Back to Intelligence

LOCKBIT5: Manufacturing & Healthcare Sectors Under Siege — Check Point & Cisco Firewall Exploits Detected

SA
Security Arsenal Team
June 21, 2026
6 min read

Date: 2026-06-22 Source: Dark Web Leak Site Monitoring / Ransomware.live Threat Level: CRITICAL

Threat Actor Profile — LOCKBIT5

Known Aliases: LockBit 5.0, LockBitSupra (suspected evolution) Operational Model: Ransomware-as-a-Service (RaaS) with aggressive affiliate recruitment. Typical Ransom Demands: $500,000 – $10,000,000+ USD, varying strictly by estimated revenue. Initial Access Vectors:

  • Exploitation of Edge Perimeter: Heavy focus on VPN and Firewall vulnerabilities (recently CVE-2026-50751, CVE-2026-20131).
  • Phishing: Macro-laced documents targeting specific supply chains.
  • RDP Brute Force: Targeting exposed 3389 ports with credentials harvested from info-stealers.

Double Extortion Approach: LOCKBIT5 continues the standard of exfiltrating sensitive data (PFI, IP, financials) prior to encryption. They utilize a "name-and-shame" tiered leak site structure: data is posted in stages if negotiation fails.

Average Dwell Time: 3–7 days. Recent intelligence suggests affiliates are moving faster to encrypt, reducing dwell time to under 72 hours to bypass EDR detection windows.

Current Campaign Analysis

Sectors Targeted: The latest campaign shows a distinct pivot towards high-value operational targets:

  • Manufacturing (30% of recent victims): venelectronics.com (VE), union-chemical.co.th (TH), parampackaging.com (TR).
  • Healthcare (20% of recent victims): teleton.org.hn (HN), sanatoriodelta.com (CO), primelinkbio.com (US).
  • Public Sector & Education: saude.mt.gov.br (BR), utb.edu.vn (VN).

Geographic Concentration: Highly dispersed operation with clusters in Southeast Asia (VN, TH), South America (BR, CO, VE), and North America/Europe (US, NL, AT). This suggests a distributed affiliate network rather than a single regional operation.

Victim Profile: Mid-to-large market entities. Targets like sra.nl (Business Services) and primelinkbio.com (Healthcare) indicate affiliates are selecting organizations with high data sensitivity and operational uptime requirements.

Observed Posting Frequency: Spike in postings on 2026-06-17 (15 victims posted in a single batch), indicating a "bulk publish" weekend strategy often used to overwhelm victim PR teams.

Connection to CVEs: There is a high-confidence correlation between the recent spike in Manufacturing and Business Services victims and the exploitation of CVE-2026-50751 (Check Point Security Gateway). Victims in these sectors often rely on perimeter VPNs that were vulnerable to the improper authentication vulnerability disclosed in early June 2026. Additionally, CVE-2024-1708 (ConnectWise ScreenConnect) is likely the vector for Business Services MSPs.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential LOCKBIT5 Affiliate Activity - Check Point Exploitation
id: 4d8a9e8f-1a2b-3c4d-5e6f-7g8h9i0j1k2l
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 anomalies or suspicious authentication attempts on Check Point gateways often used by LOCKBIT5 for initial access.
status: experimental
author: Security Arsenal Intel
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/06/22
tags:
    - attack.initial_access
    - cve.2026.50751
    - ransomware.lockbit5
logsource:
    category: firewall
detection:
    selection:
        product|contains: 'Check Point'
        action: 'accept' or 'decrypt'
        vpn_feature|contains: 'ike' or 'vpn'
    filter_legit:
        src_ip|cidr:
            - '192.168.0.0/16'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate remote admin VPN connections from unknown new IPs
level: high

---
title: LOCKBIT5 Lateral Movement via PsExec and WMI
id: 5b9a0f1g-2b3c-4d5e-6f7g-8h9i0j1k2l3m
description: Detects typical LOCKBIT5 lateral movement patterns using PsExec or WMI to deploy payloads across the network.
status: experimental
author: Security Arsenal Intel
date: 2026/06/22
tags:
    - attack.lateral_movement
    - attack.execution
    - car.2013-09-005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\psexec.exe'
        - Image|endswith: '\psexec64.exe'
        - Image|endswith: '\wmic.exe'
    selection_cli:
        CommandLine|contains:
            - 'accepteula'
            - 'process call create'
    condition: 1 of selection*
falsepositives:
    - System administration tasks
level: high

---
title: Ransomware Data Staging - Large Volume Archive Creation
id: 6c0b1g2h-3c4d-5e6f-7g8h-9i0j1k2l3m4n
description: Detects creation of large archive files (rar, zip, 7z) often used by LOCKBIT5 for data exfiltration prior to encryption.
status: experimental
author: Security Arsenal Intel
date: 2026/06/22
tags:
    - attack.exfiltration
    - attack.collection
logsource:
    category: file_creation
    product: windows
detection:
    selection_ext:
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
    selection_size:
        FileSize|gt: 50000000  # 50MB
    timeframe: 5m
    condition: selection_ext and selection_size | count() > 2
falsepositives:
    - Legitimate system backups
level: medium

KQL Hunt Query (Microsoft Sentinel)

Hunts for rapid successive service executions or PowerShell commands often used in LockBit staging scripts.

KQL — Microsoft Sentinel / Defender
let TimeWindow = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where InitiatingProcessFileName in ('powershell.exe', 'cmd.exe', 'powershell_ise.exe')
| where ProcessCommandLine has 'enc' or ProcessCommandLine has 'FromBase64String' or ProcessCommandLine has 'IEX'
| where FileName in ('vssadmin.exe', 'wbadmin.exe', 'bcdedit.exe', 'taskkill.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FileName
| order by Timestamp desc

Rapid Response Script

PowerShell script to identify potential ransomware precursors (Shadow Copy manipulation and scheduled tasks).

PowerShell
<#
.SYNOPSIS
    LockBit5 Incident Response - Hunt for Indicators of Compromise
.DESCRIPTION
    Checks for recent deletion of Shadow Copies and suspicious scheduled tasks added in the last 7 days.
#>

Write-Host "[+] Checking for recently deleted Volume Shadow Copies (Last 7 Days)..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; Id=12343; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
if ($Events) { 
    $Events | Select-Object TimeCreated, Message | Format-Table -AutoSize
} else {
    Write-Host "[-] No Shadow Copy deletion events found." -ForegroundColor Green
}

Write-Host "[+] Enumerating Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Yellow
$Tasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($Tasks) {
    $Tasks | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize
    Write-Host "[!] WARNING: Review these tasks immediately." -ForegroundColor Red
} else {
    Write-Host "[-] No suspicious recent scheduled tasks found." -ForegroundColor Green
}

Write-Host "[+] Checking for common ransomware extensions (if encryption occurred)..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Recurse -Include *.lockbit5, *.abcd, *.encrypted -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime | Format-Table -AutoSize


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. VPN Logs: Scrutinize VPN logs for successful authentication attempts followed immediately by file server access patterns typical of CVE-2026-50751 exploitation.
  2. Service Accounts: Monitor for service accounts (e.g., sqlsvc, backupadmin) logging in interactively or from unusual endpoints.
  3. PowerShell: Alert on any PowerShell instances spawned by svchost.exe or services.exe.

Critical Assets for Exfiltration: LOCKBIT5 historically prioritizes:

  • HR databases (SSN/Tax info)
  • R&D / Intellectual Property (CAD files, formulas)
  • Financial backups (QuickBooks, SAP exports)
  • Legal contracts

Containment Actions (Urgency Order):

  1. Disconnect: Isolate compromised VLANs from the core network.
  2. Disable: Suspend domain accounts for the initial access user immediately.
  3. Reset: Force password resets for all privileged accounts (ensure MFA is enforced).
  4. Block: Block outbound C2 IPs associated with LockBit affiliates at the firewall.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2026-50751 & CVE-2026-20131: Apply the Check Point and Cisco FMC patches immediately. These are the primary ingress vectors in this campaign.
  • Block RDP: Disable internet-facing RDP (TCP 3389). Require VPN for all remote access.
  • MFA Enforcement: Ensure all VPN, Webmail, and Remote Desktop services have enforced FIDO2 or App-based MFA.

Short-Term (2 Weeks):

  • Network Segmentation: Isolate Critical Infrastructure (Backup servers, Domain Controllers) from user workstations.
  • EDR Rollout: Ensure 100% coverage of EDR on all servers and endpoints; configure behavioral blocks for PsExec and WMI lateral movement.
  • Zero Trust Architecture: Implement strict micro-segmentation to prevent east-west traffic in the event of a perimeter breach.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwaremanufacturinghealthcarecve-2026-50751initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action