Ransomware Attack on The Fulcrum Group
Incident Date: May 16, 2024
Overview
Title: Ransomware Attack on The Fulcrum Group
Victim: The Fulcrum Group
Attacker: Cactus
Location:
First Reported: May 16, 2024
Victim Overview
The Fulcrum Group, a managed IT services provider based in the Dallas-Fort Worth area, was targeted by a ransomware attack orchestrated by the cybercriminal group known as Cactus. The company operates in the Business Services sector, offering project management, business consulting, and professional development services. The Fulcrum Group stands out in its industry for its innovative services, including STAR Power, which aligns technology standards with clients' business goals. The company's reported revenue is $2.1M.
Attack Overview
The ransomware attack on The Fulcrum Group by the Cactus group involved the exfiltration of 57 GB of data, and a sample of the compromised data was leaked. Specific details about the ransom demand were not provided; the method of compromise was ransomware.
Ransomware Group - Cactus
The Cactus ransomware group, known for exploiting vulnerabilities and leveraging malvertising lures, operates as a ransomware-as-a-service (RaaS) operation. The group distinguishes itself by employing unique encryption techniques to avoid detection, such as changing file extensions before and after encryption. Cactus ransomware has been observed targeting organizations of all sizes across various industries, demonstrating a sophisticated understanding of cyber threats.
Attack Vector
The ransomware group, Cactus, likely penetrated The Fulcrum Group's systems through vulnerabilities or misconfigurations that allowed for initial access. The group has been known to exploit vulnerabilities like ZeroLogon (CVE-2020-1472) to gain domain administrator access. Additionally, Cactus ransomware affiliates use custom scripts to disable security tools and distribute the ransomware, allowing them to move laterally in the environment and evade detection.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time tracking of ransomware attacks, groups, and their victims. Given threat actors' overarching, lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.