Back to Intelligence

LOCKBIT5 Resurgent: Aggressive Surge in Healthcare & Manufacturing — Critical CVE Exploitation & Detection Protocols

SA
Security Arsenal Team
April 14, 2026
7 min read

Aliases & Operations: LOCKBIT5 (believed to be the successor or rebrand of LockBit 3.0/Supp) continues to operate a sophisticated Ransomware-as-a-Service (RaaS) model. Unlike closed groups, they aggressively recruit affiliates, resulting in a high volume of diverse victims. Despite law enforcement disruption attempts in previous years, the core developers have resurfaced with improved encryption code and obfuscation techniques.

Tactics & Economics:

  • Ransom Demands: Variable, typically ranging from $500,000 to $5 million USD depending on victim revenue and data sensitivity.
  • Initial Access: Heavily reliant on exploiting vulnerabilities in external-facing appliances (VPNs, Firewalls, Email gateways). The current campaign specifically leverages CVE-2026-20131 (Cisco FMC), CVE-2026-23760 (SmarterMail), and CVE-2025-5777 (Citrix NetScaler). Phishing with macro-laden documents remains a secondary vector for less technically mature targets.
  • Double Extortion: Standard protocol involves exfiltrating sensitive data (PHI, IP, financial records) to their leak site prior to encryption, followed by pressure campaigns contacting victims' clients and partners.
  • Dwell Time: Automation has reduced their average dwell time to under 72 hours from initial access to encryption, though manual affiliates may linger for weeks to maximize data theft.

Current Campaign Analysis

Sector Targeting: Analysis of the last 100 postings reveals a distinct pivot toward Healthcare (decaturdiagnosticlab.net, nucleodediagnostico.mx, vitexpharma.com) and Manufacturing (cegasa.com, shunhinggroup.com, vitropor.pt). This suggests affiliates are targeting sectors with low tolerance for downtime, likely increasing the likelihood of ransom payment.

Geographic Spread: While historically focused on the US and Western Europe, this specific batch shows a concerning spread into the Caribbean and Latin America (DO, MX, VE, PE). Victims like marti.do (Dominican Republic) and fondonorma.org.ve (Venezuela) indicate a broadening of the target scope, potentially exploiting regional gaps in patch management for perimeter appliances.

Victim Profile: The victims range from mid-market diagnostic labs to large manufacturing conglomerates. The inclusion of comunidadandina.org (Public Sector/Peru) and wibeats.it (Technology) suggests a "spray and pray" approach regarding specific verticals, focusing instead on vulnerable internet-facing infrastructure rather than industry espionage.

Exploitation Correlation: There is a high-confidence correlation between the recent victim surge and the exploitation of CVE-2026-23760 (SmarterMail) and CVE-2026-20131 (Cisco FMC). Several victims in the Technology and Hospitality sectors (likely running their own mail or firewall infrastructure) align with the release dates of these CISA KEV vulnerabilities.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 8a7c6d5e-4f3b-2a1c-9d8e-0f1a2b3c4d5e
description: Detects potential exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center via suspicious URI patterns or deserialization anomalies.
author: Security Arsenal Research
date: 2026/04/14
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/api/fmc_config/v1/domain/'
            - '/api/fmc_platform/v1/auth/generatetoken'
    filter_legit:
        sc-status|contains:
            - '200'
            - '401'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative API usage (validate source IP)
level: critical
---
title: SmarterMail Authentication Bypass Attempt CVE-2026-23760
date: 2026/04/14
id: 9b8d7e6f-5g4c-3b2d-0e9f-1g2h3i4j5k6l
description: Detects suspicious authentication bypass attempts on SmarterMail servers indicative of CVE-2026-23760 exploitation.
author: Security Arsenal Research
status: stable
logsource:
    product: smtp
    service: smtp
detection:
    selection_uri:
        c-uri|contains: '/Services/MailService.asmx'
    selection_method:
        c-method: 'POST'
    selection_keywords:
        c-uri|contains:
            - 'AuthenticateUser'
            - 'GetAutoCompleteResults'
    filter_legit_ip:
        src-ip|cidr:
            - '192.168.0.0/16'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
    condition: selection_uri and selection_method and selection_keywords and not filter_legit_ip
falsepositives:
    - External misconfigured mail clients
level: high
---
title: LockBit5 Process Execution Patterns
date: 2026/04/14
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects characteristic process execution patterns used by LockBit5 affiliates, including SharpHound, Cobalt Strike beacons, and the ransomware binary itself.
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection_recon:
        Image|endswith:
            - '\SharpHound.exe'
            - '\Rubeus.exe'
            - '\Seatbelt.exe'
    selection_lateral:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\wmic.exe'
        CommandLine|contains:
            - 'nodeAndChild'
            - 'process call create'
    selection_ransomware:
        Image|endswith:
            - '.exe'
        CommandLine|contains:
            - '-stop'
            - '-delete'
            - 'shadowcopy'
    condition: 1 of selection_
falsepositives:
    - Legitimate administrative tasks (rare for all combined)
level: critical

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential LockBit5 lateral movement and staging
// Focuses on wmi/psexec usage and mass file modification events
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where (FileName in~ ("psexec.exe", "psexec64.exe", "wmiprvse.exe", "wmi.exe") or 
        InitiatingProcessFileName in~ ("psexec.exe", "powershell.exe", "cmd.exe"))
| where ProcessCommandLine has any("nodeAndChild", "process call create", "invoke-command")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceFileEvents 
    | where Timestamp >= TimeFrame 
    | where ActionType == "FileCreated" 
    | where FileName endswith ".locked" or FileName endswith ".lockbit" or InitiatingProcessFileVersionInfoInternalName =~ "LockBit"
    | summarize Count() by DeviceName, bin(Timestamp, 1m)
) on HostName
| project Timestamp, HostName, AccountName, ProcessCommandLine, RansomwareActivityCount = Count_

Rapid Response PowerShell Script

PowerShell
<#
.SYNOPSIS
    LockBit5 Incident Response - Check for common IOCs and persistence mechanisms.
.DESCRIPTION
    This script checks for recent scheduled tasks (common persistence), Shadow Copy manipulation 
    (pre-encryption), and suspicious network connections often associated with LockBit affiliates.
#>

Write-Host "[+] Starting LockBit5 Rapid Response Checks..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days
Write-Host "\n[*] Checking for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Yellow
$dateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object { $_.Date -gt $dateCutoff -or $_.LastRunTime -gt $dateCutoff } | 
    Select-Object TaskName, Date, LastRunTime, TaskPath, Author | Format-Table -AutoSize

# 2. Check Volume Shadow Copies (LockBit deletes them using vssadmin)
Write-Host "\n[*] Checking Volume Shadow Copy status..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows
    if ($vss -like "*No shadow copies found*" -or $null -eq $vss) {
        Write-Host "[!] ALERT: No Shadow Copies found. Possible deletion." -ForegroundColor Red
    } else {
        Write-Host "[+] Shadow Copies present." -ForegroundColor Green
        # Check for recent vssadmin delete events in Event Log (if available)
        $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$dateCutoff} -ErrorAction SilentlyContinue |
                   Where-Object { $_.Message -match 'vssadmin.exe' -and $_.Message -match 'delete' }
        if ($events) { Write-Host "[!] ALERT: Found evidence of vssadmin delete commands in logs." -ForegroundColor Red }
    }
} catch {
    Write-Host "[-] Could not query VSS." -ForegroundColor Gray
}

# 3. Check for common LockBit process extensions/files
Write-Host "\n[*] Scanning C:\ for .lockbit or .locked files..." -ForegroundColor Yellow
$lockFiles = Get-ChildItem -Path C:\ -Recurse -Include *.lockbit, *.locked -ErrorAction SilentlyContinue
if ($lockFiles) {
    Write-Host "[!] CRITICAL: Encrypted files found!" -ForegroundColor Red
    $lockFiles | Select-Object FullName, CreationTime | Format-Table
} else {
    Write-Host "[+] No encrypted extensions found on C: drive." -ForegroundColor Green
}

Write-Host "\n[+] Scan Complete." -ForegroundColor Cyan


---

# Incident Response Priorities

1.  **T-Minus Detection Checklist:**
    *   **Perimeter Logs:** Immediately review VPN and Firewall logs for indicators of exploit against **Cisco FMC (CVE-2026-20131)**, **Citrix NetScaler (CVE-2025-5777)**, and **SmarterMail (CVE-2026-23760)**.
    *   **Active Directory:** Look for spike in failed authentication events (Golden Ticket attacks or brute force).
    *   **Process Artifacts:** Hunt for `SharpHound` (BloodHound) execution, indicating privilege escalation discovery.

2.  **Critical Assets at Risk:**
    *   LockBit5 historically prioritizes **Electronic Health Records (EHR)** databases (Healthcare victims) and **CAD/Design files** (Manufacturing victims).
    *   Financial backups and SQL Server databases are targeted for immediate encryption.

3.  **Containment Actions (Urgency Order):**
    *   **Isolate:** Disconnect external-facing appliances (VPN, Firewalls, Email Gateways) from the internal network immediately if logs show anomalies.
    *   **Disable Accounts:** Suspend service accounts associated with the exploited appliances (e.g., LDAP/SQL accounts used by SmarterMail or Cisco FMC).
    *   **Segment:** Ensure VLAN segmentation is strictly enforced to prevent SMB lateral movement (PsExec/WMI).

---

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch:** Apply patches for **CVE-2026-20131** (Cisco FMC), **CVE-2026-23760** (SmarterMail), and **CVE-2025-5777** (Citrix) immediately. Disable access to management interfaces from the internet if patching is delayed.
*   **MFA Enforcement:** Enforce Multi-Factor Authentication (MFA) on all VPN, Remote Desktop (RDP), and webmail logins.
*   **Audit Admins:** Review administrative privileges for accounts associated with recently compromised devices.

**Short-Term (2 Weeks):**
*   **Network Segmentation:** Move management interfaces (Firewall managers, Mail gateway admins) to a dedicated "Admin VLAN" with strict jump-host access requirements.
*   **EDR Deployment:** Ensure Endpoint Detection and Response (EDR) coverage is 100% on critical servers, specifically looking for "Living off the Land" (LotL) binaries (PowerShell, WMI, PsExec).
*   **Backup Verification:** Validate offline backups are immutable and test restoration procedures for EHR/ERP systems.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomware-as-a-servicecve-2026-20131smartermailhealthcareinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action