Overview
The FortiBleed campaign has evolved from a credential‑harvesting operation into a ransomware‑linked intrusion chain, connecting stolen Fortinet FortiGate VPN credentials directly to INC Ransom and Lynx Ransomware deployments. According to SOCRadar, this marks the first verified case where mass FortiGate credential theft has been operationalized for ransomware attacks.

How FortiBleed Works
The campaign systematically scans the internet for exposed Fortinet devices and tries previously stolen or leaked credential combinations against their login portals (credential stuffing). Once inside, the attackers deploy a custom packet sniffer written in Go to harvest further authentication data from network traffic.
Key findings from SOCRadar’s report:
- 11,250 FortiGate portals scanned across 150+ countries.
- 409 admin‑level accesses confirmed.
- 354 successful attack chains completed.
- 12 ransomware deployments resulting in hundreds of encrypted endpoints.
In total, SOCRadar says the operation targeted 430,000 FortiGate firewalls worldwide and collected more than 110 million credentials.
Linking to INC and Lynx Ransomware
SOCRadar discovered that an operator with access to FortiBleed infrastructure was logged into both INC Ransom and Lynx negotiation panels, with victim lists overlapping between campaign data and ransomware records.
This connection was established through one of 200 newly identified servers associated with FortiBleed, which contained internal files, logs, and documentation linking credential theft to ransomware deployment.
The operator appears to be a Russian‑speaking threat actor acting as an initial access broker, selling compromised credentials to ransomware groups.
Organizational Structure and Scope
SOCRadar’s analysis revealed an organized operation of around 20 individuals, divided into roles:
- Lead operators conduct high‑impact intrusions.
- Specialists and support staff manage tooling and data collection.
- Infrastructure teams maintain servers and credential repositories.
Targeted industries include:
- Manufacturing
- Technology
- Logistics
Victims are concentrated in Latin America and the Asia‑Pacific region.
Additional Threat Activity
Parallel to FortiBleed, eSentire reported exploitation of a Fortinet FortiClient EMS flaw (CVE‑2026‑35616, CVSS 9.1) to deploy the EKZ Stealer information stealer. This malware harvests credentials from Chromium‑based browsers and Firefox, exfiltrating them via PowerShell scripts.
The presence of a Nextcloud zero‑day within FortiBleed’s toolset further suggests a multi‑vector strategy for credential harvesting and network penetration.
Defensive Recommendations
Organizations using Fortinet products should act immediately:
- Patch FortiGate firewalls and FortiClient EMS servers to close the known vulnerabilities.
- Rotate VPN and administrator credentials, assuming any credential that was valid on an exposed device may already be in the attackers' hands, and enforce multi‑factor authentication on both VPN and admin logins.
- Hunt for the packet sniffer on hosts rather than in traffic: a passive sniffer produces little on the wire, so look for unexpected Go binaries and for interfaces switched into promiscuous mode.
- Audit FortiGate VPN and admin login logs for logins from unfamiliar source addresses, for one address failing against many accounts and then succeeding, and for the same account logging in from several networks.
- Segment critical systems from the VPN user network so that a stolen VPN credential does not translate directly into ransomware deployment.
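The log audit above can be turned into a simple detection. The following is an added example, not code from SOCRadar or Fortinet: it parses FortiGate‑style `key="value"` SSL‑VPN event lines and flags three patterns the FortiBleed chain would produce, namely one source address failing against many different accounts (password spraying / credential stuffing), a successful `tunnel-up` from an address that had just failed against several accounts (a stuffing hit), and one account succeeding from several source addresses (possible credential reuse by a second party). The sample lines are constructed for the example; the field names follow the FortiGate key=value convention, but exact field names and `action` values vary between FortiOS versions, so check them against your own logs before deploying.

```python
"""Flag credential-stuffing and credential-reuse patterns in FortiGate SSL-VPN event logs.

Added example (not from SOCRadar or Fortinet). SAMPLE_LOGS is constructed to
resemble FortiGate key="value" event lines; field names and action values are
assumed and should be checked against the FortiOS version in use.
"""
import re
from collections import defaultdict

# Constructed sample log lines (RFC 5737 documentation addresses, not real captures).
SAMPLE_LOGS = """\
date=2026-04-20 time=08:01:10 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="alice" remip="203.0.113.10" msg="SSL user failed to logged in"
date=2026-04-20 time=08:01:12 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="bob" remip="203.0.113.10" msg="SSL user failed to logged in"
date=2026-04-20 time=08:01:14 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="carol" remip="203.0.113.10" msg="SSL user failed to logged in"
date=2026-04-20 time=08:01:16 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="dave" remip="203.0.113.10" msg="SSL user failed to logged in"
date=2026-04-20 time=08:01:18 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="erin" remip="203.0.113.10" msg="SSL user failed to logged in"
date=2026-04-20 time=08:01:25 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="dave" remip="203.0.113.10" msg="SSL tunnel established"
date=2026-04-20 time=08:30:00 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip="198.51.100.7" msg="SSL tunnel established"
date=2026-04-20 time=09:10:00 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip="192.0.2.44" msg="SSL tunnel established"
date=2026-04-20 time=09:15:00 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="alice" remip="198.51.100.7" msg="SSL user failed to logged in"
date=2026-04-20 time=09:15:30 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip="198.51.100.7" msg="SSL tunnel established"
""".splitlines()

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one FortiGate-style log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields


def analyze(lines, spray_threshold: int = 3) -> dict:
    """Return suspicious patterns found in the given log lines.

    spray_threshold: number of distinct accounts one source address must fail
    against before it is treated as a spraying/stuffing source (assumed value).
    """
    events = [parse_line(line) for line in lines]
    events = [e for e in events if e.get("subtype") == "vpn"]
    # Process in time order; the sample is already ordered but real exports may not be.
    events.sort(key=lambda e: (e.get("date", ""), e.get("time", "")))

    failed_users_by_ip = defaultdict(set)   # remip -> accounts it failed against
    success_ips_by_user = defaultdict(set)  # user -> addresses it logged in from
    stuffing_hits = []                      # (user, remip) successes after a spray

    for e in events:
        ip, user, action = e.get("remip"), e.get("user"), e.get("action")
        if action == "ssl-login-fail":
            failed_users_by_ip[ip].add(user)
        elif action == "tunnel-up":
            # A success from an address that already failed against many accounts
            # is the signature of a credential-stuffing hit, not a typo.
            if len(failed_users_by_ip.get(ip, ())) >= spray_threshold:
                stuffing_hits.append((user, ip))
            success_ips_by_user[user].add(ip)

    return {
        "spray_sources": sorted(
            ip for ip, users in failed_users_by_ip.items() if len(users) >= spray_threshold
        ),
        "stuffing_hits": stuffing_hits,
        "multi_source_users": sorted(
            u for u, ips in success_ips_by_user.items() if len(ips) >= 2
        ),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

On the sample input the script reports `203.0.113.10` as a spraying source, the `dave` login from that address as a stuffing hit, and `alice` as an account seen from two networks. The third signal is a triage lead rather than an alert on its own (roaming users trip it too); the first two are the ones that should page someone, and the thresholds should be tuned to the size of the user base.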
Expert in the Cloud Insight
FortiBleed demonstrates how credential theft has become the new currency of ransomware operations. By linking stolen FortiGate credentials to INC and Lynx deployments, attackers are turning network access into instant profit.
For security leaders, the lesson is clear: VPN credentials are now ransomware entry points. Continuous exposure management, credential rotation, and real‑time threat intelligence are essential to stay ahead of these hybrid campaigns.