ZCyberNews
Threat Intel | Critical | 4 min read | Tags: LockBit 4.0, CVE-2025-4821, CVE-2025-3301

LockBit 4.0 Targets Healthcare Sector with New Evasion Techniques

LockBit 4.0 operators have launched a coordinated campaign against healthcare organizations in North America and Europe, deploying updated ransomware with improved EDR evasion and a new double-extortion portal.


Indicators of Compromise (6)

Type      | Value                                                            | Description                                          | Confidence
Domain    | lb4portal-exfil.onion                                            | LockBit 4.0 double-extortion portal                  | high
File Path | C:\ProgramData\Microsoft\Fonts\fontdrvhost.dll                   | Malicious DLL side-loading path                      | high
SHA256    | a3f8c2d9e1b47f6a0c5d8e2b1f4a9c3d7e0b5f8a2c6d9e3b0f7a4c1d8e5b2f9  | LockBit 4.0 encryptor binary                         | high
SHA256    | b9e2d5a8c1f4e7b0d3a6c9f2b5e8d1a4c7f0b3e6d9a2c5f8b1e4d7a0c3f6b9e2 | Legitimate-looking loader (signed certificate abuse) | high
IP        | 185.220.101.47                                                   | C2 server — AS TOR exit node                         | high
IP        | 194.165.16.11                                                    | Initial access broker infrastructure                 | medium

Executive Summary

LockBit 4.0 operators have launched a targeted campaign against healthcare organizations across North America and Western Europe, with confirmed intrusions at seven hospital networks and two pharmaceutical companies between March 25 and April 8, 2026. The attacks leverage two recently patched VPN vulnerabilities (CVE-2025-4821 and CVE-2025-3301) as initial access vectors, with an average dwell time of 11 days before ransomware deployment.

The updated encryptor introduces intermittent encryption — encrypting only specific byte ranges within files — which dramatically reduces encryption time while rendering files unrecoverable without the threat actor's key. A new double-extortion portal on the TOR network hosts stolen patient data for ransom negotiation leverage.

Defenders should immediately audit VPN appliance patch status, restrict RDP exposure, and validate EDR coverage against the updated evasion techniques documented below.

Technical Analysis

Initial Access

Attackers exploit unpatched Ivanti Connect Secure (CVE-2025-4821, CVSS 9.8) and Pulse Secure (CVE-2025-3301, CVSS 9.1) VPN appliances. Both vulnerabilities allow pre-authentication remote code execution. CISA issued emergency directives for both CVEs in February 2026, but a significant portion of healthcare organizations had not applied patches at the time of intrusion.

Post-exploitation, attackers drop a PowerShell stager via the VPN process context:

# Observed dropper (de-obfuscated)
# Stage 2 is a base64-encoded .NET assembly stashed in an environment variable
$stage2 = [System.Convert]::FromBase64String($env:COMSPEC_EXT)
# The assembly is loaded from the byte array (no file written to disk) and its entry point invoked
[System.Reflection.Assembly]::Load($stage2).EntryPoint.Invoke($null, $null)

Persistence and Defense Evasion

The loader abuses DLL side-loading through fontdrvhost.exe, a legitimately signed Microsoft binary. The malicious fontdrvhost.dll is dropped to C:\ProgramData\Microsoft\Fonts\ and loaded when the binary is executed as a service. This technique bypasses application allowlisting solutions that trust signed parent processes.

A modified Mimikatz variant (sekurlsa::logonpasswords) is used for credential harvesting. The variant strips debug symbols and uses indirect syscalls to evade user-mode EDR hooks.

Encryption Mechanism

LockBit 4.0 uses intermittent encryption: rather than encrypting entire files, it encrypts every 3rd sector (512 bytes) of each file. This achieves ~300% faster throughput compared to full-file encryption while ensuring complete data loss for victims. Files receive the .lb4 extension.
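For incident triage of files hit by this kind of encryptor, the following added Python example (not code from this report or from the LockBit project) scores each 512-byte sector by Shannon entropy, searches for a regular encrypted-sector stride (period 3 as the report describes, and other strides as a generalization), and lists the byte ranges left in plaintext. The sample file it builds is a constructed fixture in which seeded pseudo-random bytes stand in for ciphertext; the 7.0 bits/byte threshold is an assumption.

```python
import math
import random
from collections import Counter

SECTOR = 512  # sector size the report gives for LockBit 4.0's intermittent encryption

def sector_entropy(chunk: bytes) -> float:
    """Shannon entropy of one sector in bits per byte (0.0 .. 8.0)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def classify_sectors(data: bytes, threshold: float = 7.0) -> list:
    """True for each sector whose entropy looks like ciphertext (threshold is an assumption)."""
    return [sector_entropy(data[i:i + SECTOR]) >= threshold for i in range(0, len(data), SECTOR)]

def intermittent_pattern(flags: list, max_period: int = 8):
    """Smallest (period, offset) such that exactly the sectors with index % period == offset
    are high-entropy, or None. The report describes period 3; other strides are covered too."""
    n = len(flags)
    if n < 6 or not any(flags) or all(flags):
        return None
    for period in range(2, max_period + 1):
        for offset in range(period):
            if all(flags[i] == (i % period == offset) for i in range(n)):
                return period, offset
    return None

def plaintext_ranges(flags: list) -> list:
    """Byte ranges [start, end) of untouched sectors, for salvage triage only;
    the encrypted sectors stay unrecoverable without the actor's key."""
    ranges, start = [], None
    for i, enc in enumerate(flags + [True]):  # sentinel closes a trailing plaintext run
        if not enc and start is None:
            start = i
        elif enc and start is not None:
            ranges.append((start * SECTOR, i * SECTOR))
            start = None
    return ranges

def build_sample(n_sectors: int = 12, period: int = 3, offset: int = 0) -> bytes:
    """Constructed fixture: text-like sectors, every `period`-th one replaced by seeded
    pseudo-random bytes standing in for ciphertext. Nothing is encrypted here."""
    rng = random.Random(2026)
    line = b"PATIENT RECORD 0001 | NAME: J. DOE | DOB: 1970-01-01 | MRN: 00012345\n"
    plain = (line * (SECTOR // len(line) + 1))[:SECTOR]
    out = bytearray()
    for i in range(n_sectors):
        out += bytes(rng.getrandbits(8) for _ in range(SECTOR)) if i % period == offset else plain
    return bytes(out)
```

Run `classify_sectors` over a suspect .lb4 file read in binary mode, then feed the flags to `intermittent_pattern` and `plaintext_ranges` to confirm the stride and see what, if anything, can be salvaged.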

Indicators of Compromise

See the IOC table above for full indicator details. Key network indicators include outbound connections to 185.220.101.47 over port 443 using a non-standard TLS certificate with Subject CN=Microsoft Update Service. File system indicators include the presence of fontdrvhost.dll outside of C:\Windows\System32\.

Tactics, Techniques & Procedures

See the MITRE ATT&CK matrix above for a full TTP breakdown. The kill chain progresses from VPN exploitation → PowerShell stager → service persistence → credential harvesting → RDP lateral movement → data exfiltration → intermittent encryption.

Threat Actor Context

LockBit is a ransomware-as-a-service (RaaS) operation that has been active since 2019. LockBit 4.0 represents the fourth major iteration following law enforcement disruption of LockBit 3.0 infrastructure in February 2024 (Operation Cronos). The group reconstituted within months, recruiting new affiliates through dark web forums.

Attribution confidence is high based on code similarities with prior LockBit variants, overlapping C2 infrastructure, and ransom note formatting. The group is assessed to operate from Russia with tolerance from Russian authorities.

Healthcare targeting is consistent with the group's established pattern of prioritizing high-pressure sectors where encryption has immediate life-safety consequences.

Detection & Hunting Queries

Splunk — DLL Side-Loading Detection

index=endpoint sourcetype=sysmon EventCode=7
ImageLoaded="*\\fontdrvhost.dll"
NOT ImageLoaded="C:\\Windows\\System32\\*"
| stats count by ComputerName, Image, ImageLoaded, Signed, SignatureStatus

Splunk — Unusual PowerShell Environment Variable Usage

index=endpoint sourcetype=sysmon EventCode=1
Image="*\\powershell.exe"
CommandLine="*FromBase64String*$env:*"
| stats count by ComputerName, User, CommandLine, ParentImage
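The same two detections expressed as plain Python over exported Sysmon events, as an added example that is not part of the original report or of any vendor product; the event dicts, hostnames and users are constructed, and the flat field names are assumed to match what a log shipper exports from Sysmon.

```python
import re

# Windows paths are case-insensitive, so everything is compared lower-cased.
SYSTEM32 = "c:\\windows\\system32\\"
# Mirrors the SPL wildcard *FromBase64String*$env:* from the second query.
B64_ENV = re.compile(r"FromBase64String.*\$env:", re.IGNORECASE)

def rule_sideload(ev: dict):
    """Sysmon Event 7: fontdrvhost.dll image-loaded from anywhere except System32."""
    loaded = ev.get("ImageLoaded", "").lower()
    if ev.get("EventID") != 7 or not loaded.endswith("\\fontdrvhost.dll") or loaded.startswith(SYSTEM32):
        return None
    return {"rule": "fontdrvhost_dll_sideload", "host": ev.get("ComputerName"),
            "image": ev.get("Image"), "loaded": ev.get("ImageLoaded"),
            "signed": ev.get("Signed"), "sig_status": ev.get("SignatureStatus")}

def rule_ps_b64_env(ev: dict):
    """Sysmon Event 1: powershell.exe decoding base64 taken from an environment variable."""
    image = ev.get("Image", "").lower()
    if ev.get("EventID") != 1 or not image.endswith("\\powershell.exe"):
        return None
    if not B64_ENV.search(ev.get("CommandLine", "")):
        return None
    return {"rule": "powershell_base64_from_env", "host": ev.get("ComputerName"),
            "user": ev.get("User"), "parent": ev.get("ParentImage"), "cmd": ev.get("CommandLine")}

RULES = (rule_sideload, rule_ps_b64_env)

def run_rules(events) -> list:
    """Apply every rule to every event and return the alerts raised, in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

# Constructed sample events (flat dicts of Sysmon fields); hostnames, users and the
# benign entries are made up, the two malicious ones follow the report's indicators.
SAMPLE_EVENTS = [
    {"EventID": 7, "ComputerName": "WS-RADIOLOGY-07", "Signed": "true", "SignatureStatus": "Valid",
     "Image": "C:\\Windows\\System32\\fontdrvhost.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Fonts\\fontdrvhost.dll"},
    {"EventID": 7, "ComputerName": "WS-RADIOLOGY-07", "Signed": "true", "SignatureStatus": "Valid",
     "Image": "C:\\Windows\\System32\\fontdrvhost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\fontdrvhost.dll"},
    {"EventID": 1, "ComputerName": "VPN-GW-01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\VPNClient\\vpnsvc.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"[System.Convert]::FromBase64String($env:COMSPEC_EXT)\""},
    {"EventID": 1, "ComputerName": "WS-ADMIN-02", "User": "CLINIC\\jsmith",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Service -Name Spooler"},
]
```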

Key Log Sources

  • Windows Sysmon (Events 1, 7, 10, 11, 13)
  • VPN appliance authentication logs (failed + successful)
  • EDR telemetry for LSASS memory access
  • NetFlow for outbound TOR exit node IPs

Mitigations & Recommendations

Immediate (0–24 hours)

  1. Apply CVE-2025-4821 and CVE-2025-3301 patches to all VPN appliances
  2. Block outbound connections to known TOR exit nodes at the firewall
  3. Disable unnecessary RDP exposure; enforce Network Level Authentication
  4. Hunt for fontdrvhost.dll outside C:\Windows\System32\

Short-term (1–7 days)

  1. Enforce VPN multi-factor authentication
  2. Deploy application control rules blocking DLL loads from C:\ProgramData\
  3. Review and limit service account privileges
  4. Validate LSASS protection settings (RunAsPPL)

Long-term

  1. Implement network segmentation between clinical and administrative VLANs
  2. Deploy immutable backup solutions with air-gapped copies
  3. Conduct tabletop exercises for ransomware scenarios specific to healthcare workflows

References

  1. CISA Emergency Directive ED-26-002: https://www.cisa.gov
  2. BleepingComputer LockBit 4.0 analysis: https://www.bleepingcomputer.com
  3. MITRE ATT&CK LockBit profile: https://attack.mitre.org/groups/G0075/
