www.securityweek.com 7/2/2026, 1:01:31 PM · external

FortiBleed Exploits FortiGate, Triggers Worldwide Ransomware Wave

FortiBleed credential harvesting campaign fuels ransomware attacks
Primary Source socradar.io

The FortiBleed operation is a credential-harvesting campaign targeting over 430,000 FortiGate firewalls in 150 countries, leading to the deployment of the INC Ransom and Lynx ransomware families. Discovered in June, it has reportedly compromised over 110 million credentials since February, with attackers gaining administrative access to 409 targets and completing full attack chains on 354. Notably, ransomware deployment has occurred in 12 cases affecting hundreds of endpoints.

SOCRadar observed an operator linked to both ransomware panels, indicating a connection between stolen FortiGate credentials and ransomware activities. The operation involves about 20 individuals focusing on high-impact intrusions and technical support, showcasing the intertwined nature of credential theft and ransomware operations.


Article by CyberSIXT
