
FORTIBLEED, a credential-harvesting campaign targeting FortiGate firewalls, has been linked to a worldwide surge of INC Ransom and Lynx infections, according to SecurityWeek. The operation has already affected organisations across dozens of sectors and regions.
Research from SOCRadar's Threat Research Unit shows that more than 430,000 devices in 150 countries have had credentials exposed, with attackers using a tool named FortigateSniffer to capture authentication traffic without delivering any malicious payload (SOCRadar). Because the tool only observes logins rather than dropping a payload, it lets threat actors harvest usernames and passwords quietly.
The campaign has yielded administrative access on 409 firewalls and full domain compromise on 354, leading to at least a dozen ransomware deployments that have impacted hundreds of endpoints (SecurityAffairs). These figures show how quickly harvested credentials can be converted into domain compromise and destructive ransomware activity.
Researchers observed a single operator managing both the INC Ransom and Lynx panels, which links the stolen FortiGate credentials directly to the ransomware operations. INC Ransom has been active since mid-2023, and Lynx appears to be a later evolution of the same threat.
Defenders should immediately review FortiGate configurations, enforce multi-factor authentication for all administrative accounts, and monitor VPN and SSL-VPN logs for unusual authentication patterns, such as many different usernames arriving from one remote address or administrator logins from unexpected sources. Restricting management interfaces to trusted networks and disabling unused services further limits exposure.
Administrators are also advised to apply the latest Fortinet firmware promptly, consider certificate-based authentication for remote access, and segment critical assets to contain lateral movement after a credential breach. Since the campaign's output is stolen credentials, any account whose password may have transited an affected device should be rotated; patching alone does not invalidate credentials that were already captured. Together these steps reduce the risk of further compromise and ransomware deployment.
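As an added illustration of the log-monitoring step above (example code written for this page, not from SecurityWeek, SOCRadar, SecurityAffairs or Fortinet), the script below parses constructed FortiGate-style key=value event lines and flags three patterns that harvested credentials tend to produce: many distinct usernames authenticating from one remote IP, a successful SSL-VPN tunnel from a source that had just tried several accounts, and an administrator login from outside a trusted management range. The field names, the trusted range 10.0.0.0/8, the spray threshold and the log lines themselves are assumptions, not data from the campaign.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syntax. Field names follow the
# FortiOS event/vpn and event/system log layout as an assumption; none of these lines
# were captured from a real device.
SAMPLE_LOGS = """\
date=2025-06-01 time=08:00:01 type=event subtype=vpn logdesc="SSL VPN login fail" action="ssl-login-fail" user="jdoe" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2025-06-01 time=08:00:03 type=event subtype=vpn logdesc="SSL VPN login fail" action="ssl-login-fail" user="asmith" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2025-06-01 time=08:00:05 type=event subtype=vpn logdesc="SSL VPN login fail" action="ssl-login-fail" user="bwong" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2025-06-01 time=08:00:09 type=event subtype=vpn logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="clee" remip=198.51.100.7
date=2025-06-01 time=08:05:00 type=event subtype=vpn logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="mrivera" remip=203.0.113.20
date=2025-06-01 time=08:10:00 type=event subtype=system logdesc="Admin login successful" action="login" status="success" user="admin" ui="https(198.51.100.7)"
date=2025-06-01 time=08:11:00 type=event subtype=system logdesc="Admin login successful" action="login" status="success" user="admin" ui="https(10.0.0.5)"
"""

# Assumed internal management range; in practice take this from your own network plan.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed threshold: this many distinct accounts from one source is treated as spraying.
SPRAY_THRESHOLD = 3

# key=value pairs, where the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def source_ip(rec):
    """Remote address of the event: remip for VPN events, or the IP inside ui="https(x.x.x.x)"."""
    ip = rec.get("remip")
    if ip is None and "ui" in rec:
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rec["ui"])
        ip = m.group(1) if m else None
    return ip


def analyze(log_text):
    """Return a list of (finding, subject, detail) tuples for the patterns described above."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    users_by_src = defaultdict(set)  # remote IP -> distinct usernames seen on SSL-VPN events
    findings = []

    for r in records:
        if r.get("subtype") == "vpn" and r.get("user"):
            users_by_src[source_ip(r)].add(r["user"])
        # Successful admin login from outside the trusted management range.
        if r.get("subtype") == "system" and r.get("action") == "login" and r.get("status") == "success":
            ip = source_ip(r)
            if ip and not any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS):
                findings.append(("admin_login_untrusted_source", r["user"], ip))

    # One source trying many accounts: typical of replaying harvested credentials.
    sprayed = {ip for ip, users in users_by_src.items() if len(users) >= SPRAY_THRESHOLD}
    for ip in sprayed:
        findings.append(("many_users_one_source", ip, len(users_by_src[ip])))

    # A tunnel that comes up from a spraying source means one of the credentials worked.
    for r in records:
        if r.get("action") == "tunnel-up" and source_ip(r) in sprayed:
            findings.append(("success_after_spray", r["user"], source_ip(r)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

The three checks are deliberately independent of each other, so that an SSL-VPN success from a spraying source is reported even when the admin-login rule never fires; in production the log source would be syslog or FortiAnalyzer output and the trusted range would come from the firewall's own configured admin trusted hosts.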