LOCKBIT5 Resurgence: 27 New Victims Posted — Cisco & Fortinet Exploits Fueling Cross-Industry Attacks

Intelligence Briefing Date: 2026-04-16
Actor: LOCKBIT5

Threat Actor Profile — LOCKBIT5

LOCKBIT5 represents the latest evolution of the notorious LockBit RaaS operation. Despite law enforcement disruptions, the syndicate has re-emerged with improved encryption speeds and evasion techniques. Operating on a strict RaaS model, they recruit affiliates with specialized access to corporate networks.

• Model: Ransomware-as-a-Service (RaaS) with affiliate-driven initial access.
• Ransom Demands: Typically range from $500k to $10M USD, tailored to victim revenue.
• Initial Access: Heavily reliant on external remote services (VPN, Firewalls) and unpatched edge appliances. The resurgence of CVE-2019-6693 (Fortinet) alongside 0-day/n-day exploits (CVE-2026-20131) suggests affiliates are purchasing access from initial access brokers (IABs) or exploiting known gaps in perimeter hygiene.
• Double Extortion: Aggressive data theft prior to encryption. Victims are typically given 48-72 hours to negotiate before data is leaked.
• Dwell Time: Decreasing. Current observations suggest encryption triggers within 3-5 days of initial foothold due to automated tooling.

Current Campaign Analysis

Sector Targeting: The recent victim list indicates a diversified but focused attack surface:

• Healthcare (High Priority): 3 confirmed victims (Decatur Diagnostic Lab - US, Nucleo de Diagnostico - MX, Vitex Pharma - ?). This aligns with LOCKBIT5's strategy to target time-sensitive, high-availability sectors where pressure to pay is highest.
• Manufacturing: 4 victims (Cegasa - ES, Shunhing - HK, Aplast - RO, Vitropor - PT). Indicates targeting of supply chain entities and industrial output.
• Public Sector & Finance: Fondonorma (VE, Financial Services) and Comunidad Andina (PE, Public Sector).

Geographic Concentration: While global, there is a distinct cluster in the Americas (US, Dominican Republic, Mexico, Venezuela, Peru) and Europe (Italy, Spain, Romania, Portugal). The targeting of marti.do (Dominican Republic) and nucleodediagnostico.mx suggests a dedicated campaign against Caribbean/Latin American infrastructure.

CVE Utilization & Initial Access Vectors: The active exploitation of specific CISA KEVs provides clear insight into the breach vectors:

1. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization of untrusted data allows RCE. Affiliates are likely bypassing perimeter defenses by compromising the management consoles themselves.
2. CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass. This provides direct access to internal email servers, enabling phishing from trusted internal accounts or credential harvesting.
3. CVE-2019-6693 (Fortinet FortiOS): The persistent use of this older hardcoded credential vulnerability suggests a massive scan for unpatched VPN appliances.

Victim Profile: Targets range from mid-market (e.g., wibeats.it, pegasussrl.com) to large regional entities (e.g., comunidadandina.org). Revenue estimates for the manufacturing victims suggest >$50M annual revenue, fitting LOCKBIT5's "sweet spot" for ransoms.

Detection Engineering

Sigma Rules

---
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 5d2f4a0b-1b3c-4d5e-8f9a-1b2c3d4e5f6a
description: Detects potential exploitation of Cisco FMC deserialization vulnerability via suspicious child processes of Java/Tomcat services.
status: experimental
author: Security Arsenal Intel
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/04/16
tags:
    - attack.initial_access
    - attack.execution
    - cve.2026.20131
    - ransomware.lockbit
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\\java.exe'
            - '\\javaw.exe'
            - '\	omcat.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\whoami.exe'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: critical

---
title: Suspicious SmarterMail Authentication Bypass Activity
id: 6e3g5b1c-2c4d-5e6f-9a0b-2c3d4e5f6a7b
description: Detects potential authentication bypass or unusual access patterns on SmarterMail servers often associated with CVE-2026-23760.
status: experimental
author: Security Arsenal Intel
date: 2026/04/16
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.23760
    - ransomware.lockbit
logsource:
    product: webserver
    service: iis,nginx,apache
detection:
    selection_uri:
        Uri|contains:
            - '/Mail/Default.aspx'
            - '/Services/Service.asmx'
    selection_method:
        Method: 'POST'
    filter:
        UserAgent|contains:
            - 'Mozilla'
    condition: selection_uri and selection_method and not filter
level: high

---
title: Ransomware Data Staging via Archiving Tools
id: 7f4h6c2d-3d5e-6f7a-0b1c-3d4e5f6a7b8c
description: Detects mass archiving of files indicative of data exfiltration staging by LockBit affiliates using 7-Zip or WinRAR.
status: experimental
author: Security Arsenal Intel
date: 2026/04/16
tags:
    - attack.exfiltration
    - attack.collection
    - ransomware.lockbit
logsource:
    category: process_creation
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\\7z.exe'
            - '\
ar.exe'
            - '\\winrar.exe'
    selection_flags:
        CommandLine|contains:
            - '-a'
            - 'm0'
            - 'l0'
    condition: selection_tool and selection_flags
falsepositives:
    - System backups
    - User file compression
level: high

KQL (Microsoft Sentinel)

// Hunt for LockBit lateral movement and pre-encryption staging
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Common LockBin/LockBit tools and patterns
| where FileName in~ ('powershell.exe', 'cmd.exe', 'powershell_ise.exe', 'psexec.exe', 'psexec64.exe', 'wmic.exe')
| where ProcessCommandLine has 'Add-PSSnapin' or ProcessCommandLine has 'Invoke-Expression' or ProcessCommandLine has 'DownloadString'
// Look for RDP/Shadow copy manipulation
or ProcessCommandLine has 'vssadmin' or ProcessCommandLine has 'bcdedit'
| summarize Count = count(), DistinctProcesses = dcount(ProcessCommandLine) by DeviceName, AccountName, FileName
| where Count > 5
| project DeviceName, AccountName, FileName, Count, DistinctProcesses
| order by Count desc

PowerShell Rapid Response

# Check for recent RDP connections and suspicious Shadow Copy activity
Write-Host "Checking for recent RDP logons (last 24h)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'Logon Type:\s+10'} |
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}} | Format-Table -AutoSize

Write-Host "\
Checking for recent scheduled tasks (last 7d)..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Action

Write-Host "\
Checking for VSSAdmin deletion attempts..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSSADMIN'; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List

Incident Response Priorities

T-Minus Detection Checklist:

1. Hunt for Web Shells: LockBit affiliates often drop web shells on accessible servers post-exploitation (especially Cisco/SmarterMail). Scan web roots for recently modified .aspx, .jsp, or .php files.
2. Audit VPN/Firewall Logs: Immediate review of Cisco FMC and Fortinet logs for unusual administrative logins or configuration changes correlating to the CVEs listed.
3. Mass File Enumeration: Look for processes (PowerShell/CMD) iterating through file systems rapidly (dir, ls, tree) which indicates data discovery.

Critical Assets for Exfiltration:

• HR Databases (SSNs/Tax IDs)
• Financial Records (Audits, Transaction logs)
• R&D / Intellectual Property (Crucial for Manufacturing victims like Cegasa/Shunhing)
• Patient PHI (Priority for Healthcare victims)

Containment Actions:

1. Disconnect: Isolate affected segments immediately. Do not reboot servers yet (memory forensics needed for encryption keys).
2. Reset Credentials: Force reset for all privileged accounts, especially those used for VPN/Firewall management.
3. Block Outbound: Temporarily block traffic to known file-sharing endpoints (Mega, Dropbox) and non-standard ports at the firewall.

Hardening Recommendations

Immediate (24h):

• Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco), CVE-2026-23760 (SmarterMail), and CVE-2019-6693 (Fortinet). If patching is not possible, disable external access to these management interfaces immediately (enforce VPN access to management ports only).
• MFA Enforcement: Ensure all VPN, Email, and Firewall management portals have FIDO2 or hardware-token based MFA enabled.

Short-term (2 weeks):

• Network Segmentation: Move critical backup servers and management consoles to a dedicated management VLAN, strictly separated from the user LAN.
• EDR Rollout: Ensure coverage on all servers, specifically legacy systems running older OS versions often targeted by these exploits.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub