Back to Intelligence

LOCKBIT5 Ransomware: Global Surge Targeting Healthcare & Manufacturing — Detection Engineering Brief

SA
Security Arsenal Team
June 21, 2026
6 min read

Aliases & Evolution: LOCKBIT5 represents the latest evolution of the LockBit ransomware-as-a-service (RaaS) operation. Following disruptions by law enforcement to previous iterations (LockBit 3.0 and 4.0), LockBit5 has resurfaced with improved encryption algorithms and updated leak site infrastructure. Historically, they have operated under a strict affiliate model, splitting profits between core developers and network access brokers.

Operational Model:

  • Model: RaaS (Ransomware-as-a-Service).
  • Ransom Demands: Highly variable, typically ranging from $500,000 to $10 million USD depending on victim revenue.
  • Tactics: Aggressive double extortion. The group exfiltrates sensitive data and threatens to release it on their .onion site if the ransom is not paid, in addition to encrypting files.
  • Initial Access: Predominantly exploits vulnerabilities in external-facing appliances (VPNs, Firewalls) and remote management tools (ScreenConnect). Phishing and valid credential abuse (RDP brute-force) remain secondary vectors.
  • Dwell Time: Known for "smash-and-grab" tactics; average dwell time has decreased significantly in recent campaigns, often under 48 hours from initial access to encryption.

Current Campaign Analysis

Targeted Sectors: Based on the 15 victims posted between 2026-06-17 and 2026-06-19, LOCKBIT5 is exhibiting a distinct preference for critical infrastructure and economically vital sectors:

  • Manufacturing (20%): 3 victims (Venezuela, Thailand, Turkey).
  • Healthcare (20%): 3 victims (Honduras, Colombia, USA).
  • Business Services (13%): 2 victims (Netherlands, Thailand).
  • Other: Public Sector, Education, Technology, and Hospitality.

Geographic Concentration: The campaign is globally dispersed with no single regional dominance. Recent victims span Southeast Asia (TH, VN, TW), Europe (NL, AT), Americas (US, BR, VE, CO, HN, PR), and Mauritius. This suggests a "spray and pray" approach by affiliates leveraging automated vulnerability scanners rather than geographically targeted spear-phishing.

Victim Profile: Targets range from mid-sized entities to large government bodies (saude.mt.gov.br). The inclusion of education (utb.edu.vn) and public sector indicates the affiliates are indiscriminately exploiting vulnerable internet-facing infrastructure rather than profiling victim revenue.

Posting Frequency & CVE Correlation: The cluster of 14 victims published on 2026-06-17 (with one straggler on the 19th) suggests a coordinated automated deployment by an active affiliate.

  • Connection to CVEs: The campaign strongly correlates with the exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect). Given the manufacturing and public sector targets, it is highly likely that initial access was gained via unpatched VPN gateways or remote support software used by IT managed service providers (MSPs).

Detection Engineering

The following detection logic targets LOCKBIT5 affiliates exploiting perimeter vulnerabilities and moving laterally using standard tooling.

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or setup files on ScreenConnect web servers.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/21
status: experimental
logsource:
    category: webserver
product: nginx
    - apache
detection:
    selection:
        c-uri|contains:
            - '/Setup.aspx'
            - '/Bin/ScreenConnect.Service.exe'
            - 'Legacy\\..\\..'
    condition: selection
falsepositives:
    - Legitimate administrative access to Setup pages
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.lockbit
---
title: Suspicious PsExec Service Installation Lateral Movement
description: Detects the usage of PsExec or similar tools to install services on remote endpoints, a common LOCKBIT5 technique for ransomware deployment.
references:
    - https://attack.mitre.org/techniques/T1021/002/
author: Security Arsenal Research
date: 2026/06/21
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
    selection_cli:
        CommandLine|contains:
            - 'accepteula'
            - '\\'
    condition: 1 of selection*
falsepositives:
    - System administration tasks
level: high
tags:
    - attack.lateral_movement
    - attack.execution
    - ransomware.lockbit
---
title: Large Volume Data Staging via RClone
description: Detects the use of RClone or similar tools for data exfiltration, often used prior to encryption in double-extortion plots.
author: Security Arsenal Research
date: 2026/06/21
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rclone.exe'
        CommandLine|contains:
            - 'copy'
            - 'sync'
            - 'config'
    condition: selection
falsepositives:
    - Legitimate backup operations using RClone
level: medium
tags:
    - attack.exfiltration
    - ransomware.lockbit


**KQL (Microsoft Sentinel) - Lateral Movement Hunt**

kql
// Hunt for LOCKBIT5 lateral movement indicators
// Look for service creation events (EventID 7045) using suspicious names or binaries
SecurityEvent
| where EventID == 7045
| where ServiceFileName contains @"%COMSPEC%" 
   or ServiceFileName contains "powershell.exe -enc"
   or ServiceFileName contains "cmd.exe /c"
| project TimeGenerated, Computer, ServiceName, ServiceFileName, Account
| extend Tail = iff(ServiceName contains "" or ServiceName contains "Updater", "Suspicious Generic Name", "Specific Name")
| where Tail == "Suspicious Generic Name"
| sort by TimeGenerated desc


**PowerShell - Rapid Response Hardening Script**

powershell
# LOCKBIT5 Rapid Response: Check for VSS Shadow Copy Manipulation
# Author: Security Arsenal
# Purpose: Detect if Volume Shadow Copies are being deleted (common pre-encryption)

$Events = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12343} -ErrorAction SilentlyContinue -MaxEvents 50

if ($Events) {
    Write-Host "[WARNING] Potential VSS Deletion Activity Detected:" -ForegroundColor Red
    $Events | Select-Object TimeCreated, Message | Format-Table -AutoSize
} else {
    Write-Host "[INFO] No recent VSS deletion events found." -ForegroundColor Green
}

# Check for recently created scheduled tasks (Persistence)
$RecentTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)}
if ($RecentTasks) {
    Write-Host "[WARNING] Scheduled tasks created in the last 24 hours:" -ForegroundColor Yellow
    $RecentTasks | Select-Object TaskName, Date, Author
}


---

# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
1. **VPN Gateway Logs:** Review logs for successful VPN connections immediately followed by internal lateral movement (SMB/RPC).
2. **Web Shells:** Scan for recently modified files in web directories (ScreenConnect, Check Point management interfaces) matching hashes of known webshells.
3. **Service Accounts:** Monitor for unusual service account usage, specifically accounts used to run ConnectWise or VPN services spawning interactive shells.

**Critical Assets for Exfiltration:**
LOCKBIT5 historically prioritizes:
- PII/PHI (Patient Health Information).
- CAD/CAM designs and Intellectual Property (Manufacturing).
- Financial databases and tax documents.

**Containment Actions (Order by Urgency):**
1. **Isolate:** Disconnect compromised VPN gateways and remote access tools from the network immediately.
2. **Disable:** Disable domain accounts used by the affected IT administrators.
3. **Block:** Block outbound traffic to known TOR nodes and file-sharing sites (Mega, RClone endpoints).

---

# Hardening Recommendations

**Immediate (24 Hours):**
- **Patch:** Apply the patch for **CVE-2024-1708 (ConnectWise ScreenConnect)** immediately. If patching is not possible, disable the ScreenConnect web interface or restrict access via IP allow-listing.
- **Patch:** Review and patch **CVE-2026-50751 (Check Point Security Gateway)**. Disable IKEv1 if not required.
- **MFA Enforcement:** Ensure all VPN and remote access portals have enforced MFA (not just SMS).

**Short-Term (2 Weeks):**
- **Network Segmentation:** Ensure critical backup servers and domain controllers are not reachable from the DMZ or VPN segments.
- **EDR Deployment:** Ensure EDR sensors are active on all internet-facing jump servers and management workstations.
- **Access Review:** Revoke local administrator rights for standard users and audit service account permissions.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwarehealthcaremanufacturingcve-2024-1708initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action