LOCKBIT5: Global Surge in Healthcare & Manufacturing Attacks — Active Exploitation of Critical Cisco & SmarterMail Vulnerabilities

Overview: LOCKBIT5 represents the latest evolution of the notorious LockBit ransomware-as-a-service (RaaS) operation. Following law enforcement disruptions (Operation Cronos), the group has rebranded and resurged with a revitalized affiliate network and improved encryptors. They operate on a sophisticated RaaS model, splitting profits with affiliates who conduct the intrusions.

Tactics & Procedures:

• Ransom Demands: Highly variable, typically ranging from $500k to $10M+ USD, dictated by victim revenue and data sensitivity.
• Initial Access: Heavily reliant on exploiting external-facing services (VPN appliances, Email servers) and Valid Accounts obtained via initial access brokers. Phishing with macro-laden documents remains a secondary vector.
• Extortion Model: Triple extortion standard—encrypting files, threatening to leak data on their dark web .onion site, and DDoS attacks to pressure negotiation.
• Dwell Time: Often rapid. Automation in their toolset allows for encryption within 3 to 5 days of initial access, though some affiliates dwell longer to maximize data theft.

Current Campaign Analysis

Sector Targeting: The latest victim dump (15 recent postings) indicates a distinct pivot towards critical infrastructure support and production:

• Healthcare (20% of recent victims): High-value targets (e.g., decaturdiagnosticlab.net, nucleodediagnostico.mx) suggesting a focus on exfiltrating PII/PHI to force rapid payment.
• Manufacturing (26% of recent victims): Global industrial targets (e.g., cegasa.com (ES), shunhinggroup.com (HK)), aiming to disrupt production lines.
• Public Sector & Finance: Continued targeting of regional government bodies (comunidadandina.org) and financial standards bodies (fondonorma.org.ve).

Geographic Concentration: The campaign is globally dispersed but heavily concentrated in the Americas (US, DO, MX, VE, PE). Recent activity also spans Southern Europe (ES, IT, RO, FR) and Asia-Pacific (JP, HK).

Victim Profile: Targets are mid-to-large enterprises with revenue typically between $50M and $1B. The selection of vitropor.pt (Manufacturing) and cegasa.com (Industrial battery manufacturing) suggests affiliates are specifically targeting supply chain entities.

Exploited Vulnerabilities (Initial Access Vectors): There is a high correlation between recent victims and the exploitation of vulnerabilities added to the CISA KEV catalog in Q1 2026:

• CVE-2026-20131 (Cisco Secure Firewall FMC): Critical deserialization flaw allowing unauthenticated RCE. Likely used for perimeter breach in technology and financial sectors.
• CVE-2026-23760 (SmarterTools SmarterMail): Auth bypass using alternate paths. This is a probable vector for the recent Healthcare/ISP victims (marti.do, nucleodediagnostico.mx) relying on email gateways.
• CVE-2025-5777 (Citrix NetScaler): Persistent exploitation for initial network access.

Detection Engineering

The following detection rules and scripts are designed to identify the specific behaviors exhibited by LOCKBIT5 affiliates during the recent campaign, focusing on the exploitation of the listed CVEs and subsequent lateral movement.

---
title: Potential SmarterMail Authentication Bypass (CVE-2026-23760)
id: c7e88b3c-5f6a-4c5c-8e2b-1a2b3c4d5e6f
description: Detects potential authentication bypass attempts on SmarterMail servers leveraging the alternate path vulnerability, often used as an initial access vector by LockBit5.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/Services/Mail.asmx'
        cs-method: 'POST'
    filter:
        sc-status:
            - 200
            - 500
    condition: selection and filter
falsepositives:
    - Legitimate API usage via legacy clients
level: critical
tags:
    - attack.initial_access
    - cve.2026.23760
    - ransomware.lockbit5
---
title: Suspicious PsExec Service Installation (Lateral Movement)
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Identifies the installation of services with characteristics typical of PsExec or similar remote execution tools used by LockBit for lateral movement.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cmd.exe /c'
            - 'powershell.exe -'
            - 'PSEXESVC'
    condition: selection
falsepositives:
    - Legitimate administrative software deployment
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - ransomware.lockbit5
---
title: Mass File Encryption Activity (Ransomware)
id: f9e8d7c6-b5a4-4e3d-9c2b-1a0f9e8d7c6b
description: Detects potential ransomware activity by identifying processes that rapidly modify a high number of files across different directories, characteristic of LockBit5 encryption speed.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 2
    timeframe: 1m
    condition: selection | count() > 50
falsepositives:
    - Legitimate bulk file updates (software updates, backups)
level: critical
tags:
    - attack.impact
    - attack.t1486
    - ransomware.lockbit5


kql
// Hunt for lateral movement and staging indicators associated with LockBit5 affiliates
// Focus: Remote Service Creation (PsExec) and unusual SMB file copies
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where InitiatingProcessFileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has_any ("remote", "create", "install")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| union (
    DeviceFileEvents
    | where Timestamp >= TimeFrame
    | where ActionType == "FileCreated"
    | where FileName endswith ".locked" or FileName endswith ".lockbit" or FolderPath contains "\\" // Possible staging
    | summarize count() by DeviceName, FolderPath, bin(Timestamp, 5m)
    | where count_ > 20
)
| order by Timestamp desc


powershell
<#
.SYNOPSIS
    LockBit5 Rapid Response Hardening Script
.DESCRIPTION
    Checks for common persistence mechanisms used by LockBit5 affiliates,
    enumerates recent scheduled tasks, and identifies exposed RDP sessions.
#>

Write-Host "[+] Starting LockBit5 Hardening Audit..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days (Persistence)
Write-Host "\n[*] Checking for recently created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Yellow
$dateThreshold = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -ge $dateThreshold} | Select-Object TaskName, TaskPath, Date, Author

# 2. Check for active RDP sessions (Lateral Movement)
Write-Host "\n[*] Checking for active RDP sessions..." -ForegroundColor Yellow
$query = "SELECT * FROM Win32_LogonSession WHERE LogonType = 10"
Get-WmiObject -Query $query | ForEach-Object {
    $logonId = $_.LogonId
    $q = "ASSOCIATORS OF {Win32_LogonSession LogonId='$logonId'} WHERE AssocClass=Win32_LoggedOnUser"
    $user = Get-WmiObject -Query $q
    Write-Host "Active Session: $($user.Name) on $env:COMPUTERNAME"
}

# 3. Check for Shadow Copy deletions (Pre-encryption)
Write-Host "\n[*] Checking System Event Log for Shadow Copy Deletion events (VSS)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=$dateThreshold} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -like '*Shadow Copies*' -and $_.Message -like '*stopped*'} | 
Select-Object TimeCreated, Message | Format-List

Write-Host "\n[+] Audit Complete." -ForegroundColor Green

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

1. Hunt for CVE-2026-23760: Review web server logs for SmarterMail authentication bypass attempts.
2. Anomalous Service Creation: Look for services named PSEXESVC or random strings running cmd.exe or powershell.exe.
3. Data Staging: Monitor for sudden spikes in file read operations (via EDR telemetry) targeting user shares or database exports.

Critical Assets Prioritized for Exfiltration:

• Healthcare: Patient databases (PACS/EHR), billing records, insurance information.
• Manufacturing: CAD drawings, IP, client lists, and ERP systems (SAP/Oracle).
• Public Sector: Citizen PII, tax records, and sensitive legal documents.

Containment Actions (Ordered by Urgency):

1. Isolate: Segregate systems identified with signs of CVE-2026-20131 or CVE-2025-5777 exploitation immediately.
2. Disable Accounts: Suspend service accounts associated with the exploited SmarterMail or Cisco FMC instances.
3. Block IPs: Implement network blocks for known C2 infrastructure associated with recent LockBit5 campaigns (refer to your Threat Intelligence Platform).

Hardening Recommendations

Immediate (24 Hours):

• Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco FMC) and CVE-2026-23760 (SmarterMail) immediately. If patching is not possible, disable the affected services or move them behind a zero-trust VPN with MFA.
• Audit Remote Access: Disable non-essential RDP access. Enforce strict MFA on all VPN and remote access gateways.

Short-Term (2 Weeks):

• Network Segmentation: Restrict lateral movement by isolating critical servers (Email, Database, Backup) from general user workstations via firewall rules and VLANs.
• Implement Phishing-Resistant MFA: Move to FIDO2/WebAuthn hardware keys for administrative and service accounts to mitigate credential theft.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub