The Register
FortiBleed Campaign Links Two Ransomware Gangs: INC and Lynx
Article Content
The FortiBleed campaign has been linked to two ransomware groups, INC Ransom and Lynx, following an investigation by SOCRadar’s Threat Research Unit. Researchers discovered that a member of the initial access broker group was logged into both ransomware affiliate panels, indicating a direct connection between the credential theft and ransomware deployment. The campaign targeted over 430,000 Fortinet firewalls, with confirmed admin-level access on 409 targets. The attackers exploited SSL VPN authentication hashes, using a 45-GPU cluster to crack them and gain access to victims' Active Directory environments. This integration of credential theft into ransomware operations raises the threat level for organizations using FortiGate infrastructure. The attack was disclosed on June 17, 2026, and is characterized as a significant escalation in the ransomware economy.
Key Points:
• FortiBleed campaign linked to INC and Lynx ransomware groups.
• Over 430,000 firewalls targeted, with admin access confirmed on 409.
• Attackers exploited SSL VPN authentication hashes using a 45-GPU cluster.