 where not operationally required
  • Block Outbound Connections: Restrict outbound connections to known non-business domains and IP ranges
  • Review Firewall Rules: Audit and tighten remote access rules, especially on Check Point and Cisco devices
  • Credential Reset: Force password resets for all privileged and service accounts

Short-term (2 weeks)

  • Zero Trust Implementation: Deploy Zero Trust network access controls for all critical systems
  • Application Whitelisting: Implement strict allowlisting for PowerShell, WMI, and administrative tools
  • Comprehensive Vulnerability Assessment: Complete assessment for CVE-2023-21529 and CVE-2026-20131
  • Network Segmentation: Enhance segmentation to isolate critical systems from general network traffic
  • Advanced Threat Detection: Deploy behavioral analytics to detect anomalous data transfers and lateral movement
  • Offline Backups: Ensure critical data is backed up offline and regularly tested for restoration

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwarehealthcare-targetsmanufacturing-attackscve-exploitationperimeter-breaches

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action