Back to Intelligence

FULCRUMSEC Ransomware: 2026-05 Campaign Targets US Healthcare & Tech via Mail Exploits

SA
Security Arsenal Team
May 1, 2026
6 min read

FULCRUMSEC is a rapidly evolving Ransomware-as-a-Service (RaaS) operation that emerged in late 2025. Unlike traditional affiliates who rely heavily on initial access brokers (IABs) selling VPN credentials, FULCRUMSEC operators demonstrate high technical proficiency in exploiting external-facing services, particularly email infrastructure.

  • Aliases: None confirmed (operates solely as FULCRUMSEC).
  • Operational Model: RaaS with an aggressive affiliate program.
  • Ransom Demands: Highly variable, ranging from $500k for mid-market Business Services to upwards of $10M for targeted Healthcare and Technology giants.
  • Initial Access: Heavily favors exploitation of unpatched edge services (Microsoft Exchange, SmarterMail) over phishing. Recent campaigns show a shift toward exploiting management interfaces (Cisco FMC).
  • Tactics: Aggressive double extortion. They typically exfiltrate 1-2TB of data via FTP/WebDAV tools before detonating encryption.
  • Dwell Time: Short. Average dwell time is approximately 3–5 days from initial exploit to encryption, leaving a narrow window for detection.

Current Campaign Analysis

Date of Activity: 2026-05-01 Victim Count: 15+ confirmed postings in the last 24 hours.

Sector Targeting

FULCRUMSEC has launched a broad-spectrum attack with a distinct pivot toward the Technology and Healthcare sectors in the US. Notable victims include Avnet (Tech), LexisNexis (Data/Bus. Services), and Lena Health (Healthcare). This suggests a strategic intent to maximize impact by targeting data-rich organizations.

Geographic Concentration

While the group maintains a global footprint with recent hits in Germany (Interzero), India (Saleskido), and Mexico (Nordstern Technologies), 80% of the victims in this surge are US-based.

Victim Profile

  • Size: Large Enterprise to Upper-Mid Market.
  • Revenue: Estimated $50M - $10B+ range based on targets like LexisNexis and Avnet.

CVE Linkage & Initial Access Vectors

The surge in victims correlates directly with the weaponization of recently added CISA KEV vulnerabilities:

  1. CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability allowing authenticated attackers to execute code. Given the targeting of large corporates, legacy Exchange servers remain a prime entry point.
  2. CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): These CVEs (File Upload and Auth Bypass) are likely the primary vectors for the Technology and Business Service victims hosting their own mail.
  3. CVE-2025-55182 (Meta React): Targeting SaaS and Tech firms utilizing React Server Components for web app exploitation.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential SmarterMail Exploitation CVE-2025-52691
description: Detects potential exploitation of SmarterMail unrestricted file upload vulnerability via suspicious IIS log patterns or file creation.
id: 0c7a8d9a-1b2c-3f4e-5d6a-7b8c9d0e1f2a
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains: 'SmarterMail'
        RelativeTargetName|contains: 
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: selection
falsepositives:
    - Legitimate admin uploads
level: high
---
title: Microsoft Exchange Deserialization Exploit Attempt CVE-2023-21529
description: Detects suspicious activity related to Exchange Deserialization vulnerabilities, specifically looking for unusual processes spawned by w3wp.exe.
id: 1d8b0e1a-2c3d-4e5f-6a7b-8c9d0e1f2a3b
status: experimental
date: 2026/05/01
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
        ParentImage|contains: '\ClientAccess\'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\whoami.exe'
    filter_legit:
        User|contains: 'SYSTEM' # Filter out standard system ops, requires tuning
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Administrative maintenance
level: critical
---
title: Ransomware VSS Shadow Copy Deletion
description: Detects commands used to delete Volume Shadow Copies, a common precursor to encryption by ransomware gangs like FULCRUMSEC.
id: 2e9c1f2b-3d4e-5f6a-7b8c-9d0e1f2a3b4c
status: experimental
date: 2026/05/01
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_keyword:
        CommandLine|contains:
            - 'vssadmin delete shadows'
            - 'wbadmin delete catalog'
            - 'bcdedit /set {default} recoveryenabled No'
    condition: selection_keyword
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging associated with FULCRUMSEC
// Looks for PsExec/WMI usage and large file transfers to non-standard paths
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in ("psexec.exe", "psexec64.exe", "wmic.exe")
| where FileName in ("cmd.exe", "powershell.exe", "rundll32.exe")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "winword.exe")
    | where FileSize > 1000000 // > 1MB staged files
    | project Timestamp, DeviceName, FileName, FolderPath, FileSize
) on DeviceName
| distinct Timestamp, HostName, FileName, FolderPath, FileSize, InitiatingProcessCommandLine

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    FULCRUMSEC Rapid Response Hardening Script
.DESCRIPTION
    Checks for exposed RDP, enumerates suspicious scheduled tasks (last 7 days), 
    and audits IIS/Exchange log patterns for recent exploitation.
#>

Write-Host "[+] Starting FULCRUMSEC Response Hardening..." -ForegroundColor Cyan

# 1. Check for recent Scheduled Tasks (Persistence)
Write-Host "[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, Author

# 2. Check for RDP Exposure (Network Profile)
Write-Host "[*] Checking Network Profiles for RDP exposure..." -ForegroundColor Yellow
Get-NetFirewallRule -DisplayName "Remote Desktop*" | 
    Where-Object {$_.Enabled -eq 'True' -and $_.Profile -match 'Any|Public'} | 
    Select-Object DisplayName, Profile, Direction

# 3. Audit IIS Logs for SmarterMail/Exchange Exploitation (Last 24h)
$logPaths = @("C:\inetpub\logs\LogFiles\", "C:\Program Files\Microsoft\Exchange Server\V15\Logging\")
$cutoffTime = (Get-Date).AddHours(-24)

foreach ($path in $logPaths) {
    if (Test-Path $path) {
        Write-Host "[*] Scanning $path for suspicious 500/400 errors..." -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | 
        Where-Object {$_.LastWriteTime -gt $cutoffTime} | 
        Select-String -Pattern " (500|400) " | Select-Object -First 5 Path, Line
    }
}
Write-Host "[+] Script Complete." -ForegroundColor Green


---

# Incident Response Priorities

T-minus Detection Checklist

  • IIS/Exchange Logs: Immediate grep for POST requests to /ecp/, /owa/, or SmarterMail /Services/ endpoints ending with 500 or 401 errors in the last 72 hours.
  • Process Anomalies: Hunt for w3wp.exe spawning cmd.exe or powershell.exe.
  • File Staging: Look for mass file renames (.enc or random extensions) or the creation of zip files in C:\Windows\Temp or \ProgramData.

Critical Assets for Exfiltration

Based on the victim profile (Healthcare/Legal), FULCRUMSEC prioritizes:

  1. Electronic Health Records (EHR) Databases (SQL Server backups).
  2. Legal Document Repositories (LexisNexis style data stores).
  3. Intellectual Property (Source code repositories for Tech victims).

Containment Actions

  1. Segment Mail Servers: Immediately isolate Exchange and SmarterMail servers from the internet and internal network.
  2. Reset Service Account Credentials: Assume credentials for AD accounts running mail services are compromised.
  3. Block Outbound C2: Block traffic to known FULCRUMSEC C2 IPs and non-standard ports (e.g., 8080, 4443) at the firewall.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Edge Services: Apply patches for CVE-2023-21529, CVE-2025-52691, and CVE-2026-23760 immediately. If patching is impossible, disable external access to OWA/ECP and SmarterMail web interfaces until patched.
  • Disable Unused Features: Disable PowerShell Remoting (WinRM) on non-admin workstations and servers.

Short-term (2 Weeks)

  • Zero Trust Network Access (ZTNA): Implement ZTNA for VPN access; replace direct RDP/VPN access with application-level gateways.
  • Mail Server Segmentation: Move email infrastructure to a hardened DMZ with strict egress rules.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsecransomwarehealthcareexchange-exploitationsmartermaildouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action