Aliases & Evolution: LockBit5 (also referred to as LockBit 5.0) represents the latest evolution of the once-dominant LockBit ransomware-as-a-service (RaaS) operation. Following "Operation Cronos," the group has rebranded and decentralized, moving to a more resilient affiliate model to avoid law enforcement disruption.
Operational Model: Primarily RaaS, though recent intelligence suggests a tighter knit "core" group handling high-value targets. They maintain a strict leak site (DDoS guarded) to coerce victims via double extortion tactics (data theft + encryption).
Ransom Demands: Demands vary significantly based on victim revenue, typically ranging from $500,000 to $10 million USD. They are known to negotiate aggressively if a victim proves they cannot pay.
Initial Access & TTPs: LockBit5 affiliates aggressively exploit exposed perimeter vulnerabilities. Historically reliant on phishing and stolen credentials (RDP), the current campaign shows a pivot toward exploiting critical infrastructure CVEs (Check Point, Cisco, Exchange). Average dwell time has decreased to approximately 3–5 days from initial access to encryption, indicating automation or highly skilled operators.
Current Campaign Analysis
Sector Targeting: The victim list posted between 2026-06-17 and 2026-06-19 indicates a diversified spray-and-pray approach with specific emphasis on critical supply chain sectors:
- Manufacturing (20%): veelectronics.com, union-chemical.co.th, parampackaging.com. Targeting of manufacturing aligns with the high likelihood of payment due to operational downtime costs.
- Healthcare (20%): teleton.org.hn, sanatoriodelta.com, primelinkbio.com. A continued, ruthless targeting of healthcare providers.
- Education/Public Sector (13%): utb.edu.vn, saude.mt.gov.br.
Geographic Concentration: The campaign is globally dispersed, but with specific hotspots:
- Southeast Asia: High activity in Vietnam (VN), Thailand (TH), and Taiwan (TW).
- Americas: Significant victims in Brazil (BR), Honduras (HN), Colombia (CO), and the US.
Victim Profile: Targets range from mid-sized enterprises (e.g., regional chemical suppliers, local hospitals) to government entities. Revenue estimates suggest a "sweet spot" of $50M – $500M annual revenue—large enough to pay, but often lacking mature security postures compared to Fortune 500s.
Exploitation & CVE Correlation:
We assess with high confidence that the recent victims, particularly sra.nl (Business Services) and sparkinter.com (Technology), were compromised using the recently added CISA KEV vulnerabilities:
- CVE-2026-50751 (Check Point Security Gateway): This improper authentication vulnerability allows attackers to bypass VPN security. Given the geographic spread of victims, external perimeter exposure via VPN is the most likely initial access vector for this cluster.
- CVE-2024-1708 (ConnectWise ScreenConnect): A classic ransomware entry point still in use. The quick turnaround of victims suggests automated exploitation of remote management tools.
- CVE-2023-21529 (Microsoft Exchange): Still prevalent in the wild for accessing email servers to stage phishing or harvest credentials.
Detection Engineering
Sigma Rules
The following rules target the specific TTPs observed in the LockBit5 campaign, focusing on the CVEs listed in the KEV catalog and common lateral movement patterns.
---
title: Potential Check Point VPN Gateway Exploitation Attempt
description: Detects potential exploitation of CVE-2026-50751 involving improper authentication in IKEv1 key exchange or anomalies in VPN logs indicative of bypass.
author: Security Arsenal Research
date: 2026/06/21
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: firewall
detection:
selection:
action|contains: 'deny'
destination_port: 500
protocol: 'udp'
src_ip|startswith:
- '10.' # Internal IP often spoofed or used in relay
condition: selection
falsepositives:
- Legitimate misconfigured VPN clients
level: high
tags:
- cve.2026.50751
- attack.initial_access
- ransomware.lockbit5
---
title: Suspicious ConnectWise ScreenConnect Path Traversal
id: 8c30a0e4-7402-4a6c-9b1a-7e4e5e0c5c1a
description: Detects path traversal strings commonly associated with CVE-2024-1708 exploitation in ScreenConnect web logs.
author: Security Arsenal Research
date: 2026/06/21
status: stable
logsource:
category: web
product: connectwise
detection:
selection_uri:
cs-uri-query|contains:
- '../'
- '..%2f'
- '%2e%2e'
selection_ext:
cs-uri-query|contains:
- '.aspx'
- '.ashx'
condition: selection_uri and selection_ext
falsepositives:
- Unknown
level: critical
tags:
- cve.2024.1708
- attack.initial_access
- attack.t1190
- ransomware.lockbit5
---
title: LockBit5 Lateral Movement via PsExec and WMI
description: Detects typical LockBit5 behavior of using PsExec or WMI for lateral movement to spread ransomware binaries.
author: Security Arsenal Research
date: 2026/06/21
logsource:
category: process_creation
product: windows
detection:
selection_psexec:
ParentImage|endswith: '\psexec.exe'
CommandLine|contains: \
- '-accepteula'
- '\\'
selection_wmi:
ParentImage|endswith: '\wmiprvse.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\rundll32.exe'
condition: 1 of selection*
falsepositives:
- Administrative IT tasks
level: high
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1047
- ransomware.lockbit5
KQL (Microsoft Sentinel)
Hunt Objective: Identify potential data staging and lateral movement indicative of LockBit5 preparation for encryption.
let TimeFrame = 1d;
// Hunt for large volumes of data copied to staging locations or unusual access patterns
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ('powershell.exe', 'cmd.exe', 'robocopy.exe', 'rar.exe', '7z.exe')
| where ProcessCommandLine has any ('System32', 'SysWOW64', 'cmd /c', 'copy ')
| summarize count(), make_set(ProcessCommandLine) by DeviceName, AccountName, FileName
| where count_ > 5 // Threshold for aggressive automation
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 135, 139, 3389) // Common SMB/RDP ports used for lateral spread
| summarize make_set(RemoteIP) by DeviceName
) on DeviceName
PowerShell - Rapid Response Script
Purpose: Check for persistence mechanisms (Scheduled Tasks) often deployed by LockBit5 and query the status of Volume Shadow Copies (VSS).
# LockBit5 Rapid Response Indicator Check
# Requires Administrator Privileges
Write-Host "[+] Checking for Recently Created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
$dateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $dateCutoff} | ForEach-Object {
$taskInfo = Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath
if ($taskInfo -match "powershell" -or $taskInfo -match "cmd" -or $taskInfo -match "http") {
Write-Host "[!] Suspicious Task Found: $($_.TaskName)" -ForegroundColor Red
Write-Host $taskInfo -ForegroundColor DarkGray
}
}
Write-Host "[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
try {
$vss = Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop
if ($vss.Count -eq 0) {
Write-Host "[CRITICAL] No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
} else {
Write-Host "[INFO] $($vss.Count) Shadow Copies exist." -ForegroundColor Green
}
} catch {
Write-Host "[ERROR] Could not query VSS." -ForegroundColor Yellow
}
Write-Host "[+] Checking for common Ransomware Extensions in User Profile..." -ForegroundColor Cyan
$paths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop", "C:\")
$extensions = @(".lockbit", ".encrypted", ".hl0k2j", ".abcd")
foreach ($path in $paths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -Include $extensions -ErrorAction SilentlyContinue | Select-Object -First 5 FullName | ForEach-Object {
Write-Host "[!] ENCRYPTED FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
}
}
---
# Incident Response Priorities
**T-Minus Detection Checklist (Pre-Encryption):**
1. **Perimeter Log Audit:** Immediate review of Check Point and Cisco firewall logs for indicators of CVE-2026-50751 or CVE-2026-20131 exploitation (unsuccessful IKEv1 auth attempts, anomalous admin logins).
2. **Remote Desktop Hygiene:** Scan for unauthorized RDP sessions. LockBit5 heavily relies on RDP for manual hands-on-keyboard movement.
3. **Process Anomalies:** Hunt for `powershell.exe` spawning from `svchost.exe` or unexpected parent processes, a hallmark of webshell exploitation.
**Critical Assets at Risk:**
* **Active Directory:** Domain Controllers are primary targets for credential dumping (Mimikatz) to facilitate lateral movement.
* **Backups:** LockBit5 specifically seeks out and deletes or encrypts Volume Shadow Copies (VSS) and network-based backups (NAS/SAN).
* **Intellectual Property:** Design documents in Manufacturing and patient records in Healthcare are prioritized for exfiltration.
**Containment Actions:**
1. **Isolate:** Segment the VLAN of any suspected victim machine immediately.
2. **Disable Accounts:** Disable service accounts associated with Check Point/Cisco management if compromise is suspected.
3. **Power Down:** If encryption is actively observed (file extensions changing), power off the machine physically to prevent spread to network shares.
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch Critical Perimeter:** Apply the patch for **CVE-2026-50751 (Check Point)** and **CVE-2026-20131 (Cisco FMC)** immediately. These are active gates for this campaign.
* **Block RDP from Internet:** Enforce a strict VPN requirement (MFA enforced) for all remote access; block TCP 3389 from the internet.
* **MFA for Everything:** Ensure MFA is enabled for VPNs, email, and especially firewall management interfaces.
**Short-term (2 Weeks):**
* **Network Segmentation:** Implement Zero Trust principles. Separate critical backup infrastructure from the main corporate LAN.
* **EDR Deployment:** Ensure EDR agents are deployed on all perimeter servers and Domain Controllers with behavioral monitoring for ransomware.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.