LOCKBIT5 Surge: Global Campaign Targets Manufacturing and Healthcare via Cisco & SmarterMail Exploits

Date: 2026-04-17 Source: Ransomware.live / Dark Web Leak Sites Analyst: Security Arsenal Intel Unit

Threat Actor Profile — LOCKBIT5

• Aliases: LockBit 5.0, LockBitSupp (the persona remains active despite law enforcement actions).
• Operational Model: RaaS (Ransomware-as-a-Service). Highly decentralized affiliate model allowing diverse attack vectors.
• Ransom Demands: Variable, typically ranging from $500,000 to $5 million USD depending on victim revenue.
• Initial Access Vectors: Historically focused on exposed RDP and VPN vulnerabilities. Recent shift indicates heavy reliance on exploiting unpatched edge appliances (Firewalls, Email gateways) and valid credentials purchased from initial access brokers.
• Extortion Strategy: Aggressive double extortion. Data is exfiltrated using custom tools (e.g., StealBit) prior to encryption. Leak site pressure includes timer-based countdowns and publication of sensitive employee/corporate data.
• Dwell Time: Extremely short. LOCKBIT5 automates encryption; affiliates often move laterally and detonate payloads within 3–5 days of initial access to minimize defender response time.

Current Campaign Analysis

Recent Victimology (Last 100 Postings)

LOCKBIT5 has posted 26 new victims in the recent cycle, showing a distinct pivot toward specific verticals and geographies.

Confirmed Victims (Published 2026-04-03 to 2026-04-13):

• Healthcare: nucleodediagnostico.mx (MX), vitexpharma.com (Region ?)
• Manufacturing: cegasa.com (ES), shunhinggroup.com (HK), aplast.ro (RO), vitropor.pt (PT)
• Technology: wibeats.it (IT), pegasussrl.com (IT)
• Public Sector: comunidadandina.org (PE)
• Financial Services: fondonorma.org.ve (VE)
• Ag/Food: earthprotect.co.jp (JP)
• Hospitality: villa-romane.fr (FR)
• Other: marti.do (DO), seleniaravenna.it (IT), meyzietp.com (?)

Geographic Concentration

A heavy emphasis on Latin America (DO, MX, ES, VE, PE) and Europe (IT, RO, PT, FR), with significant outreach into Asia (JP, HK). This suggests affiliates are actively scanning for vulnerable endpoints across these regions.

Campaign Characteristics

• Sector Focus: Manufacturing (24%) and Healthcare (15%) represent the highest density of targets. These sectors are notoriously vulnerable to operational downtime, increasing the likelihood of ransom payment.
• CVE Correlation: The victimology strongly correlates with the recently exploited CVEs listed in the CISA KEV catalog.
  • CVE-2026-20131 (Cisco Secure Firewall): Likely entry point for wibeats.it and shunhinggroup.com (Tech/Manufacturing).
  • CVE-2026-23760 (SmarterTools SmarterMail): A probable vector for the Healthcare (nucleodediagnostico.mx) and Tech victims where email gateways are exposed externally.
  • CVE-2025-5777 (Citrix NetScaler): Classic perimeter exploitation consistent with the broad geographic spread.
• Escalation: High frequency of postings on April 3rd and April 13th indicates "bulk" encryption weekends, a hallmark of automated ransomware operations.

Detection Engineering

SIGMA Rules

Detection logic for recent exploit chains and LOCKBIT5 staging behaviors.

title: Potential Cisco FMC Deserialization Exploit CVE-2026-20131
id: 4a8d1f2b-9c8e-4f1a-b5d6-7e8g9h0i1j2k
description: Detects potential exploitation attempts of Cisco Secure Firewall Management Center deserialization vulnerability via suspicious web requests.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/sfmgr/'
            - '/api/fmc_config/'
        sc-status:
            - 200
            - 500
    selection_content:
        cs-content-type|contains:
            'application/'
    condition: selection and selection_content
falsepositives:
    - Legitimate administrative API usage
level: high

tags:
    - attack.initial_access
    - cve.2026.20131
    - detection.emerging_threats
---
title: SmarterMail Authentication Bypass CVE-2026-23760
id: 5b9e2g3h-0i1j-4k5l-m6n7-o8p9q0r1s2t3
description: Detects SmarterMail authentication bypass attempts via alternate path or channel.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains:
            - '/SimpleAuth.aspx'
            - '/ResetPassword.aspx'
    selection_method:
        cs-method: 'POST'
    selection_suspicious:
        c-uri|contains:
            - '..%2F'
            - '%00'
    condition: selection_uri and selection_method and selection_suspicious
falsepositives:
    - None expected
level: critical

tags:
    - attack.initial_access
    - cve.2026.23760
    - web.attack
---
title: LOCKBIT5 Pre-Encryption Staging Activity
id: 6c0f3h4i-1j2k-5l6m-n7o8-p9q0r1s2t3u4
description: Detects typical LOCKBIT5 pre-encryption behavior including mass deletion of Volume Shadow Copies and use of tools like SharpHound or Rclone.
status: experimental
date: 2026/04/17
author: Security Arsenal
logsource:
    category: process_creation
detection:
    selection_vss:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_tools:
        Image|endswith:
            - '\rclone.exe'
            - '\ SharpHound.exe'
            - '\ stealer.exe'
    selection_powershell:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Remove-Item'
            - '-Recurse -Force'
            - 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
    condition: 1 of selection
falsepositives:
    - Legitimate system administration (rare for vssadmin delete)
level: high

tags:
    - attack.impact
    - attack.exfiltration
    - ransomware.lockbit

KQL (Microsoft Sentinel)

Hunt for lateral movement and mass file modification indicative of ransomware preparation.

// Hunt for suspicious process execution chains common in LOCKBIT5 attacks
let ProcessList = dynamic(["vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "taskkill.exe", "powershell.exe", "cmd.exe", "rclone.exe", "psexec.exe", "SharpHound.exe"]);
DeviceProcessEvents  
| where Timestamp >= ago(7d)  
| where FileName in~ ProcessList  
| where ProcessCommandLine has any("delete", "shadow", "copy", "stop", "compress", "encryption")  
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine  
| extend FullPath = FolderPath + FileName
| order by Timestamp desc

PowerShell Response Script

Rapid triage script to check for persistence mechanisms and Shadow Copy manipulation.

<#
.LOCKBIT5 Triage Script
.Description Checks for recent Shadow Copy deletions and suspicious scheduled tasks added in the last 24 hours.
#>

Write-Host "[+] Checking for VSS Administration Events (Shadow Copy Deletions)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -like '*delete*' -or $_.Message -like '*shadow copy*'} |
Select-Object TimeCreated, Message | Format-List

Write-Host "[+] Enumerating Scheduled Tasks created in last 24 hours..." -ForegroundColor Cyan
$schTasks = Get-ScheduledTask | Where-Object {$_.Date -ge (Get-Date).AddHours(-24)}
if ($schTasks) {
    $schTasks | ForEach-Object {
        Write-Host "Task Name: $($_.TaskName)" -ForegroundColor Yellow
        Write-Host "Action: $($_.Actions.Execute)"
        Write-Host "Author: $($_.Author)"
        Write-Host "----------------------------------"
    }
} else {
    Write-Host "No new scheduled tasks found." -ForegroundColor Green
}

Write-Host "[+] Checking for common Ransomware extensions in user profiles..." -ForegroundColor Cyan
Get-ChildItem -Path C:\Users\ -Recurse -Include *.lockbit, *.locked, *.encrypted -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

1. Edge Device Logs: Immediate review of Cisco FMC, Citrix ADC, and SmarterMail logs for the specific IOCs mentioned in the Detection Engineering section.
2. Active Directory: Look for massive gpresult enumeration or SharpHound JSON files being written to disk.
3. Network Traffic: Hunt for outbound connections to known VPS providers and large, sustained data transfers (Exfiltration).

Critical Assets for Exfiltration

• Active Directory Database: Essential for credential cracking and future persistence.
• Financial Records: 2025/2026 Tax filings and Q1 financial statements are high leverage.
• R&D / IP: Crucial for Manufacturing and Tech victims.
• PII/PHI: High value for Healthcare victims (HIPAA implications).

Containment Actions (Order of Urgency)

1. Isolate Edge: Disconnect VPN concentrators and Firewalls from the management plane if compromise is suspected.
2. Disable Accounts: Suspend service accounts used for email gateways and firewall management immediately.
3. Network Segmentation: Sever links between IT and OT/SCADA networks immediately, especially for Manufacturing victims.

Hardening Recommendations

Immediate (24 Hours)

• Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco FMC), CVE-2026-23760 (SmarterMail), and CVE-2025-5777 (Citrix) immediately.
• Disable MFA Bypass: Ensure all VPN and Email access enforces MFA with no bypass mechanisms.
• Block Internet Access: Restrict internet access for critical management servers (Firewall managers, Hypervisors).

Short-Term (2 Weeks)

• Zero Trust Architecture: Implement strict verification for every access request, particularly for management interfaces.
• EDR Deployment: Ensure full EDR coverage is active on legacy systems and edge appliances.
• Offline Backups: Verify that backups are truly immutable and offline. Test restoration procedures.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub