FortiBleed's Credential Theft Linked to Ransomware Gangs

Researchers reveal FortiBleed's connections to ransomware groups, posing greater risks for affected organizations.

ThreatVectr Newsdesk· 2 min read
A digital representation of a firewall with a menacing shadow of a lock looming over it, symbolizing the threat of ransomware
Share

Key points

  • SOCRadar connects FortiBleed with ransomware groups Inc Ransom and Lynx as of July 2026.
  • The campaign targeted 430,000 FortiGate devices globally, compromising 12,000 firewalls.
  • SOCRadar found 409 targets with admin-level access from the FortiBleed attack.

Cybersecurity researchers have uncovered that the FortiBleed campaign, initially known for stealing login details, is now working alongside ransomware groups. This development increases the danger for the thousands of organizations already hit by FortiBleed. SOCRadar, a cybersecurity firm, connected FortiBleed to two notorious ransomware groups, Inc Ransom and Lynx, after finding shared infrastructure used in ransom demands.

The hackers behind FortiBleed initially broke into Fortinet FortiGate firewalls, devices meant to protect networks from online threats. They used a tool written in a programming language called Golang to turn these firewalls into tools that steal login information. Although the campaign targeted 430,000 devices worldwide, the hackers managed to plant their tool on about 12,000 of these firewalls.

How did the hackers get in?

The FortiBleed attackers exploited weaknesses in Fortinet FortiGate firewalls to gain initial access. Once inside, they stole login credentials, letting them break further into the networks. The SOCRadar team uncovered detailed logs showing how the hackers moved through the networks and even discovered that some of these networks later faced ransomware attacks.

SOCRadar's research revealed that these attackers achieved high-level access on 409 targets and completed a full attack process on 354 of them. This process included breaking into secure areas like the domain controller, which manages access to multiple users and computers.

Interestingly, the research also hinted at another potential security flaw, unrelated to FortiGate, involving a software called Nextcloud. This flaw, known as a zero-day because it was previously unknown, was reportedly being used to further expand the hackers' access.

SOCRadar emphasized that, while they haven't seen widespread ransomware attacks directly linked to FortiBleed yet, the access pathways created by it are ripe for exploitation. It suggests that the hackers behind FortiBleed are likely selling access to these compromised networks to other criminal groups.

As these developments unfold, organizations using FortiGate firewalls should be on high alert for any unusual activity and consider reviewing their security protocols to prevent potential breaches and ransomware attacks.

© 2026 Threat Vectr