
LOCKBIT5 Global Offensive: Critical Infrastructure Exploits & Healthcare Sector Targeting

Security Arsenal Team
June 20, 2026
6 min read

Excerpt

LOCKBIT5 releases 15 new victims, exploiting CVE-2024-1708 and VPN flaws. Healthcare and Manufacturing sectors are prime targets; patch immediately.

Threat Actor Profile — LOCKBIT5

LOCKBIT5 represents the latest evolution of the notorious LockBit RaaS ecosystem. Operating under a highly successful affiliate model, the group provides sophisticated encryption binaries to a network of criminal sub-operators in exchange for a cut of the ransom profits.

  • Model: Ransomware-as-a-Service (RaaS).
  • Ransom Demands: Typically range from $500,000 to $10 million, escalating based on victim revenue and perceived urgency.
  • Initial Access: Historically relied on phishing for initial entry, but has aggressively pivoted to exploiting vulnerabilities in external-facing perimeter devices (Check Point, Cisco, Fortinet) and remote management software (ConnectWise ScreenConnect, RDP).
  • Tactics: Aggressive double extortion. The gang steals sensitive data prior to encryption and threatens to release it on their .onion leak site if payment is not received.
  • Dwell Time: LockBit affiliates are known for speed-to-impact. Average dwell time is often between 3 to 5 days from initial compromise to encryption, giving defenders a very narrow window to detect and eject the attacker.

Current Campaign Analysis

Sectors & Geography

Based on the 15 victims posted between June 17-19, 2026, LOCKBIT5 is executing a geographically diverse campaign with a specific focus on critical societal functions:

  • Targeted Sectors:

    • Healthcare (20%): teleton.org.hn (Honduras), sanatoriodelta.com (Colombia), primelinkbio.com (USA).
    • Manufacturing (20%): venelectronics.com (Venezuela), union-chemical.co.th (Thailand), parampackaging.com (Turkey).
    • Business Services & Tech: sra.nl (Netherlands), sparkinter.com (Technology), saico.co.th (Thailand).
    • Public Sector & Education: saude.mt.gov.br (Brazil - Public Health), utb.edu.vn (Vietnam - Education).
  • Geographic Concentration: The campaign shows a "spray and pray" approach with distinct clusters in Southeast Asia (Vietnam, Thailand) and Latin America (Venezuela, Brazil, Colombia), alongside high-value targets in the US and Europe.

Victim Profile & CVE Connection

  • Victim Profile: The targets range from regional government bodies (Brazil) to multinational manufacturing entities (Union Chemical). The inclusion of sra.nl suggests a willingness to attack Western European business services, likely for intellectual property theft.
  • CVE Correlation: The confirmed exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway) provides a clear technical narrative for the victim list.
    • Business Services (sra.nl) and Technology (sparkinter.com) victims likely fell via the ScreenConnect vulnerability, a common vector for managed service providers (MSPs).
    • The geo-dispersed nature of the Manufacturing victims suggests compromise via VPN gateways (Check Point/Cisco CVEs) used for remote industrial access.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploitation
id: 471a3c5f-4c12-45a7-b1e4-9325d1c8f9e1
status: experimental
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI paths
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/21
logsource:
    category: webserver
detection:
    selection:
        # Only URI content belongs in c-uri. A request header such as
        # "Authorization: Bearer" never appears in this field; match it on a
        # header field if your web server log source exposes one.
        c-uri|contains:
            - '/App_Extensions/'
            - '/LiveChatHandler.ashx'
    condition: selection
falsepositives:
    - Legitimate administrative access
level: critical
---
title: Suspicious IKEv1 Key Exchange Anomalies on Check Point Gateways
id: 58d2e4f1-6a3b-4c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects anomalies indicative of CVE-2026-50751 exploitation attempts on Check Point Security Gateways
author: Security Arsenal
date: 2026/06/21
logsource:
    product: firewall
    definition: Check Point Logs
detection:
    selection_ikev1:
        product: 'VPN'
        service: 'ike'
        ike_version: '1'
    selection_auth_fail:
        action: 'decrypt'
        details|contains: 'authentication failed'
    condition: all of selection_*
falsepositives:
    - Misconfigured VPN clients
level: high
---
title: LOCKBIT5 Potential Process Injection Pattern
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects suspicious process execution patterns often used by LockBit affiliates for lateral movement and defense evasion
author: Security Arsenal
date: 2026/06/21
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    selection_cli:
        CommandLine|contains:
            - ' -encodedcommand '
            - ' /c '
            - 'regsvr32.exe /s '
            - 'Invoke-Expression'
    selection_suspicious_files:
        CommandLine|contains:
            - '.dll,'
            - 'AppData\Local\Temp'
    condition: all of selection_*
falsepositives:
    - Administrative scripting
level: high
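To check what the rules above actually match before they reach a SIEM, the following is an added example (not code from the original post or from Security Arsenal): a minimal evaluator for the subset of Sigma syntax these rules use (`field|contains`, `field|endswith`, list values OR-ed, fields within a selection AND-ed, and the conditions `selection` and `all of selection_*`). The first and third rules are embedded as Python dicts so no YAML library is needed, and the web and process events it runs over are constructed for this example, not real telemetry.

```python
import fnmatch
import re
from typing import Any, Dict, List


def _match_value(modifier: str, actual: Any, expected: str) -> bool:
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    return a == e  # no modifier: exact (case-insensitive) match


def _match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every field in a selection must match; a list of values for one field is OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event[field], str(v)) for v in values):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a rule's detection block against one flat event dict."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    quantified = re.fullmatch(r"(all|1) of (\S+)", condition)
    if quantified:
        names = [n for n in selections if fnmatch.fnmatch(n, quantified.group(2))]
        results = [_match_selection(selections[n], event) for n in names]
        return all(results) if quantified.group(1) == "all" else any(results)
    return _match_selection(selections[condition], event)


def matching_events(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


# The two rules above, reduced to their detection blocks.
SCREENCONNECT_RULE = {
    "title": "Potential ConnectWise ScreenConnect Path Traversal Exploitation",
    "detection": {
        "selection": {"c-uri|contains": ["/App_Extensions/", "/LiveChatHandler.ashx"]},
        "condition": "selection",
    },
}

PROCESS_RULE = {
    "title": "LOCKBIT5 Potential Process Injection Pattern",
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"]},
        "selection_cli": {"CommandLine|contains": [" -encodedcommand ", " /c ", "regsvr32.exe /s ", "Invoke-Expression"]},
        "selection_suspicious_files": {"CommandLine|contains": [".dll,", "AppData\\Local\\Temp"]},
        "condition": "all of selection_*",
    },
}

# Constructed sample events (field names follow the Sigma webserver and process_creation taxonomies).
WEB_EVENTS = [
    {"c-uri": "/App_Extensions/demo/Handler.ashx", "cs-method": "POST"},  # hits the path selection
    {"c-uri": "/Login", "cs-method": "GET"},                               # ordinary request
]

PROCESS_EVENTS = [
    {  # all three selections match: PowerShell, encoded command, script staged in %TEMP%
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -EncodedCommand QQBB -File C:\\Users\\u\\AppData\\Local\\Temp\\a.ps1",
    },
    {  # image and command-line cue match, but no staged file: the 'all of' condition drops it
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]


if __name__ == "__main__":
    print("web hits:", matching_events(SCREENCONNECT_RULE, WEB_EVENTS))
    print("process hits:", matching_events(PROCESS_RULE, PROCESS_EVENTS))
```

The second process event shows why the third rule uses `all of selection_*`: a bare `cmd.exe /c` would fire constantly on the `selection_cli` cues alone, and requiring the `AppData\Local\Temp` or `.dll,` indicator is what keeps the rule at a usable false-positive rate. Note that `all of` over a pattern that matches no selection evaluates to true, so a typo in a selection name silently widens a rule; a real Sigma backend will reject that, this toy evaluator will not.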

Hunting Query (KQL)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement indicators common in LockBit campaigns
DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmiprvse.exe")
| where FileName in~ ("schtasks.exe", "wmic.exe", "net.exe", "netsh.exe")
| where ProcessCommandLine has_any ("create", "add", "user")
// summarize rather than distinct, so Timestamp is still available for the final projection
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count()
    by DeviceId, AccountName, FileName, ProcessCommandLine
| project DeviceId, AccountName, FileName, ProcessCommandLine, FirstSeen, LastSeen, Hits
| order by LastSeen desc

Rapid Response Script (PowerShell)

PowerShell
# Audit for Ransomware Indicators of Compromise (IOC)
# Run from an elevated session: enumerating all scheduled tasks and reading the Security log require administrator rights.
Write-Host "Checking for recent scheduled tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' } | ForEach-Object {
    $task = $_
    # Export-ScheduledTask returns the task definition as XML text, including the action's command line
    $info = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    # PowerShell accepts -e, -ec, -enc or -EncodedCommand; "-enc" alone misses the shorter forms
    if ($info -match "powershell.*-e(c|nc|ncodedcommand)?\b" -or $info -match "https?://") {
        Write-Host "Suspicious Task Found: $($task.TaskPath)$($task.TaskName)" -ForegroundColor Red
        $info
    }
}

Write-Host "Checking Volume Shadow Copy status..." -ForegroundColor Yellow
# Ransomware routinely deletes shadow copies before encryption; an empty list on a host that should have them is a finding
vssadmin list shadows

Write-Host "Checking for unexpected RDP connections..." -ForegroundColor Yellow
# Event 4624 properties (0-based): [5] TargetUserName, [8] LogonType, [18] IpAddress ([19] is the source port, not the address)
# Filtering on the LogonType property instead of the message text also keeps this working on non-English systems.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{n='User'; e={ $_.Properties[5].Value }},
        @{n='IP';   e={ $_.Properties[18].Value }}
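The scheduled-task check above only pattern-matches on the exported XML; an analyst usually also wants to see what an encoded command actually runs. The following is an added example (not code from the original post or from Security Arsenal) that parses task XML of the kind Export-ScheduledTask emits, pulls the action command line out of each `<Exec>` element, decodes a `-EncodedCommand` payload (base64 of UTF-16LE, which is what PowerShell expects), and flags the task on the same cues the script uses. The task definitions below are constructed for this example; the `encode_command` helper exists only to build the sample.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CONTENT_CUES = ("Invoke-Expression", "http://", "https://")
NAME_CUES = ("update", "defender", "windows")  # generic names noted in the checklist


def encode_command(script: str) -> str:
    """Base64 of UTF-16LE, the form that follows -EncodedCommand (used here only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le", errors="replace")


def task_command_lines(task_xml: str) -> List[str]:
    """Extract 'Command Arguments' for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    lines = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        lines.append(f"{cmd} {args}".strip())
    return lines


def audit_task(task_name: str, task_xml: str) -> Dict[str, object]:
    """Flag a task whose action uses an encoded command or matches the content cues."""
    hits: List[str] = []
    decoded: Optional[str] = None
    for line in task_command_lines(task_xml):
        script = decode_encoded_command(line)
        if script is not None:
            decoded = script
            hits.append("encoded command")
        effective = script if script is not None else line
        hits += [cue for cue in CONTENT_CUES if cue.lower() in effective.lower()]
    return {
        "task": task_name,
        "suspicious": bool(hits),
        "hits": hits,
        "decoded": decoded,
        "generic_name": any(cue in task_name.lower() for cue in NAME_CUES),
    }


# Constructed sample: a task with a generic name that launches hidden, encoded PowerShell.
SAMPLE_TASK_NAME = "Windows Update Check"
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -enc {encode_command('Invoke-Expression (Get-Date)')}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary task that should not fire.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Tools\\backup.exe</Command>
      <Arguments>--nightly --verbose</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML))
    print(audit_task("Nightly Backup", BENIGN_TASK_XML))
```

The decoded script, not the base64 blob, is what belongs in the incident ticket. Because the regex accepts every valid abbreviation of the flag, `-ExecutionPolicy` is not mistaken for an encoded command, which is the most common false positive when people grep for `-e`.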

Incident Response Priorities

  1. T-minus Detection Checklist:

    • Immediately review VPN logs (Check Point, Cisco) for high volumes of IKEv1 auth failures or successful logins from anomalous geolocations (specifically VN, TH, HN, BR).
    • Inspect web server logs for ScreenConnect exploitation paths (/App_Extensions/, Authorization: Bearer anomalies).
    • Hunt for schtasks.exe creating tasks with names like "Update", "Defender", or "Windows" that run PowerShell with encoded commands.
  2. Critical Asset Prioritization:

    • LOCKBIT5 historically exfiltrates PII/PHI (Patient Health Information) and Intellectual Property. Focus containment efforts on Database servers and Document Management Systems.
    • Prioritize the protection of Active Directory domain controllers to prevent wide-scale lateral movement.
  3. Containment Actions (Ordered by Urgency):

    • Isolate: Disconnect identified compromised VPN gateways and ScreenConnect servers from the network immediately.
    • Reset: Force reset of credentials for all privileged accounts that have logged into the affected gateways in the last 30 days.
    • Block: Implement network ACLs blocking outbound C2 traffic, including on the non-standard ports Cobalt Strike is configured to use (443 is the most common choice, but operators frequently randomize the port), and block known LOCKBIT5 IP ranges.
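For the VPN review step in the checklist (high volumes of IKEv1 authentication failures, logins from the listed countries), the following is an added example, not code from the original post or from Security Arsenal. It reads key=value VPN log lines in a simplified format constructed for this example (it is not Check Point's actual log schema, whose fields the Sigma rule above names), counts IKEv1 authentication failures per source address in a sliding window, and flags successful logins whose source country is on a watch list built from the codes given above (VN, TH, HN, BR). The sample lines use documentation address ranges and are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WATCH_COUNTRIES = {"VN", "TH", "HN", "BR"}  # from the checklist above
FAIL_THRESHOLD = 5                         # failures per source within the window
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'key=value key=value ...' into a dict; 'time' becomes a datetime."""
    fields: Dict[str, object] = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    fields["time"] = datetime.fromisoformat(str(fields["time"]))
    return fields


def triage(lines: List[str], fail_threshold: int = FAIL_THRESHOLD,
           window: timedelta = WINDOW) -> List[Tuple[str, str, object]]:
    """Return alerts as (kind, source address, detail) tuples in log order."""
    alerts: List[Tuple[str, str, object]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> IKEv1 failure timestamps
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        now = ev["time"]
        src = str(ev.get("src", "?"))
        if (ev.get("service") == "ike" and ev.get("ike_version") == "1"
                and ev.get("action") == "auth_fail"):
            q = recent[src]
            q.append(now)
            while q and now - q[0] > window:   # drop failures outside the sliding window
                q.popleft()
            if len(q) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)       # one alert per source per burst
                alerts.append(("ikev1_failure_burst", src, len(q)))
        elif ev.get("action") == "login" and ev.get("src_country") in WATCH_COUNTRIES:
            alerts.append(("watchlist_geo_login", src, ev.get("user")))
    return alerts


# Constructed sample log: one source hammering IKEv1, one stray failure, one watch-list login.
SAMPLE_VPN_LOG = """\
time=2026-06-18T02:00:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
time=2026-06-18T02:01:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
time=2026-06-18T02:01:30 product=VPN service=ike ike_version=1 action=auth_fail src=198.51.100.5
time=2026-06-18T02:02:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
time=2026-06-18T02:03:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
time=2026-06-18T02:04:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
time=2026-06-18T02:05:00 product=VPN action=login user=jdoe src=203.0.113.88 src_country=VN
time=2026-06-18T02:06:00 product=VPN action=login user=asmith src=192.0.2.10 src_country=US
time=2026-06-18T02:30:00 product=VPN service=ike ike_version=1 action=auth_fail src=203.0.113.7
""".strip().splitlines()


if __name__ == "__main__":
    for alert in triage(SAMPLE_VPN_LOG):
        print(alert)
```

A static country watch list is the quick version appropriate for the first 24 hours of a response. For steady-state monitoring, compare each login's country against the user's own recent history instead, since a watch list both misses attackers relaying through in-country infrastructure and flags legitimate travel.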

Hardening Recommendations

  • Immediate (24h):

    • Apply the patch for CVE-2024-1708 (ConnectWise ScreenConnect) to all instances immediately.
    • Update Check Point Security Gateways to address CVE-2026-50751; if patching is not feasible, disable IKEv1 and enforce IKEv2.
    • Enable Multi-Factor Authentication (MFA) on all VPN, RDP, and remote access interfaces.
  • Short-term (2 weeks):

    • Network Segmentation: Restrict lateral movement by isolating OT (Manufacturing) and Clinical (Healthcare) networks from the general IT administrative network.
    • Egress Filtering: Configure firewalls to block outbound traffic from internal servers to the internet, allowing only necessary business traffic.
