
LOCKBIT5 Resurgence: 27 New Victims Posted — Cisco & Fortinet Exploits Fueling Cross-Industry Attacks

Security Arsenal Team
April 15, 2026
6 min read

Intelligence Briefing Date: 2026-04-16
Source: Ransomware.live Dark Web Leak Site Monitoring
Actor: LOCKBIT5

---

## Threat Actor Profile — LOCKBIT5

LOCKBIT5 is the latest evolution of the LockBit RaaS operation. Despite law enforcement disruptions, the syndicate has re-emerged with faster encryption and improved evasion techniques. Operating on a strict RaaS model, it recruits affiliates who bring their own access to corporate networks.

* Model: Ransomware-as-a-Service (RaaS) with affiliate-driven initial access.
* Ransom Demands: Typically range from $500k to $10M USD, tailored to victim revenue.
* Initial Access: Heavily reliant on external remote services (VPN, firewalls) and unpatched edge appliances. The resurgence of CVE-2019-6693 (Fortinet) alongside 0-day/n-day exploits (CVE-2026-20131) suggests affiliates are purchasing access from initial access brokers (IABs) or exploiting known gaps in perimeter hygiene.
* Double Extortion: Aggressive data theft prior to encryption. Victims are typically given 48-72 hours to negotiate before data is leaked.
* Dwell Time: Decreasing. Current observations suggest encryption triggers within 3-5 days of initial foothold due to automated tooling.

---

## Current Campaign Analysis

Sector Targeting:
The recent victim list indicates a diversified but focused attack surface:
* Healthcare (High Priority): 3 confirmed victims (Decatur Diagnostic Lab - US, Nucleo de Diagnostico - MX, Vitex Pharma - ?). This aligns with LOCKBIT5's strategy of targeting time-sensitive, high-availability sectors where pressure to pay is highest.
* Manufacturing: 4 victims (Cegasa - ES, Shunhing - HK, Aplast - RO, Vitropor - PT). Indicates targeting of supply chain entities and industrial output.
* Public Sector & Finance: Fondonorma (VE, Financial Services) and Comunidad Andina (PE, Public Sector).

Geographic Concentration:
While global, there is a distinct cluster in the Americas (US, Dominican Republic, Mexico, Venezuela, Peru) and Europe (Italy, Spain, Romania, Portugal). The targeting of marti.do (Dominican Republic) and nucleodediagnostico.mx suggests a dedicated campaign against Caribbean/Latin American infrastructure.

CVE Utilization & Initial Access Vectors:
The active exploitation of specific CISA KEVs provides clear insight into the breach vectors:
1. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization of untrusted data allows RCE. Affiliates are likely bypassing perimeter defenses by compromising the management consoles themselves.
2. CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass. This provides direct access to internal email servers, enabling phishing from trusted internal accounts or credential harvesting.
3. CVE-2019-6693 (Fortinet FortiOS): The persistent use of this older hardcoded-credential vulnerability suggests mass scanning for unpatched VPN appliances.

Victim Profile:
Targets range from mid-market (e.g., wibeats.it, pegasussrl.com) to large regional entities (e.g., comunidadandina.org). Revenue estimates for the manufacturing victims suggest >$50M annual revenue, fitting LOCKBIT5's "sweet spot" for ransoms.

---

## Detection Engineering

### Sigma Rules

```yaml
---
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 5d2f4a0b-1b3c-4d5e-8f9a-1b2c3d4e5f6a
description: Detects potential exploitation of the Cisco FMC deserialization vulnerability via suspicious child processes of Java/Tomcat services.
status: experimental
author: Security Arsenal Intel
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/04/16
tags:
  - attack.initial_access
  - attack.execution
  - cve.2026.20131
  - ransomware.lockbit
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\\java.exe'
      - '\\javaw.exe'
      - '\\tomcat.exe'
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\whoami.exe'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: critical

---
title: Suspicious SmarterMail Authentication Bypass Activity
id: 6e3g5b1c-2c4d-5e6f-9a0b-2c3d4e5f6a7b
description: Detects potential authentication bypass or unusual access patterns on SmarterMail servers often associated with CVE-2026-23760.
status: experimental
author: Security Arsenal Intel
date: 2026/04/16
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.23760
  - ransomware.lockbit
logsource:
  category: webserver
detection:
  selection_uri:
    Uri|contains:
      - '/Mail/Default.aspx'
      - '/Services/Service.asmx'
  selection_method:
    Method: 'POST'
  filter:
    UserAgent|contains:
      - 'Mozilla'
  condition: selection_uri and selection_method and not filter
level: high

---
title: Ransomware Data Staging via Archiving Tools
id: 7f4h6c2d-3d5e-6f7a-0b1c-3d4e5f6a7b8c
description: Detects mass archiving of files indicative of data exfiltration staging by LockBit affiliates using 7-Zip or WinRAR.
status: experimental
author: Security Arsenal Intel
date: 2026/04/16
tags:
  - attack.exfiltration
  - attack.collection
  - ransomware.lockbit
logsource:
  category: process_creation
  product: windows
detection:
  selection_tool:
    Image|endswith:
      - '\\7z.exe'
      - '\\rar.exe'
      - '\\winrar.exe'
  selection_flags:
    CommandLine|contains:
      - '-a'
      - 'm0'
      - 'l0'
  condition: selection_tool and selection_flags
falsepositives:
  - System backups
  - User file compression
level: high
```

### KQL (Microsoft Sentinel)

```kql
// Hunt for LockBit lateral movement and pre-encryption staging
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Common LockBit tools and patterns, plus RDP/shadow-copy manipulation
| where FileName in~ ('powershell.exe', 'cmd.exe', 'powershell_ise.exe', 'psexec.exe', 'psexec64.exe', 'wmic.exe')
| where ProcessCommandLine has 'Add-PSSnapin'
    or ProcessCommandLine has 'Invoke-Expression'
    or ProcessCommandLine has 'DownloadString'
    or ProcessCommandLine has 'vssadmin'
    or ProcessCommandLine has 'bcdedit'
| summarize Count = count(), DistinctProcesses = dcount(ProcessCommandLine) by DeviceName, AccountName, FileName
| where Count > 5
| project DeviceName, AccountName, FileName, Count, DistinctProcesses
| order by Count desc
```

### PowerShell Rapid Response

```powershell
# Check for recent RDP connections and suspicious Shadow Copy activity
Write-Host "Checking for recent RDP logons (last 24h)..." -ForegroundColor Yellow
# Event 4624: property 8 = LogonType (10 = RemoteInteractive/RDP), 5 = TargetUserName, 18 = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated, @{n='User'; e={$_.Properties[5].Value}}, @{n='IP'; e={$_.Properties[18].Value}} |
    Format-Table -AutoSize

Write-Host "`nChecking for recent scheduled tasks (last 7d)..." -ForegroundColor Yellow
# Date is a string on ScheduledTask objects and may be empty; cast before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, Date, Author, Actions

Write-Host "`nChecking for VSSAdmin deletion attempts..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSSADMIN'; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

---

## Incident Response Priorities

T-Minus Detection Checklist:
1. Hunt for Web Shells: LockBit affiliates often drop web shells on accessible servers post-exploitation (especially Cisco/SmarterMail). Scan web roots for recently modified .aspx, .jsp, or .php files.
2. Audit VPN/Firewall Logs: Immediately review Cisco FMC and Fortinet logs for unusual administrative logins or configuration changes correlating with the CVEs listed.
3. Mass File Enumeration: Look for processes (PowerShell/CMD) iterating rapidly through file systems (dir, ls, tree), which indicates data discovery.

Critical Assets for Exfiltration:
* HR Databases (SSNs/Tax IDs)
* Financial Records (Audits, Transaction logs)
* R&D / Intellectual Property (Crucial for Manufacturing victims like Cegasa/Shunhing)
* Patient PHI (Priority for Healthcare victims)

Containment Actions:
1. Disconnect: Isolate affected segments immediately. Do not reboot servers yet (memory forensics needed for encryption keys).
2. Reset Credentials: Force reset for all privileged accounts, especially those used for VPN/Firewall management.
3. Block Outbound: Temporarily block traffic to known file-sharing endpoints (Mega, Dropbox) and non-standard ports at the firewall.

---

## Hardening Recommendations

Immediate (24h):
* Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco), CVE-2026-23760 (SmarterMail), and CVE-2019-6693 (Fortinet). If patching is not possible, disable external access to these management interfaces immediately (enforce VPN access to management ports only).
* MFA Enforcement: Ensure all VPN, email, and firewall management portals have FIDO2 or hardware-token based MFA enabled.

Short-term (2 weeks):
* Network Segmentation: Move critical backup servers and management consoles to a dedicated management VLAN, strictly separated from the user LAN.
* EDR Rollout: Ensure coverage on all servers, specifically legacy systems running older OS versions often targeted by these exploits.
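As an added example that is not part of the Security Arsenal briefing, the following Python replays the logic of the two Windows process-creation Sigma rules in the Detection Engineering section (Java/Tomcat spawning a shell, and an archiver invoked with the listed flags) over constructed sample events, so the rule values can be sanity-checked against known-good and known-bad telemetry before deployment. Host names, paths and command lines are made up.

```python
# Added example (not from the Security Arsenal briefing): replays the logic of the
# two Windows process_creation Sigma rules above over constructed sample events.
# Host names, paths and command lines are made up for illustration.
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

# Values mirror the Sigma rules (endswith on image paths, contains on the command line).
JAVA_PARENTS = ("\\java.exe", "\\javaw.exe", "\\tomcat.exe")
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\whoami.exe")
ARCHIVERS = ("\\7z.exe", "\\rar.exe", "\\winrar.exe")
ARCHIVE_FLAGS = ("-a", "m0", "l0")  # taken as-is from the rule; note '-a' is broad

def match_fmc_java_child(ev: ProcEvent) -> bool:
    """Rule 1: Java/Tomcat service spawning a shell or whoami."""
    return (ev.parent_image.lower().endswith(JAVA_PARENTS)
            and ev.image.lower().endswith(SHELL_CHILDREN))

def match_data_staging(ev: ProcEvent) -> bool:
    """Rule 3: archiver binary invoked with one of the listed flag substrings."""
    return (ev.image.lower().endswith(ARCHIVERS)
            and any(flag in ev.command_line for flag in ARCHIVE_FLAGS))

def evaluate(events):
    """Return (host, rule_name) pairs for every event that triggers a rule."""
    hits = []
    for ev in events:
        if match_fmc_java_child(ev):
            hits.append((ev.host, "cve_2026_20131_java_child"))
        if match_data_staging(ev):
            hits.append((ev.host, "data_staging_archiver"))
    return hits

# Constructed sample telemetry: one hit per rule and one benign event.
SAMPLE_EVENTS = [
    ProcEvent("web01", r"C:\Program Files\Cisco\FMC\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws-042", r"C:\Windows\explorer.exe",
              r"C:\Program Files\WinRAR\rar.exe",
              r"rar.exe a -m0 -r D:\stage\fin.rar \\fs01\finance"),
    ProcEvent("dc01", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags web01 under the FMC rule and ws-042 under the staging rule while dc01 stays clean; swapping in real EDR exports is the quickest way to measure how noisy the `-a` substring is in a given environment.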

