
FortiBleed exposes link between ransomware gangs


“Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment,” SOC Radar said.

SOC Radar’s STRU mapped infrastructure and found an opsec failure

SOC Radar’s Threat Research Unit (STRU) spent weeks mapping FortiBleed’s infrastructure across hundreds of servers after the attack was disclosed. An operational security failure on one of those servers gave the team access to the initial access broker (IAB) group’s internal files and logs. STRU reports at least one member of a 20-person IAB group was logged into affiliate panels tied to both the INC Ransom and Lynx ransomware groups, and that at least one member was actively negotiating with victims.

How FortiBleed harvested credentials and what was done with them

Disclosed on June 17, FortiBleed did not exploit novel vulnerabilities. According to STRU’s reconstruction, the campaign intercepted SSL VPN authentication hashes, which were then cracked with a 45-GPU cluster hosted by Hashtopolis. Those credentials were used to access victims’ Active Directory environments and establish persistence.

SOC Radar noted Fortinet had introduced PBKDF2 for storing credentials in early 2025, but because the change only took effect after administrators logged back in, many organizations were likely still using SHA-256 with salt—an approach STRU says remained vulnerable to brute-forcing and therefore susceptible to the campaign’s cracking effort.
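To illustrate why a salted SHA-256 verifier stays within reach of a cracking cluster while PBKDF2 does not, here is an added Python example (not from SOC Radar, Fortinet or The Register; the sample password and the iteration count are assumptions) that stores a credential under both schemes, verifies it, and measures how many guesses per second one CPU core can test against each.

```python
import hashlib
import hmac
import os
import time

# Constructed demo inputs; the iteration count is an assumption chosen for
# illustration, not Fortinet's actual PBKDF2 parameter.
DEMO_PASSWORD = b"correct horse battery staple"
PBKDF2_ITERATIONS = 100_000

def salted_sha256(password: bytes, salt: bytes) -> bytes:
    """Legacy scheme: one SHA-256 over salt||password. The salt defeats
    precomputed tables but adds no per-guess work, so throughput is limited
    only by raw hash speed."""
    return hashlib.sha256(salt + password).digest()

def pbkdf2_sha256(password: bytes, salt: bytes) -> bytes:
    """Stretched scheme: each guess costs PBKDF2_ITERATIONS HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)

def store(password: bytes, hash_fn) -> tuple:
    """Return (salt, digest), the verifier kept at rest for this scheme."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)

def verify(password: bytes, salt: bytes, digest: bytes, hash_fn) -> bool:
    """Recompute and compare in constant time."""
    return hmac.compare_digest(hash_fn(password, salt), digest)

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Candidate passwords one CPU core can hash per second under hash_fn."""
    salt, start, count = os.urandom(16), time.perf_counter(), 0
    while time.perf_counter() - start < seconds:
        hash_fn(b"candidate-%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)

def cost_ratio() -> float:
    """How many times more work each guess costs against PBKDF2 than against
    salted SHA-256 on this machine; a GPU cluster scales both, not the ratio."""
    return guesses_per_second(salted_sha256) / guesses_per_second(pbkdf2_sha256)

if __name__ == "__main__":
    for name, fn in (("salted SHA-256", salted_sha256), ("PBKDF2-SHA256", pbkdf2_sha256)):
        salt, digest = store(DEMO_PASSWORD, fn)
        assert verify(DEMO_PASSWORD, salt, digest, fn)
        print(f"{name:15s} {guesses_per_second(fn):12,.0f} guesses/s")
    print(f"PBKDF2 raises the per-guess cost about {cost_ratio():,.0f}x")
```

The practical point for administrators is that the stretched verifier only exists for an account once its password has been re-hashed under the new scheme, which on FortiGate happened on the next login after the change.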

Operational links to INC Ransom and Lynx ransomware

STRU’s examinations tied the IAB group’s internal logs, compromised endpoints, and public claims on INC and Lynx leak sites to the same access infrastructure. The presence of a single operator logged into both ransomware affiliate panels is presented by STRU as direct evidence the harvested FortiGate credentials are not merely collected for resale, but are feeding into active ransomware deployments.

From STRU’s scans of 11,250 Fortinet portals, the team confirmed admin-level access on 409 targets. On 354 of those, attackers carried out the full attack chain—compromising VPNs, accessing domain controllers, and achieving domain admin privileges. STRU linked at least 12 ransomware attacks to FortiBleed victims so far.

Scale of targeting and the list of high-profile targets

Early reports cited in STRU’s work suggested a little more than 73,000 unique firewall URLs were successfully targeted; STRU notes more than 430,000 Fortinet firewalls were targeted overall. Those early reports included a long list of major organizations said to be compromised: FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PwC, Accenture, and Oracle. Investigators also flagged an unnamed Turkish NATO defense contractor after finding signs of classified files being copied.

What this means for FortiGate administrators, procurement leaders, and incident responders

  • FortiGate administrators: STRU’s conclusion that FortiBleed “is not just a credential exposure risk, it is a potential precursor to ransomware” raises the operational stakes for administrators managing FortiGate infrastructure. The linkage to ransomware affiliates means credential exposure can turn quickly into full network compromise.
  • Procurement and enterprise leaders at named organizations: the inclusion of major corporate names and a defense contractor in early reports places reputational and operational pressure on organizations to reconcile how exposed credentials were used after the campaign.
  • Incident responders and threat hunters: STRU’s ability to tie at least 12 ransomware incidents to FortiBleed highlights how an IAB’s internal logs and an opsec failure can provide the chains of evidence needed to map follow-on ransomware activity.

STRU’s work reframes FortiBleed from a mass credential-theft operation into a conduit directly connected to the ransomware economy: intercepted authentication data, cracked at scale, then handed to or used by operators who moved those credentials into affiliate panels tied to active ransomware brands. The immediate tally—hundreds of confirmed admin-level breaches and dozens of linked ransomware incidents—underscores a central fact the investigation produces in plain terms: access harvested from FortiGate infrastructure did not remain theoretical, it was operationalized.

Original reporting at The Register