Date: 2026-05-03
Source: Ransomware.live / Dark Web Leak Site Monitoring
Analyst: Security Arsenal Intel Team
Executive Summary
FULCRUMSEC has posted 15 new victims to its dark web leak site between May 1 and May 3, 2026. This represents a significant acceleration in activity, with a distinct focus on US-based entities in the Technology, Healthcare, and Business Services sectors. Intelligence suggests the group is actively exploiting recently disclosed CISA Known Exploited Vulnerabilities (KEV) affecting Microsoft Exchange Server and SmarterTools SmarterMail to gain initial access.
Threat Actor Profile — FULCRUMSEC
- Model: Ransomware-as-a-Service (RaaS) with a decentralized affiliate network.
- Aliases: None confirmed; operates primarily under the FULCRUMSEC moniker.
- Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million USD depending on victim revenue.
- Initial Access: Heavy reliance on external remote services (VPN exploitation) and exploits against internet-facing email infrastructure (Exchange, SmarterMail).
- Extortion Strategy: Aggressive double extortion. Victims are given 72-96 hours to negotiate before data leaks. FULCRUMSEC maintains a dedicated "Wall of Shame" for non-compliant victims.
- Dwell Time: Estimated 3–7 days. The group moves rapidly from initial access to data exfiltration to encryption.
Current Campaign Analysis
Sector & Geographic Focus
- Top Sectors: Technology (33%), Healthcare (20%), Business Services (27%).
- Geography: 73% of recent victims are US-based. International targets include Mexico, India, Germany, and the Netherlands.
- Victim Profile: Mix of mid-market to large enterprise. Recent victims include major data processors (LexisNexis), healthcare providers (Lena Health, Woundtech), and component manufacturers (Analog Gold).
Observed Tactics & CVE Correlation
The correlation between recent victim sectors and the CVEs added to the CISA KEV list in early 2026 is strong.
- CVE-2023-21529 (Microsoft Exchange Deserialization): Being used to target Business Services and Technology firms reliant on on-premise Exchange servers.
- CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Critical vulnerability cluster allowing unauthorized file upload and authentication bypass. This is likely the primary vector for the Healthcare and Business Services victims posted on May 1.
- CVE-2026-20131 (Cisco Secure Firewall Management Center): Used for perimeter breach in organizations with legacy firewall management interfaces exposed.
Escalation Pattern
FULCRUMSEC postings follow a distinct "batch" pattern. After a period of low activity (2-3 days), they release a mass of victim profiles simultaneously to overwhelm security teams and maximize media pressure.
Detection Engineering
Sigma Rules
Detection logic tailored to FULCRUMSEC's observed abuse of Exchange deserialization, SmarterMail upload vulnerabilities, and standard lateral movement tooling.
---
title: Potential Exchange Server Deserialization Exploit (FULCRUMSEC)
id: 2f8e9a10-1b3c-4d5e-8f9a-1b2c3d4e5f6a
description: Detects potential exploitation of CVE-2023-21529 or similar deserialization vulnerabilities in Microsoft Exchange Server via the IIS worker process (w3wp.exe) spawning a command interpreter or scripting host, which the worker process does not do during normal operation.
status: experimental
date: 2026-05-03
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        # Sigma path fragments use a single backslash; '\\' would only match a literal double backslash
        ParentProcessName|endswith: '\inetsrv\w3wp.exe'
        NewProcessName|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate Exchange administration
level: high
tags:
    - attack.initial_access
    - cve.2023-21529
    - fulcrumsec
---
title: SmarterMail Unrestricted File Upload Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects suspicious file upload patterns to SmarterMail endpoints indicative of CVE-2025-52691 exploitation.
status: experimental
date: 2026-05-03
author: Security Arsenal
logsource:
    category: webserver
    # Field names follow the IIS W3C Extended log format
detection:
    selection_uri:
        cs-uri-stem|contains:
            - '/Services/MailBox.asmx'
            - '/MRS/Proxy'
    selection_method:
        cs-method: 'POST'
    selection_ext:
        cs-uri-query|contains:
            - '.aspx'
            - '.ashx'
    filter:
        # The Host header is client-supplied; list only the FQDNs this server legitimately serves
        cs-host|endswith: '.smartermail.com'
    condition: selection_uri and selection_method and selection_ext and not filter
falsepositives:
    - Legitimate webmail access
level: critical
tags:
    - attack.initial_access
    - cve.2025-52691
    - fulcrumsec
---
title: Ransomware Lateral Movement via WMI (FULCRUMSEC)
id: b2c3d4e5-6789-01ab-cdef-234567890abc
description: Detects lateral movement via WMI, a common FULCRUMSEC technique for internal spread. On the target host the WMI provider host (wmiprvse.exe) spawns a command interpreter; on the source host PowerShell invokes Win32_Process through Invoke-CimMethod.
status: experimental
date: 2026-05-03
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection_target:
        EventID: 4688
        ParentProcessName|endswith: '\wmiprvse.exe'
        NewProcessName|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_source:
        EventID: 4688
        NewProcessName|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        # Both terms must appear in the same command line
        CommandLine|contains|all:
            - 'Invoke-CimMethod'
            - 'Win32_Process'
    condition: selection_target or selection_source
falsepositives:
    - System administration scripts
level: high
tags:
    - attack.lateral_movement
    - attack.t1047
    - fulcrumsec
KQL (Microsoft Sentinel)
Hunt for indicators of data staging and pre-encryption activity associated with FULCRUMSEC.
DeviceProcessEvents
| where Timestamp > ago(7d)
// The process image column in DeviceProcessEvents is FileName; there is no ProcessName column
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "bcdedit.exe")
// Shadow copy or backup catalog deletion, or Windows recovery being disabled via bcdedit
| where (ProcessCommandLine contains "delete" and (ProcessCommandLine contains "shadow" or ProcessCommandLine contains "catalog"))
    or ProcessCommandLine contains "recoveryenabled"
| extend DeviceCustom = parse_json(AdditionalFields)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath, DeviceCustom
| order by Timestamp desc
PowerShell Rapid Response
Script to identify scheduled tasks created in the last 7 days, often used by FULCRUMSEC for persistence.
# Check for Scheduled Tasks created or run in the last 7 days
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | ForEach-Object {
    $Task = $_
    $TaskInfo = $Task | Get-ScheduledTaskInfo
    # $Task.Date is a string (and empty for many built-in tasks); cast it before comparing,
    # otherwise PowerShell compares it to the DateTime cutoff as a string
    $Created = if ($Task.Date) { [datetime]$Task.Date } else { $null }
    if ($TaskInfo.LastRunTime -gt $DateCutoff -or ($null -ne $Created -and $Created -gt $DateCutoff)) {
        [PSCustomObject]@{
            TaskName    = $Task.TaskName
            TaskPath    = $Task.TaskPath
            LastRunTime = $TaskInfo.LastRunTime
            DateCreated = $Created
            Author      = $Task.Author
            # Each action's program together with its arguments
            Actions     = (($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ', ')
        }
    }
} | Sort-Object DateCreated -Descending
Incident Response Priorities
T-Minus Detection Checklist:
- Exchange/IIS Logs: Immediate review of Exchange Unified Logging or IIS logs for HTTP 500 errors and anomalous POST requests to /ecp/ or /owa/ matching CVE-2023-21529 patterns.
- SmarterMail Audit: If applicable, search for unauthorized file creation in the web root.
- MFA Gaps: Audit VPN and remote access logs for successful logins without MFA or from impossible travel contexts.
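The IIS log review in the checklist above and the SmarterMail Sigma rule in the Detection Engineering section both reduce to a pass over IIS W3C Extended logs. The following Python is an added example, not code from the report, from Microsoft or from SmarterTools: it parses the `#Fields:` directive so column order does not matter, then applies two checks drawn from the text (POSTs to the SmarterMail endpoints with an .aspx/.ashx name in the query string, and POSTs to /ecp/ or /owa/ answered with HTTP 500) and summarises hits per client IP. The log lines, IPs and hostname are constructed. It deliberately does not exclude entries by `cs-host`, since the Host header is supplied by the client.

```python
"""Triage of IIS W3C Extended logs for the web-facing indicators in this report.

Added example; not from the report and not vendor code. The log text below is
constructed for the example, as are the client IPs and the hostname.
"""
from collections import Counter

SMARTERMAIL_PATHS = ("/services/mailbox.asmx", "/mrs/proxy")
UPLOAD_EXTENSIONS = (".aspx", ".ashx")
EXCHANGE_PATHS = ("/ecp/", "/owa/")


def parse_iis_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_smartermail_upload(entry):
    """POST to a SmarterMail endpoint with a script-file name in the query string."""
    uri = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    return (entry.get("cs-method") == "POST"
            and any(p in uri for p in SMARTERMAIL_PATHS)
            and any(ext in query for ext in UPLOAD_EXTENSIONS))


def is_exchange_post_error(entry):
    """POST to /ecp/ or /owa/ that the server answered with HTTP 500."""
    uri = entry.get("cs-uri-stem", "").lower()
    return (entry.get("cs-method") == "POST"
            and entry.get("sc-status") == "500"
            and any(p in uri for p in EXCHANGE_PATHS))


def triage(text):
    """Return {check_name: {client_ip: hit_count}} over all parsed entries."""
    findings = {"smartermail_upload": Counter(), "exchange_post_500": Counter()}
    for entry in parse_iis_w3c(text):
        ip = entry.get("c-ip", "?")
        if is_smartermail_upload(entry):
            findings["smartermail_upload"][ip] += 1
        if is_exchange_post_error(entry):
            findings["exchange_post_500"][ip] += 1
    return {name: dict(counter) for name, counter in findings.items()}


# Constructed sample log; the last line is deliberately short one column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-host
2026-05-01 02:14:07 203.0.113.10 POST /Services/MailBox.asmx name=test.aspx 200 mail.example.com
2026-05-01 02:14:09 203.0.113.10 POST /Services/MailBox.asmx name=test.aspx 200 mail.example.com
2026-05-01 02:15:30 198.51.100.7 GET /Services/MailBox.asmx - 200 mail.example.com
2026-05-01 03:01:11 203.0.113.10 POST /owa/auth.owa - 500 mail.example.com
2026-05-01 03:01:12 203.0.113.10 POST /ecp/ - 500 mail.example.com
2026-05-01 03:05:00 198.51.100.7 POST /owa/auth.owa - 302 mail.example.com
2026-05-01 03:06:00 198.51.100.9 GET /owa/ - 200
"""

if __name__ == "__main__":
    for check, per_ip in triage(SAMPLE_LOG).items():
        print(check, per_ip)
```

Run against a real log directory, the per-IP counts are the first thing to pivot on: a single source producing both SmarterMail upload attempts and 500s on /owa/ within minutes is the pattern the checklist asks analysts to look for.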
Critical Assets for Exfiltration: FULCRUMSEC historically prioritizes:
- Customer PII databases (common in Healthcare/Business Services victims).
- Intellectual Property (Technology sector).
- Financial records and payment card data.
Containment Actions:
- Isolate systems identified as processing SmarterMail or Exchange requests immediately.
- Revoke credentials for accounts that have logged into VPN/Email from the geographic locations of recent known FULCRUMSEC victims (MX, IN, CO) if business justification is absent.
- Segment backups to prevent wipe-out via vssadmin.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Apply patches for CVE-2023-21529 (Exchange) and CVE-2025-52691 / CVE-2026-23760 (SmarterMail) immediately.
- Disable Unnecessary Services: If SmarterMail or Exchange is not required to be internet-facing, move it behind a VPN immediately.
- Audit Firewall Management: Ensure Cisco FMC (CVE-2026-20131) interfaces are not accessible from the public internet.
Short-term (2 Weeks)
- Network Segmentation: Implement strict Zero Trust controls separating mail infrastructure from domain controllers and backup servers.
- Web Application Firewall (WAF): Deploy signatures to block known exploit paths for Exchange and SmarterMail deserialization attacks.