Back to Intelligence

LOCKBIT5 Surge: 15 New Victims Across Manufacturing & Healthcare — Exploitation of Cisco FMC & Check Point Flaws Confirmed

SA
Security Arsenal Team
June 20, 2026
7 min read

Intelligence Level: RED | Source: Ransomware.live Leak Site Monitoring | Date: 2026-06-20

Threat Actor Profile — LOCKBIT5

LockBit5 represents the continued evolution of the notorious LockBit operation (historically LockBit 2.0/3.0). Despite law enforcement disruptions, the brand remains active in 2026 under this moniker.

  • Model: RaaS (Ransomware-as-a-Service). The core development team maintains the encryptor and leak site while recruiting affiliates for initial access.
  • Ransom Demands: Variable, typically calculated as a percentage of the victim's annual revenue (often 3-5%) or ranging from $500k to multi-million dollars for critical infrastructure.
  • Initial Access Vectors: Heavily reliant on exploiting unpatched perimeter vulnerabilities (VPN, Firewall appliances), compromised valid credentials via phishing, and supply chain attacks via RMM tools (like ScreenConnect).
  • Extortion Strategy: Double extortion is standard. Victims' data is dumped on the onion site if negotiations fail. LockBit5 has also been observed engaging in triple extortion (DDoS attacks and harassment of victim clients).
  • Average Dwell Time: Historically short (3-7 days) for opportunistic affiliates, but sophisticated actors using valid credentials may dwell for weeks to months establishing persistence before detonation.

Current Campaign Analysis

Analysis of the last 100 postings and the specific victim dump from 2026-06-17 to 2026-06-19 indicates a high-velocity campaign with diverse targeting.

Sector Targeting

The campaign is broad, but specific verticals are receiving focused attention:

  • Manufacturing (High Priority): 4 victims (venelectronics.com, union-chemical.co.th, parampackaging.com). Suggests a focus on intellectual property and operational disruption.
  • Healthcare (High Priority): 3 victims (teleton.org.hn, sanatoriodelta.com, primelinkbio.com). High-value targets due to the critical nature of patient data.
  • Public Sector: saude.mt.gov.br (BR).
  • Business Services & Education: sra.nl, saico.co.th, utb.edu.vn.

Geographic Concentration

  • Primary Zones: Southeast Asia (TH, VN, TW), South America (VE, BR), and Europe (NL, AT).
  • Notable: The targeting of sra.nl (Netherlands) and weinwurm.cc (Austria) suggests active probing of European networks, possibly leveraging the CVE-2026-50751 (Check Point) vulnerability prevalent in European enterprise environments.

Victim Profile

The victims range from mid-sized entities (e.g., local chemical suppliers, regional hospitals) to government bodies. This suggests a mix of automated vulnerability scanning (for CVE exploitation) and human-operated targeting.

Campaign Velocity

  • Posting Frequency: A "bulk dump" occurred on 2026-06-17 with 14 victims, followed by a single addition on 2026-06-19. This pattern suggests a "Weekend Warrior" affiliate operation or a bulk-encryption event following a period of lateral movement.

CVE Correlation & Initial Access

Based on the CISA KEV list provided and victim profiles, the following vectors are highly probable for this campaign:

  • CVE-2026-20131 (Cisco Secure Firewall FMC): Critical for perimeter breach. The victim sparkinter.com (Technology) and others likely utilize enterprise firewalls vulnerable to this deserialization flaw.
  • CVE-2026-50751 (Check Point Security Gateway): Allows unauthenticated VPN bypass. Given the geographic spread involving international trade (Manufacturing), VPN exploitation is a likely ingress point.
  • CVE-2024-1708 (ConnectWise ScreenConnect): frequently used to jump from Managed Service Providers (MSPs) into end-clients like primelinkbio.com or union-chemical.co.th.

Detection Engineering

SIGMA Rules

YAML
title: Potential Cisco FMC Deserialization Exploit (CVE-2026-20131)
id: 4f8c2a1d-6b3e-4c5d-9e1f-2a3b4c5d6e7f
description: Detects potential exploitation of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious process spawns or webshell-like activity.
status: experimental
date: 2026/06/20
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - cve.2026.20131
    - attack.initial_access
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\\\java.exe'
        Image|endswith:
            - '\\\cmd.exe'
            - '\\\powershell.exe'
            - '\\\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administration tasks by Java-based management consoles
level: high

---
title: LockBit5 Lateral Movement via PsExec or WMI
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects typical LockBit lateral movement patterns using PsExec or WMI for remote deployment.
status: experimental
date: 2026/06/20
author: Security Arsenal Research
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - ransomware
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith: '\\\psexec.exe'
        CommandLine|contains: '-accepteula'
    selection_wmi:
        Image|endswith: '\\\wmic.exe'
        CommandLine|contains: 'process call create'
    selection_suspicious_target:
        CommandLine|contains:
            - 'Admin$'
            - 'C:\\\Windows\\\Temp'
    condition: 1 of selection*
falsepositives:
    - System administration
level: high

---
title: Ransomware Shadow Copy Deletion via VssAdmin
id: 9e8f7a6b-5c4d-3e2f-1a0b-9c8d7e6f5a4b
description: Detects commands used by LockBit and other ransomware to delete Volume Shadow Copies to prevent recovery.
status: experimental
date: 2026/06/20
author: Security Arsenal Research
references:
    - https://attack.mitre.org/techniques/T1490/
tags:
    - attack.impact
    - attack.t1490
    - ransomware
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\\vssadmin.exe'
            - '\\\wbadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'delete catalog'
    condition: selection
falsepositives:
    - Legitimate backup management scripts
level: critical

KQL Hunt Query (Microsoft Sentinel)

Hunt for suspicious lateral movement and staging patterns indicative of pre-ransomware activity.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
// Hunt for unusual SMB access patterns often used in exfil
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 139)
| where ActionType == \"InboundConnectionAccepted\"
| summarize Count = count(), DistinctIPs = dcount(RemoteIP) by DeviceName, InitiatingProcessAccountName
| where Count > 100 and DistinctIPs > 2
| join kind=inner (
    // Correlate with process creation for PsExec/WMI
    DeviceProcessEvents 
    | where Timestamp > ago(TimeFrame) 
    | where FileName in~ (\"psexec.exe\", \"wmic.exe\", \"powershell.exe\")
) on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, Count, DistinctIPs

Rapid Response PowerShell Script

Enumerate scheduled tasks created in the last 7 days and check for active Volume Shadow Copy manipulation.

PowerShell
# Check for recently scheduled tasks (Persistence)
Write-Host \"[+] Checking for Scheduled Tasks created in last 7 days...\" -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, Date, Author, Actions

# Check for recent Volume Shadow Copy Deletion attempts (Event ID 1 from Sysmon or general process audit)
Write-Host \"[+] Checking Event Logs for VssAdmin/Wbadmin deletion attempts...\" -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
    $SuspiciousCommands = $Events | Where-Object { $_.Message -match 'vssadmin.exe' -or $_.Message -match 'wbadmin.exe' } | 
    Where-Object { $_.Message -match 'delete' }
    if ($SuspiciousCommands) {
        Write-Host \"[CRITICAL] Detected Shadow Copy Deletion Commands:\" -ForegroundColor Red
        $SuspiciousCommands | Select-Object TimeCreated, Message
    } else {
        Write-Host \"No deletion attempts found in Security Logs.\" -ForegroundColor Green
    }
} else {
    Write-Host \"[-] No process creation logs found in Security channel.\" -ForegroundColor Gray
}


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  • Process Anomalies: Look for rclone or winscp processes executing on servers—they are often used for staged exfiltration before encryption.
  • Credential Dumping: Monitor for procdump or mimikatz activity against LSASS.
  • Mass File Modification: Watch for processes modifying thousands of files in < 1 minute (often looks like \.exe or random_string.exe touching .doc, .pdf, .db files).

Critical Assets Prioritized for Exfiltration

Based on LockBit5 history:

  1. Patient Records (Healthcare): High leverage for double extortion.
  2. CAD/CAM Designs (Manufacturing): Intellectual Property is high value.
  3. Financial Systems: Accounts payable/receivable databases.

Containment Actions

  1. Isolate VLANs: Immediately segment the affected subnet from the core network.
  2. Disable VPN/RDP: Revoke all VPN access and disable RDP on domain controllers and critical servers immediately if an intrusion is suspected.
  3. Suspend Active Directory Accounts: Suspend accounts of domain admins and service accounts associated with the impacted systems.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Deploy patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, disable affected services (IKEv1 for Check Point, or restrict management interface access for FMC).
  • Secure RMM Tools: Enforce MFA on all ConnectWise ScreenConnect (CVE-2024-1708) and similar remote management portals. Change all local admin passwords used by these tools.

Short-term (2 Weeks)

  • Network Segmentation: Ensure ICS/SCADA (Manufacturing) and Patient Data (Healthcare) networks are strictly segmented from the general IT network.
  • Phishing Resilience: Conduct immediate security awareness training focused on identifying credential harvesting emails, as phishing remains a top vector for LockBit affiliates.
  • Audit External Attack Surface: Scan for exposed RDP (3389) and SMB (445) ports facing the public internet and close them.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganglockbit5ransomwarecve-2026-20131manufacturinghealthcareinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action