Back to Intelligence

FULCRUMSEC Ransomware: US-Centric Surge Exploiting Exchange & Firewall Vulnerabilities

SA
Security Arsenal Team
May 5, 2026
6 min read

Threat Actor Profile — FULCRUMSEC

Aliases & Model: FULCRUMSEC operates as a aggressive Ransomware-as-a-Service (RaaS) entity. While relatively new to the ecosystem compared to legacy cartels, their output volume suggests a mature affiliate network.

Tactics & Operations:

  • Ransom Demands: Highly variable, typically ranging from $500k for mid-market entities to multi-million dollar demands for large enterprise targets like Avnet or LexisNexis.
  • Initial Access: This campaign demonstrates a heavy reliance on internet-facing infrastructure exploitation. The group is actively exploiting known CVEs in Microsoft Exchange, Cisco Secure Firewall, and SmarterTools SmarterMail rather than relying solely on phishing or brute-force RDP.
  • Double Extortion: FULCRUMSEC strictly follows the double-extortion playbook, exfiltrating sensitive data (PII, IP, financial records) prior to encryption to leverage negotiation pressure.
  • Dwell Time: Analysis of recent postings suggests an average dwell time of 3–5 days between initial access and encryption, indicating a "smash-and-grab" or automated encryption approach once data staging is complete.

Current Campaign Analysis

Sector Targeting: The recent victim list indicates a pivot towards high-value data repositories.

  • Healthcare: Lena Health, Woundtech (Targeting patient data).
  • Technology: Avnet, ReFocus AI, Hatica, Nordstern Technologies (Targeting IP and proprietary code).
  • Business/Professional Services: LexisNexis, Saleskido, Interzero, Rotary Club (Targeting corporate PII and legal records).
  • Financial Services: MCO.

Geographic Concentration: The campaign is overwhelmingly US-centric, with 11 of the 15 listed victims (approx. 73%) based in the United States. Secondary targets include Mexico, India, Germany, and Colombia, suggesting a scanning strategy that prioritizes English-speaking regions and North American time zones.

Victim Profile:

  • Size: Mix of mid-market (Saleskido, ParkEngage) and large enterprise (Avnet, LexisNexis).
  • Revenue: Estimated revenues range from $10M to over $20B annually.

CVE Correlation & Initial Access Vectors: The inclusion of specific CVEs in the CISA KEV list associated with this group provides clear insight into their ingress vectors:

  1. CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. This allows authenticated attackers to execute code, likely used after credential harvesting or via minor privilege escalation.
  2. CVE-2026-23760 / CVE-2025-52691 (SmarterTools SmarterMail): Auth bypass and unrestricted file upload. This is a critical vector for web shell deployment, likely used against the Technology and Business Services victims running mail servers.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization vulnerability. This grants the threat actor the ability to bypass firewall controls or modify security policies, facilitating lateral movement and C2 traffic obfuscation.

Detection Engineering

SIGMA Rules

YAML
title: Suspicious Microsoft Exchange Deserialization Pattern (CVE-2023-21529)
id: 3f8b3f8b-3f8b-3f8b-3f8b-3f8b3f8b3f8b
description: Detects potential exploitation of Microsoft Exchange Server deserialization vulnerabilities via suspicious w3wp.exe process chains.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\w3wp.exe'
        ParentProcessName|endswith: '\Microsoft.Exchange.Directory.AppPool\w3wp.exe'
    filter_legit:
        CommandLine|contains:
            - 'Microsoft.Exchange.Management'
            - 'MSExchangeHMWorker'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Exchange management tasks
level: high
---
title: SmarterMail Webshell Upload Activity (CVE-2025-52691)
id: a1b2c3d4-a1b2-a1b2-a1b2-a1b2c3d4e5f6
description: Detects the creation of suspicious file extensions in the SmarterMail web root, indicative of an unrestricted file upload vulnerability exploit.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    file_creation:
    TargetFilename|contains: '\Mails\'
    TargetFilename|endswith:
        - '.aspx'
        - '.ashx'
        - '.asmx'
    condition: selection
falsepositives:
    - Legitimate admin updates to SmarterMail
level: critical
---
title: PsExec Lateral Movement Indicator
id: e5f6g7h8-e5f6-e5f6-e5f6-e5f6g7h8i9j0
description: Detects the use of PsExec or similar tools for lateral movement, a common TTP for ransomware gangs prior to encryption.
status: experimental
date: 2026/05/05
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PAExec.exe'
        CommandLine|contains: '\\'
    condition: selection
falsepositives:
    - Legitimate administrative tasks
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential data staging (large file copy operations) and lateral movement
// associated with FULCRUMSEC playbook
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "robocopy.exe", "rclone.exe", "winscp.exe")
| where ProcessCommandLine has_any ("copy", "move", "sync", "compress") 
   or ProcessCommandLine has "/archive"
| summarize count(), arg_max(Timestamp, *) by DeviceName, AccountName, FileName
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

PowerShell - Rapid Response Script

PowerShell
<#
.SYNOPSIS
    FULCRUMSEC Response Script - Checks for suspicious scheduled tasks and recent mass file modifications.
.DESCRIPTION
    This script scans for tasks created in the last 7 days and identifies directories
    with rapid file encryption potential (mass modifications).
#>

Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Scanning for recently modified Volume Shadow Copies (potential tampering)..." -ForegroundColor Cyan
$vss = vssadmin list shadows | Select-String "Shadow Copy Volume"
Write-Output $vss

Write-Host "[+] Checking for common web shells in web roots (IIS)..." -ForegroundColor Cyan
$paths = @("C:\inetpub\wwwroot", "C:\Program Files\SmarterTools\SmarterMail\Mails")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "Scanning $path..."
        Get-ChildItem -Path $path -Recurse -Include *.aspx, *.ashx, *.asmx, *.php | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-48) } | Select-Object FullName, LastWriteTime
    }
}

Incident Response Priorities

T-Minus Detection Checklist:

  1. Web Shell Hunt: Immediately scan IIS logs and SmarterMail directories for POST requests containing anomalous payloads or recent creation of .aspx/.ashx files.
  2. Exchange Auditing: Review Windows Security logs on Exchange servers for logons from unusual IPs or the execution of powershell.exe spawned by w3wp.exe.
  3. Firewall Configs: Audit Cisco FMC configurations for unauthorized rule changes or new user accounts (CVE-2026-20131).

Critical Assets at Risk:

  • Active Directory: FULCRUMSEC targets AD for credential dumping (DCSync).
  • Email Archives: Exfiltration of mailboxes is a priority for Business Services victims.
  • EMR/Patient Databases: High-value targets for Healthcare victims.

Containment Actions:

  1. Isolate: Disconnect infected Exchange/SmarterMail servers from the network immediately.
  2. Revoke: Reset credentials for all admin accounts that have accessed the compromised mail or firewall infrastructure in the last 30 days.
  3. Block: Block inbound and outbound traffic to known C2 infrastructure associated with FULCRUMSEC (check threat intel feeds for specific IPs).

Hardening Recommendations

Immediate (24 Hours):

  • Patch Critical CVEs: Apply patches for CVE-2023-21529 (Exchange), CVE-2026-23760, CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC) immediately.
  • Disable External RDP: Ensure RDP is not exposed to the internet and enforce MFA for all remote access.
  • URL Rewrite Rules: Implement IIS URL Rewrite rules to block common web shell upload patterns.

Short-term (2 Weeks):

  • Network Segmentation: Segregate backup servers from the main network to prevent backup encryption.
  • Zero Trust Architecture: Implement strict validation for all lateral movement attempts (e.g., require Privileged Access Workstations (PAWs) for server administration).
  • EDR Deployment: Ensure EDR agents are running on all mail gateway and perimeter devices.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsecransomwarecve-2023-21529cve-2026-23760healthcareinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action