LOCKBIT5 Resurgent: Global Blitz on Healthcare & Manufacturing via Cisco & Citrix Exploits

Threat Level: CRITICAL Date: 2026-04-15 Targeted Regions: Americas (US, LATAM), Europe, Asia-Pacific

Threat Actor Profile — LOCKBIT5

Overview: LOCKBIT5 is the latest evolution of the notorious LockBit ransomware-as-a-service (RaaS) operation. Following law enforcement disruptions in 2024, the group has rebranded and refined their encryption algorithms and leak site operations. They operate on a high-affiliate-volume RaaS model, aggressively recruiting initial access brokers (IABs) to feed their victim pipeline.

TTPs & Behavior:

• Ransom Model: Double extortion. The gang exfiltrates sensitive data and threatens to release it if the ransom (typically ranging from $500k to $10M) is not paid. Encryption is swift and targets local backups.
• Initial Access: Heavily reliant on external-facing infrastructure vulnerabilities. This campaign shows a marked preference for exploiting edge devices like Firewalls (Cisco) and Gateways (Citrix), alongside traditional phishing and compromised VPN credentials.
• Dwell Time: Ranging from 3 days (opportunistic exploit) to 21 days (lateral movement/hunting).
• Tooling: Uses custom tools for data exfiltration (often utilizing rclone or Mega), PsExec for lateral spread, and Cobalt Strike beacons for C2.

Current Campaign Analysis

Sector Targeting: The latest dump of 27 victims indicates a pivot toward Healthcare and Manufacturing. Recent victims include:

• Healthcare: decaturdiagnosticlab.net (US), nucleodediagnostico.mx (MX), vitexpharma.com (Unknown).
• Manufacturing: cegasa.com (ES), shunhinggroup.com (HK), aplast.ro (RO), vitropor.pt (PT).
• Financial/Public: fondonorma.org.ve (VE), comunidadandina.org (PE).

Geographic Spread: While the US remains a primary target, LOCKBIT5 has demonstrated a significant capability to attack Latin American markets (Dominican Republic, Mexico, Venezuela, Peru) and European jurisdictions (Spain, Italy, Romania, Portugal, France).

Victim Profile: The targets are largely mid-market to large enterprises. The inclusion of fondonorma.org.ve (a financial standards body) and comunidadandina.org (a public sector international organization) suggests affiliates are actively hunting for high-value data caches rather than just quick encryption payouts.

CVE Exploitation Analysis: The correlation between recent victim postings and CISA KEV updates is alarming:

1. CVE-2026-20131 (Cisco Secure Firewall FMC): This deserialization vulnerability (added to KEV 2026-03-19) is a likely vector for the recent surge, allowing attackers to bypass perimeter defenses and gain management interface access.
2. CVE-2025-5777 (Citrix NetScaler ADC/Gateway): A historic favorite for ransomware groups; this OOB read vulnerability is being used to breach remote access infrastructure.
3. CVE-2026-23760 (SmarterMail): The authentication bypass is being leveraged to gain footholds in organizations hosting their own email infrastructure (common in Healthcare and Manufacturing).

Detection Engineering

SIGMA Rules

---
title: Potential Cisco Secure Firewall FMC Exploitation CVE-2026-20131
id: 3b5f8c21-0e9a-4a1b-9c5d-1a2b3c4d5e6f
description: Detects potential deserialization exploit attempts against Cisco Secure Firewall Management Center based on URI anomalies and suspicious user agents.
status: experimental
author: Security Arsenal Research
date: 2026/04/15
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: apache
    service: http
detection:
    selection:
        cs-uri-query|contains:
            - '/api/fmc_config/v1/domain/'
            - '/api/fmc_platform/v1/auth/'
    filter_legit:
        sc-status:
            - 200
            - 201
            - 401
    exploit_indicators:
        cs-user-agent|contains:
            - 'python-requests'
            - 'curl'
            - 'scanners'
        |or|
        cs-uri-query|contains: 'serialization'
    condition: selection and not filter_legit and exploit_indicators
falsepositives:
    - Legitimate API testing by admins
level: high
---
title: SmarterMail Authentication Bypass Attempt CVE-2026-23760
id: a1b2c3d4-e5f6-4789-a012-34567890abcdef
description: Detects potential authentication bypass attempts on SmarterMail exploiting alternate path or channel vulnerabilities.
status: experimental
author: Security Arsenal Research
date: 2026/04/15
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    service: smtp
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/LiveServer/'
            - '/WebServices/'
    selection_auth:
        cs-method: 
            - 'POST'
            - 'GET'
    filter_suspicious:
        cs-cookie|contains: 'ASP.NET_SessionId'
    condition: selection_uri and selection_auth and not filter_suspicious
level: high
---
title: Ransomware Pre-Encryption Activity - VSS Deletion
id: 1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects commands used by ransomware gangs (including LockBit) to delete Volume Shadow Copies to prevent recovery.
status: stable
author: Security Arsenal Research
date: 2026/04/15
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wmic.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
            - 'Remove-WmiObject'
    condition: selection
falsepositives:
    - System administrator maintenance (rare)
level: critical

KQL (Microsoft Sentinel)

// Hunt for LockBit 5 lateral movement and staging
// Looks for SMB share creation, PsExec usage, and mass file copying
DeviceProcessEvents 
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "cmd.exe") 
| where ProcessCommandLine has_any ("create", "share", "shadow", "delete") 
       or (ProcessCommandLine has "Invoke-WebRequest" and ProcessCommandLine has_any ("-OutFile", "-o"))
| extend HostName = DeviceName
| project Timestamp, HostName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc

PowerShell Response Script

<#
.SYNOPSIS
    LockBit 5 Rapid Response - Hunt for Persistence and VSS Status
.DESCRIPTION
    This script checks for scheduled tasks created in the last 7 days (common persistence)
    and verifies if Volume Shadow Copies are intact or suspiciously deleted.
#>

Write-Host "[+] Starting LockBit 5 Rapid Response Hunt..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in last 7 days
$CutoffDate = (Get-Date).AddDays(-7)
Write-Host "[*] Checking for Scheduled Tasks created/modified since: $CutoffDate" -ForegroundColor Yellow

Get-ScheduledTask | ForEach-Object {
    $Task = $_
    $TaskInfo = $Task | Get-ScheduledTaskInfo
    if ($TaskInfo.LastRunTime -gt $CutoffDate -or $TaskInfo.NextRunTime -gt $CutoffDate) {
        Write-Host "[!] Suspicious Task Found: $($Task.TaskName)" -ForegroundColor Red
        Write-Host "    Action: $($Task.Actions.Execute)" -ForegroundColor Gray
        Write-Host "    Author: $($Task.Author)" -ForegroundColor Gray
    }
}

# 2. Check Volume Shadow Copy Storage Usage
Write-Host "[*] Checking Volume Shadow Copy Status..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows
    if ($vss -match "No shadows found") {
        Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Potential VSS wipe." -ForegroundColor Red
    } else {
        $shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
        Write-Host "[+] Found $shadowCount shadow copies." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Error running vssadmin." -ForegroundColor Red
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan


---

Incident Response Priorities

Based on the LOCKBIT5 playbook observed in this campaign:

1. T-Minus Detection Checklist:

   • Immediate: Check VPN and Firewall logs for successful logins followed immediately by large-scale SMB file reads (internal reconnaissance).
   • Pre-Encryption: Look for vssadmin.exe delete shadows executions in EDR telemetry. This is the universal "point of no return" signal.
   • Exfil: Monitor for high-volume egress traffic to non-standard ports (often using rclone or encrypted tunnels) preceding encryption.

2. Critical Assets at Risk:

   • Healthcare: PACS imaging servers, EMR databases (SQL), patient billing systems.
   • Manufacturing: CAD design files, ERP systems (SAP/Oracle), intellectual property repositories.

3. Containment Actions (Urgency Order):

   • 1. Disconnect: Isolate affected management interfaces (Cisco FMC, Citrix ADC) from the network immediately.
   • 2. Disable Accounts: Suspend service accounts used by the exploited appliances (e.g., local admin accounts on FMC).
   • 3. Block IP: Block public IPs identified in the exploit logs at the perimeter firewall.

Hardening Recommendations

Immediate (Within 24 Hours):

• Patch CVE-2026-20131: Apply the Cisco Secure Firewall FMC patch immediately. Restrict management access to the FMC interface via ACL to specific internal subnets only.
• Patch CVE-2026-23760: Update SmarterMail instances to the latest patched version. Enable MFA on all email administration consoles.
• Citrix Configuration: Review Citrix NetScaler configurations for CVE-2025-5777 and apply mitigations if patching is delayed (e.g., robust ACLs).

Short-Term (2 Weeks):

• Network Segmentation: Ensure critical healthcare/manufacturing OT and IT systems are segmented from the general corporate network. Prevent lateral movement from the DMZ to the core.
• Implement Zero Trust: Require MFA for all internal admin access, specifically for edge management consoles.
• Backup Integrity: Verify that offline backups are immutable and test the restoration process for EMR and ERP databases.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub