Ransomware Attack on The Fulcrum Group
Victim Overview
The Fulcrum Group, a managed IT services provider (MSP) based in the Dallas-Fort Worth area, was the victim of a ransomware attack claimed by the cybercriminal group known as Cactus. The company operates in the business services sector, offering project management, business consulting and professional development services; its STAR Power offering aligns technology standards with clients' business goals. Its annual revenue is reported as $2.1M. Because an MSP holds privileged access to its clients' environments, a compromise of this kind carries downstream risk beyond the victim itself, even where, as here, no client impact has been reported.
Attack Overview
Cactus claims to have exfiltrated 57 GB of data from The Fulcrum Group and has leaked a sample of it on its extortion site. No ransom amount has been disclosed. The attack followed the group's usual pattern of combining data theft with ransomware deployment, so that the victim faces both a leak threat and encrypted systems.
Ransomware Group - Cactus
Cactus gains access by exploiting vulnerabilities in internet-facing systems and by luring users through malvertising, and operates as a ransomware-as-a-service (RaaS). Its encryptor is notable for evasion behaviour such as changing file extensions both before and after encryption, which complicates detection rules keyed on a single known ransomware extension. Cactus has targeted organizations of all sizes across many industries.
Attack Vector
The initial access vector in this incident has not been disclosed; Cactus typically gains entry through vulnerabilities or misconfigurations in internet-facing systems. Once inside, the group has been observed exploiting ZeroLogon (CVE-2020-1472), a Netlogon flaw that lets an unauthenticated attacker reset a domain controller's machine account password, to obtain domain administrator privileges. Affiliates also use custom scripts to disable security tools before distributing the ransomware, which lets them move laterally and evade detection.
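The ZeroLogon technique named above leaves recognisable traces in Windows event logs, and a practitioner reading this page would want the corresponding check. The Python below is an added example, not part of Halcyon's writeup and not Cactus tooling; it runs two rules over a handful of constructed event records, since no real logs from this incident are available. The event IDs (Security 4742; System/Netlogon 5827 through 5831, introduced by Microsoft's August 2020 Netlogon hardening updates) and the ANONYMOUS LOGON SID S-1-5-7 are real Windows values; the domain controller names, hostnames and the record layout are assumptions made for the example.

```python
"""Detection sketch for ZeroLogon (CVE-2020-1472) indicators in Windows event data.

Two signals are checked:
  * Security log Event ID 4742 (computer account changed) where the target is a
    domain controller's machine account and the subject is ANONYMOUS LOGON
    (SID S-1-5-7). A successful exploit resets the DC account password over an
    unauthenticated Netlogon channel and produces exactly this combination;
    legitimate machine password rotation is performed by SYSTEM (S-1-5-18).
  * System log Netlogon Event IDs 5827/5828 (a vulnerable secure-channel
    connection was denied) and 5829-5831 (one was allowed by an exception,
    i.e. enforcement is not fully on).
"""
from dataclasses import dataclass, field

# Constructed for this example: the domain's DC machine accounts.
DC_ACCOUNTS = {"DC01$", "DC02$"}
ANONYMOUS_LOGON_SID = "S-1-5-7"

NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}


@dataclass
class Event:
    log: str          # "Security" or "System"
    event_id: int
    provider: str     # e.g. "Microsoft-Windows-Security-Auditing", "NETLOGON"
    data: dict = field(default_factory=dict)


@dataclass
class Finding:
    severity: str
    rule: str
    event: Event


def check_zerologon(events):
    """Return a Finding for every event matching a ZeroLogon rule, in input order."""
    findings = []
    for ev in events:
        if ev.log == "Security" and ev.event_id == 4742:
            target = ev.data.get("TargetUserName", "")
            subject_sid = ev.data.get("SubjectUserSid", "")
            if target in DC_ACCOUNTS and subject_sid == ANONYMOUS_LOGON_SID:
                findings.append(Finding("critical", "dc-password-reset-by-anonymous", ev))
        elif ev.log == "System" and ev.provider == "NETLOGON":
            if ev.event_id in NETLOGON_DENIED:
                findings.append(Finding("high", "vulnerable-netlogon-denied", ev))
            elif ev.event_id in NETLOGON_ALLOWED:
                findings.append(Finding("medium", "vulnerable-netlogon-allowed", ev))
    return findings


# Constructed sample records (hostnames and SIDs are illustrative, not from the incident).
SAMPLE_EVENTS = [
    Event("Security", 4742, "Microsoft-Windows-Security-Auditing",
          {"TargetUserName": "DC01$", "SubjectUserName": "ANONYMOUS LOGON",
           "SubjectUserSid": ANONYMOUS_LOGON_SID}),            # exploit signature
    Event("Security", 4742, "Microsoft-Windows-Security-Auditing",
          {"TargetUserName": "WKSTN7$", "SubjectUserName": "WKSTN7$",
           "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105"}),   # ordinary workstation change
    Event("Security", 4742, "Microsoft-Windows-Security-Auditing",
          {"TargetUserName": "DC01$", "SubjectUserName": "SYSTEM",
           "SubjectUserSid": "S-1-5-18"}),                       # normal DC password rotation
    Event("System", 5805, "NETLOGON", {"Computer": "WKSTN3"}),   # unrelated Netlogon noise
    Event("System", 5827, "NETLOGON", {"Computer": "WKSTN9"}),   # vulnerable connection denied
    Event("System", 5829, "NETLOGON", {"Computer": "PRINTSRV"}), # vulnerable connection allowed
]


def run_demo():
    """Apply the rules to the constructed sample and return the findings."""
    return check_zerologon(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity}] {f.rule}: EventID {f.event.event_id} {f.event.data}")
```

A 5827/5828 hit may be a legacy device rather than an attacker, so it is scored below the 4742 signature, which has no benign explanation on a domain controller. The 5829 through 5831 events do not indicate compromise by themselves, but they show that the Netlogon enforcement that closes CVE-2020-1472 is being bypassed for some account and should be reviewed.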