FortiBleed Campaign Linked to Inc and Lynx Ransomware Operations
What happened
New research from SOCRadar has uncovered a direct connection between the threat actors behind the FortiBleed campaign and the Inc Ransom and Lynx ransomware groups, raising concerns that compromised organizations could now face ransomware attacks in addition to credential theft.
The FortiBleed campaign was first identified after security consultant Volodymyr “Bob” Diachenko discovered attacks targeting vulnerable Fortinet FortiGate firewalls. SOCRadar later determined that the campaign had compromised thousands of devices by installing a Golang-based sniffer that turned firewalls into credential-stealing tools.
In its latest findings, SOCRadar says it discovered evidence that an operator associated with the FortiBleed infrastructure was actively logged into the ransom negotiation panels of both Inc Ransom and Lynx. Researchers also uncovered internal files showing victim tracking, compromised credentials, network access, and ransomware deployment status.
According to SOCRadar, attackers achieved administrator-level access on 409 organizations. In 354 of those cases, they successfully completed the attack chain, including VPN compromise, domain controller access, and domain administrator privileges. Researchers confirmed at least 12 ransomware deployments that resulted in hundreds of encrypted endpoints.
SOCRadar Chief Information Security Officer Ensar Seker said the company believes the FortiBleed operators function as an initial access broker, supplying compromised environments to ransomware groups rather than conducting the ransomware attacks themselves.
The report also revealed that the group may be exploiting an undisclosed zero-day vulnerability affecting Nextcloud to expand access to additional targets. Nextcloud said it has not yet received a vulnerability report but would investigate and address any confirmed issues.
Who is affected
The campaign initially scanned approximately 430,000 FortiGate firewalls worldwide. SOCRadar estimates that around 12,000 devices remain infected with the credential-stealing malware, while earlier research suggested the attackers had harvested credentials from more than 30,000 devices.
Organizations using exposed or unpatched FortiGate firewalls are at the highest risk. Victims may already have compromised administrator credentials, creating opportunities for lateral movement, data theft, extortion, and ransomware deployment.
Why CISOs should care
The latest findings suggest that compromised firewall credentials are no longer simply an espionage or credential theft issue. They may serve as the first stage of a ransomware attack.
The involvement of an initial access broker demonstrates how specialized cybercriminal groups increasingly work together. One group gains access, while another monetizes that access through ransomware or extortion. This division of labor can shorten the time between initial compromise and business disruption.
The reported use of a possible Nextcloud zero-day also highlights that attackers continue to expand their access methods beyond a single technology platform.
3 practical actions
Immediately audit all FortiGate firewalls for signs of compromise, apply the latest security updates, and rotate administrator credentials if exposure is suspected.
Review VPN, domain controller, and privileged account activity for evidence of unauthorized access or lateral movement originating from firewall infrastructure.
Strengthen monitoring of internet-facing systems, including Nextcloud deployments, and prepare incident response teams for potential ransomware activity following credential theft.

