securityaffairs.com 7/2/2026, 11:11:42 AM · external

FortiBleed Campaign Fuels Ransomware on 430k FortiGate Devices

FortiBleed credential harvesting campaign fuels ransomware attacks
Primary Source: socradar.io
Threat Actor: INC Ransom

SOCRadar's Threat Research Unit has linked the FortiBleed campaign, which has compromised credentials from over 430,000 FortiGate firewalls globally, to active ransomware operations: INC Ransom and Lynx. Using a tool called FortigateSniffer, the attackers intercepted authentication traffic without sending malicious payloads. The campaign has confirmed admin-level access on 409 targets and full domain compromise on 354, leading to at least 12 ransomware deployments.

A significant operational security oversight exposed internal documents connecting the attackers to both ransomware groups. INC Ransom, active since mid-2023, claims numerous breaches; Lynx emerged later as an evolution of INC. The report emphasizes that organizations using FortiGate devices face an immediate risk of ransomware and urges them to assess their exposure.


Article by CyberSIXT
