
LOCKBIT5 Ransomware: Surge in Healthcare & Manufacturing Targeting via Cisco & Fortinet Exploits

Security Arsenal Team
April 16, 2026

Aliases & Evolution: LOCKBIT5 represents the latest iteration of the prolific LockBit operation (following LockBit 2.0, 3.0, and Green/Black variants). Despite law enforcement disruptions, the core development team has resurfaced with optimized encryption algorithms and updated leak site infrastructure.

Operational Model: Ransomware-as-a-Service (RaaS). LOCKBIT5 operates a strict affiliate program, providing the encryptor and infrastructure while splitting ransom profits. The group is known for a polished, professional victim negotiation interface combined with extremely aggressive encryption tactics.

Typical Ransom Demands: Variable, generally ranging from $500,000 to over $10 million, strictly calculated based on the victim's annual revenue and the sensitivity of exfiltrated data.

Initial Access Vectors: Historically diverse, but recent intelligence confirms a heavy reliance on exploiting edge devices. The group frequently leverages Valid Credentials (obtained via Initial Access Brokers), Phishing (IcedID/QakBot loaders), and Zero-Day/N-Day Exploits on VPNs and Firewall appliances.

Double Extortion: LOCKBIT5 strictly adheres to the double-extortion model. They exfiltrate sensitive data prior to encryption and threaten to release it on their "Wall of Shame" if payment is not received. They have recently begun threatening DDoS attacks to pressure non-compliant victims.

Average Dwell Time: Decreasing. Analysis of recent victims suggests a dwell time of 3 to 7 days from initial breach to encryption, indicating a high level of automation and speed-to-impact in their operations.


Current Campaign Analysis

Campaign Dates: 2026-03-01 to 2026-04-16

Recent Victim Count: 27 confirmed postings on the dark web leak site.

Sector Targeting

The current campaign shows a distinct pivot towards Healthcare and Manufacturing.

  • Healthcare (30%): Targets include diagnostic labs (e.g., decaturdiagnosticlab.net, nucleodediagnostico.mx) and pharma (vitexpharma.com). This sector is targeted for the high sensitivity of its PII and its willingness to pay to restore operations.
  • Manufacturing (25%): Industrial targets across Spain, Romania, Portugal, and Hong Kong (e.g., cegasa.com, aplast.ro, shunhinggroup.com).
  • Public Sector & Finance: Notable breaches of comunidadandina.org (Public Sector, Peru) and fondonorma.org.ve (Financial Services, Venezuela).

Geographic Concentration

While global, the current spike is concentrated in the Americas (US, MX, DO, VE, PE) and Southern Europe (ES, IT, FR). This suggests affiliates are specifically targeting regions with high industrial output and potentially lagging patch management cycles in edge infrastructure.

Exploited Vulnerabilities & Initial Access

Intelligence correlates this surge with the active exploitation of specific CISA Known Exploited Vulnerabilities (KEVs):

  1. CVE-2026-20131 (Cisco Secure Firewall FMC): A deserialization vulnerability allowing unauthenticated RCE. This is likely the primary vector for targets like wibeats.it (Technology) and fondonorma.org.ve.
  2. CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass, frequently used to gain initial access to mail servers before pivoting internally.
  3. CVE-2019-6693 (Fortinet FortiOS): Hard-coded credentials vulnerability. Despite being older, this remains a top vector for brute-forcing VPN access in manufacturing sectors.

Escalation Patterns

Victims posted on 2026-04-13 and 2026-04-03 indicate "burst" posting patterns. The affiliates appear to be operating in clusters, compromising multiple victims in a single geographic region simultaneously before moving to the next.


Detection Engineering

Sigma Rules

---
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 8a4f2b19-8c3d-4f9a-9e2b-3c4d5e6f7a8b
description: Detects potential exploitation of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious web requests or process anomalies.
status: experimental
date: 2026/04/16
author: Security Arsenal Intel
logsource:
  product: firewall
  service: cisco
detection:
  selection:
    cisco_event_id|startswith: '302015' # ASA/FTD connection message (302015 = Built UDP connection); noisy alone, so it is AND-ed with the request path below
    request|contains:
      - '/api/fmc_config/v1/domain/'
      - '/src/'
  condition: selection
falsepositives:
  - Legitimate administrative API usage
level: critical
tags:
  - cve.cve-2026-20131
  - attack.initial_access
  - attack.t1190
---
title: SmarterMail Authentication Bypass Attempt CVE-2026-23760
id: b5c3d2e1-4f5a-6b7c-8d9e-0f1a2b3c4d5e
description: Detects authentication bypass attempts on SmarterMail servers using alternate paths or channels.
status: experimental
date: 2026/04/16
author: Security Arsenal Intel
logsource:
  product: web server
  service: iis
detection:
  selection_uri:
    cs-uri-stem|contains: # URI path; cs-uri-query only carries the query string
      - '/LiveApp/'
      - '/Services/Mail'
  selection_method:
    cs-method: 'POST'
  selection_status:
    sc-status: 200
  condition: all of selection*
falsepositives:
  - Unknown, requires tuning based on legitimate SmarterMail usage
level: high
tags:
  - cve.cve-2026-23760
  - attack.initial_access
  - attack.t1190
---
title: LOCKBIT5 Typical Lateral Movement via PsExec
id: c1d2e3f4-a5b6-c7d8-e9f0-a1b2c3d4e5f6
description: Detects lateral movement activity often associated with LockBit affiliates using PsExec or similar administrative tools.
status: experimental
date: 2026/04/16
author: Security Arsenal Intel
logsource:
  product: windows
  category: process_creation
detection:
  selection_psexec:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains:
      - 'accepteula'
      - ' -s '  # padded so that a bare '-s' does not match every '-s...' switch
  selection_alternative:
    ParentImage|endswith: '\services.exe'
    Image|startswith: '\\\\'  # UNC path (Sigma escape for a literal '\\'): service binary launched from a share
  condition: 1 of selection*
falsepositives:
  - Legitimate administrative activity
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.002
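The selection and condition semantics these three rules rely on, shown as an added Python example that is not part of the original advisory or of any Sigma project code: it evaluates the PsExec rule (reading the services.exe alternative as a UNC-path launch, with ' -s ' padded) over constructed process-creation events. The `hunt` helper and the sample events are assumptions made for the demonstration.

```python
# Added example (not from the advisory): minimal evaluator for the Sigma semantics the
# rules above rely on: endswith/startswith/contains, "1 of selection*", "all of selection*".
OPS = {"endswith": str.endswith, "startswith": str.startswith,
       "contains": lambda v, p: p in v, "": str.__eq__}

def match_field(modifier, value, patterns):
    """One field clause: list values are OR-ed, comparison is case-insensitive."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    v = (value or "").lower()
    return any(OPS[modifier](v, p.lower()) for p in patterns)

def selection_matches(selection, event):
    """All clauses inside a single selection are AND-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not match_field(modifier, event.get(field, ""), patterns):
            return False
    return True

def evaluate(rule, event):
    """Combine selections per the rule's condition (only the two forms used on this page)."""
    det = rule["detection"]
    hits = [selection_matches(s, event) for k, s in det.items() if k.startswith("selection")]
    cond = det["condition"]
    if cond.startswith("1 of "):
        return any(hits)
    if cond.startswith("all of "):
        return all(hits)
    raise ValueError(f"unsupported condition: {cond}")

# PsExec rule with the UNC-path reading of the services.exe alternative. Backslashes are
# Python literals (Sigma escaping already resolved); ' -s ' is padded so it does not hit every -s* switch.
PSEXEC_RULE = {"detection": {
    "selection_psexec": {"Image|endswith": ["\\psexec.exe", "\\psexec64.exe"],
                         "CommandLine|contains": ["accepteula", " -s "]},
    "selection_alternative": {"ParentImage|endswith": "\\services.exe", "Image|startswith": "\\\\"},
    "condition": "1 of selection*"}}

EVENTS = [  # constructed sample telemetry, not real events
    {"Image": r"C:\Tools\PsExec64.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\FS01 -accepteula -s cmd.exe"},
    {"Image": r"\\FS01\ADMIN$\svc.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svc.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

def hunt(rule, events):
    """Return the indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]
```

Running `hunt(PSEXEC_RULE, EVENTS)` returns `[0, 1]`: the PsExec launch and the share-hosted service binary fire, the ordinary svchost.exe child of services.exe does not.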

KQL (Microsoft Sentinel)

// Hunt for lateral movement and data staging associated with LockBit 5
// Look for common tools (PsExec, WMI, SharpHound, Rclone, Robocopy) OR encoded
// PowerShell launched from a shell. The two branches are OR-ed: a separate
// "where ... -enc" stage would require every tool hit to also carry -enc and drop them all.
let tools = dynamic(["psexec", "wmic", "sharphound", "rclone", "robocopy"]);
let shells = dynamic(["powershell.exe", "cmd.exe", "pwsh.exe"]);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has_any (tools)
    or (InitiatingProcessFileName in~ (shells)
        and ProcessCommandLine has_any ("-enc", "-encodedcommand")) // Encoded PowerShell
| extend HostName = DeviceName, Account = InitiatingProcessAccountName
| project Timestamp, HostName, Account, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Rapid Response PowerShell Script

<#
.SYNOPSIS
    LockBit5 Indicators of Compromise (IoC) Hunter
.DESCRIPTION
    Checks for signs of LockBit5 activity: recently created scheduled tasks,
    shadow copy deletion via vssadmin, and bursts of failed RDP logons.
    Run from an elevated PowerShell session: the Security log requires Administrator,
    and the vssadmin check needs Sysmon or process command-line auditing (4688) enabled.
#>

Write-Host "[+] Starting LockBit5 IoC Scan..." -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-1)

# 1. Scheduled Tasks created in the last 24 hours (common persistence).
#    The Date property is a string taken from the task XML and may be empty, so cast it before comparing.
Write-Host "[+] Checking for Scheduled Tasks created in the last 24 hours..." -ForegroundColor Yellow
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $DateCutoff } |
    Select-Object TaskName, Date, Author,
        @{Name='Action'; Expression={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }}

# 2. Shadow Copy deletion attempts (Defense Evasion). vssadmin command lines are recorded by
#    Sysmon Event ID 1 (Microsoft-Windows-Sysmon/Operational) or Security 4688 when
#    command-line auditing is enabled; the System log does not carry them.
Write-Host "[+] Checking for VSSAdmin shadow copy deletion attempts..." -ForegroundColor Yellow
$ProcEvents = @(
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1; StartTime=$DateCutoff} -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$DateCutoff} -ErrorAction SilentlyContinue
)
$VSSEvents = $ProcEvents | Where-Object { $_.Message -match 'vssadmin' -and $_.Message -match 'delete' }
if ($VSSEvents) {
    Write-Host "WARNING: Shadow copy deletion attempts found:" -ForegroundColor Red
    $VSSEvents | Select-Object TimeCreated, Id, ProviderName, Message
} else {
    Write-Host "No recent VSSAdmin deletion events found." -ForegroundColor Green
}

# 3. RDP brute force signs: failed logons (4625) grouped by source IP (Properties[19]).
#    LogonType is Properties[10]: 10 = RemoteInteractive, 3 = Network (RDP with NLA fails as type 3).
Write-Host "[+] Checking for high frequency RDP failures (Event ID 4625)..." -ForegroundColor Yellow
$RDPFailures = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$DateCutoff} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in @(3, 10) }
if ($RDPFailures) {
    $FailedIPs = $RDPFailures | Group-Object -Property { $_.Properties[19].Value } | Where-Object { $_.Count -gt 50 }
    if ($FailedIPs) {
        Write-Host "WARNING: Brute force detected from IPs:" -ForegroundColor Red
        $FailedIPs | Select-Object Name, Count
    } else {
        Write-Host "No source IP exceeded 50 failed logons in the window." -ForegroundColor Green
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  • Network Telemetry: Immediate review of VPN logs for successful logins from anomalous geolocations (specifically check for CVE-2019-6693 exploitation patterns on Fortinet devices).
  • Active Directory: Alert on assignments of the replication rights that enable "DCSync" (Replicating Directory Changes All) and on modifications to msDS-AllowedToActOnBehalfOfOtherIdentity.
  • Endpoint: Watch for processes spawned by explorer.exe that immediately spawn cmd.exe or powershell.exe with encoded arguments (common LockBit 5 payload execution).

Critical Assets for Exfiltration

LOCKBIT5 historically prioritizes:

  1. Patient Records / PHI: (Targeting decaturdiagnosticlab.net, vitexpharma.com).
  2. Intellectual Property / CAD Designs: (Targeting cegasa.com, shunhinggroup.com).
  3. Financial Databases: (Targeting fondonorma.org.ve).

Containment Actions

  1. Isolate: Immediately disconnect assets with detected Cisco FMC or Fortinet VPN anomalies.
  2. Revoke Credentials: Force reset of credentials for all service accounts detected in the last 7 days, especially those with privileged access.
  3. Block Network: Segregate the backup VLAN from the production network immediately to prevent backup encryption.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco FMC) and CVE-2026-23760 (SmarterMail). If patching is not possible, disable the vulnerable interfaces immediately (e.g., block external access to /api/fmc_config or SmarterMail web interfaces from untrusted IPs).
  • Disable RDP: Ensure Remote Desktop Protocol (RDP) is not exposed to the internet. Enforce MFA for all VPN connections.
  • Audit Firewall Rules: Review inbound firewall rules allowing management traffic (HTTPS/SSH) from broad IP ranges. Restrict to specific administrative subnets.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict segmentation for Industrial Control Systems (ICS) in Manufacturing and Medical IoT devices in Healthcare to prevent lateral movement from the IT network.
  • EDR Deployment: Ensure 100% coverage of EDR agents on all critical servers, specifically those handling PHI and IP.
  • Zero Trust Access: Evaluate moving VPN access to a Zero Trust Network Access (ZTNA) model to remove the implicit trust granted by traditional VPN tunnels.

