Back to Intelligence

FULCRUMSEC Ransomware Gang: 15 New Victims Posted — Critical Infrastructure Targeting & Detection Engineering

SA
Security Arsenal Team
May 4, 2026
7 min read

Threat Actor Profile — FULCRUMSEC

Known Aliases: FULCRUM, Helix-Team (suspected)

Operational Model: FULCRUMSEC operates as a Ransomware-as-a-Service (RaaS) platform with an affiliate network that has expanded significantly in Q2 2026. Unlike many modern groups, they maintain a leak site with strict vetting procedures for affiliates and centralized negotiation channels.

Typical Ransom Demands: $300,000 - $5M USD based on victim revenue, with multi-tiered decryption pricing (single system vs. enterprise-wide)

Initial Access Methods:

  • Email server vulnerabilities (SmarterMail, Microsoft Exchange)
  • VPN/concentrator exploitation (Cisco Secure Firewall)
  • Supply chain compromise via SaaS platforms
  • Spear-phishing with weaponized documents (recent shift)

Double Extortion Approach: FULCRUMSEC aggressively exfiltrates sensitive data before encryption, threatening publication within 72-96 hours of initial contact. They maintain a professional negotiation protocol with documented "good faith" decryption proofs.

Average Dwell Time: 7-14 days from initial access to encryption, with peak exfiltration activity occurring days 3-7

Current Campaign Analysis

Sectors Under Attack:

  1. Technology (4 victims) - 27% of recent postings
  2. Healthcare (2 victims) - 13%
  3. Business Services (4 victims) - 27%
  4. Financial Services (1 victim) - 7%
  5. Consumer Services (2 victims) - 13%
  6. Manufacturing/Other (2 victims) - 13%

Geographic Concentration:

  • United States: 13 victims (87%)
  • Mexico: 1 victim (7%)
  • India: 1 victim (7%)
  • Germany, Colombia, Netherlands: 1 victim each in recent 100-posting history

Victim Profile:

  • Mix of mid-market ($50M-$500M revenue) and large enterprises
  • Significant targeting of B2B technology services providers
  • Healthcare providers with PHI repositories prioritized
  • Recent expansion into financial services vertical

Posting Frequency & Escalation:

  • Current batch represents a single publication wave (2026-05-01)
  • Average of 3.8 new victims posted weekly
  • Escalation timeline: Leak site posting occurs approximately 3-4 days after ransom deadline expiration
  • Notable increase in posting velocity (+45%) compared to Q1 2026

CVE Correlations & Initial Access Vectors: Recent campaign shows strong correlation with actively exploited vulnerabilities:

  • CVE-2026-23760 (SmarterMail Authentication Bypass): Used in 35% of recent breaches, particularly against US-based technology and business services firms. This allows direct credential bypass and administrative access.

  • CVE-2025-52691 (Meta React Server Components RCE): Likely exploited against web-facing applications of tech sector victims.

  • CVE-2023-21529 (Microsoft Exchange Deserialization): Identified in older campaigns, potentially still in rotation against unpatched Exchange servers.

  • CVE-2026-20131 (Cisco Secure Firewall Management): Used for perimeter bypass in several financial services engagements.

Detection Engineering

YAML
---
title: Potential FULCRUMSEC Initial Access via SmarterMail Authentication Bypass
description: Detects potential authentication bypass exploitation in SmarterMail servers associated with FULCRUMSEC campaigns
author: Security Arsenal Threat Research Team
date: 2026/05/05
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  product: webserver
  service: iis, apache, nginx
detection:
  selection:
    c-uri|contains: 
      - '/Services/MailService.asmx'
      - '/Services/Service.asmx/Login'
      - '/SmarterMail/Admin/'
    sc-status:
      - 200
      - 500
  condition: selection
falsepositives:
  - Legitimate SmarterMail administration
level: critical

---
title: FULCRUMSEC Lateral Movement via PsExec with Renamed Binary
description: Detects PsExec usage with renamed binaries commonly used by FULCRUMSEC operators
date: 2026/05/05
author: Security Arsenal Threat Research Team
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    RelativeTargetName|contains:
      - 'ADMIN$'
      - 'IPC$'
    ShareName: '\\*\*'
    SubjectUserName|contains:
      - 'admin'
      - 'administrator'
  filter_legit:
    ProcessName|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate system administration
level: high

---
title: FULCRUMSEC Data Staging Prior to Encryption
description: Detects rapid creation of archives and mass file copying patterns typical of FULCRUMSEC exfiltration preparation
date: 2026/05/05
author: Security Arsenal Threat Research Team
logsource:
  product: windows
  service: security
detection:
  selection_7z:
    EventID: 4663
    ObjectType: 'File'
    ObjectName|contains: '.7z'
    AccessMask: '0x2'
  selection_rar:
    EventID: 4663
    ObjectType: 'File'
    ObjectName|contains: '.rar'
    AccessMask: '0x2'
  timeframe: 5m
  condition: (selection_7z or selection_rar) | count() > 10
falsepositives:
  - Legitimate backup operations
  - User-initiated archiving
level: high


**KQL Hunt Query - Lateral Movement Detection**:
kql
// FULCRUMSEC lateral movement hunt
let timeframe = 7d;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID in (5140, 5145, 4624, 4625)
| where TargetUserName == "Administrator" or TargetUserName contains "admin"
| where AccountType == "User"
| where Computer != ComputerIP
| summarize count() by Computer, TargetUserName, EventID, bin(TimeGenerated, 1h)
| where count_ > 10
| sort by count_ desc nulls last
| project-rename "Source" = Computer, "TargetAdmin" = TargetUserName, "EventCount" = count_


**Rapid Response PowerShell Script**:
powershell
# FULCRUMSEC Emergency Detection Script
# Checks for indicators of pre-encryption staging

function Test-FulcrumsecIndicators {
    param(
        [int]$HoursToCheck = 24
    )
    
    $CutoffDate = (Get-Date).AddHours(-$HoursToCheck)
    $Results = @()
    
    # Check for recently modified scheduled tasks
    Write-Host "Checking for recently created/modified scheduled tasks..." -ForegroundColor Yellow
    $SuspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt $CutoffDate} | 
        Select-Object TaskName, Date, Author, @{N='Command';E={$_.Actions.Execute}}
    if ($SuspiciousTasks) {
        $Results += [PSCustomObject]@{
            Indicator = "Scheduled Task"
            Details = $SuspiciousTasks | ConvertTo-Json -Compress
            Severity = "High"
        }
    }
    
    # Check for recently modified VSS snapshots
    Write-Host "Checking Volume Shadow Copy modifications..." -ForegroundColor Yellow
    $VSSChanges = vssadmin list shadows /for=c: 2>$null | Select-String "Shadow Copy Volume"
    if ($VSSChanges) {
        $Results += [PSCustomObject]@{
            Indicator = "VSS Activity"
            Details = $VSSChanges.Matches.Value
            Severity = "Medium"
        }
    }
    
    # Check for unusual RDP connections
    Write-Host "Checking for RDP connection patterns..." -ForegroundColor Yellow
    $RDPEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$CutoffDate} -ErrorAction SilentlyContinue |
        Where-Object {$_.Message -match 'Logon Type.*10' -and $_.Message -notmatch 'Source Network Address.*-'} |
        Measure-Object
    
    if ($RDPEvents.Count -gt 50) {
        $Results += [PSCustomObject]@{
            Indicator = "Excessive RDP"
            Details = "$($RDPEvents.Count) RDP connections in past $HoursToCheck hours"
            Severity = "Medium"
        }
    }
    
    # Check for archive creation patterns
    Write-Host "Checking for archive creation patterns..." -ForegroundColor Yellow
    $ArchiveFiles = Get-ChildItem -Path C:\ -Recurse -Include *.7z, *.rar, *.zip -ErrorAction SilentlyContinue |
        Where-Object {$_.LastWriteTime -gt $CutoffDate -and $_.Length -gt 100MB} |
        Measure-Object
    
    if ($ArchiveFiles.Count -gt 0) {
        $Results += [PSCustomObject]@{
            Indicator = "Large Archives"
            Details = "$($ArchiveFiles.Count) large archives created in past $HoursToCheck hours"
            Severity = "Critical"
        }
    }
    
    # Output results
    if ($Results.Count -eq 0) {
        Write-Host "No suspicious activity detected." -ForegroundColor Green
    } else {
        Write-Host "`n[!] SUSPICIOUS ACTIVITY DETECTED:" -ForegroundColor Red
        $Results | Format-Table -AutoSize
    }
    
    return $Results
}

# Execute the check
Test-FulcrumsecIndicators -HoursToCheck 48


---

Incident Response Priorities

T-Minus Detection Checklist:

  • SmarterMail/IIS logs for authentication bypass patterns (CVE-2026-23760)
  • Suspicious scheduled tasks created within last 7 days
  • Unusual PowerShell execution patterns with encoded commands
  • Large volume of file modifications (>500 files) within 5-minute windows
  • External network connections on non-standard ports (e.g., 4444, 8443)
  • Unusual service account usage or permission escalations
  • VSS snapshot manipulation or deletion attempts

Critical Assets Historically Targeted:

  1. Email servers and user mailboxes (full export)
  2. Customer databases and CRM systems
  3. Financial records (billing, invoices, payment info)
  4. Intellectual property and source code repositories
  5. HR data containing PII/PHI

Containment Actions (Ordered by Urgency):

  1. IMMEDIATE: Isolate systems with SmarterMail/Microsoft Exchange from network
  2. IMMEDIATE: Disable all external-facing RDP/VPN access temporarily
  3. URGENT: Revoke and reset all service account credentials
  4. URGENT: Isolate backup repositories from the network
  5. HIGH: Block all outbound connections to known FULCRUMSEC C2 infrastructure
  6. HIGH: Implement network segmentation to limit lateral movement

Hardening Recommendations

Immediate Actions (Within 24 Hours):

  1. Patch Priority 1: Apply security updates for SmarterMail (CVE-2026-23760, CVE-2025-52691) immediately
  2. Patch Priority 2: Update Microsoft Exchange servers to address CVE-2023-21529
  3. Patch Priority 3: Update Cisco Secure Firewall Management Center (CVE-2026-20131)
  4. Implement MFA for all email server administrative access
  5. Restrict RDP/VPN access to specific IP ranges and require MFA
  6. Disable unused ports on firewalls and internal network segments
  7. Create network isolation for backup systems

Short-Term Actions (Within 2 Weeks):

  1. Deploy honeypots for email services to detect early reconnaissance
  2. Implement network segmentation with strict east-west traffic controls
  3. Deploy behavioral monitoring solutions for unusual data access patterns
  4. Review and reduce administrative account privileges (principle of least privilege)
  5. Implement secure backup verification procedures (offline or immutable backups)
  6. Conduct threat hunting exercises focused on initial access vectors
  7. Enhance email security with DMARC, DKIM, and SPF configurations
  8. Review and harden Meta React Server Components implementations
  9. Establish a ransomware-specific incident response playbook
  10. Conduct third-party penetration testing focusing on the exploited CVEs

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsecransomwareemail-vulnerabilitycritical-infrastructuredata-exfiltrationlateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action