Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
NEWS

FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs

Threat actors who exploited the FortiBleed vulnerability to gain persistent access to thousands of Fortinet firewalls are now monetizing that access by...

Dylan H.

News Desk

July 2, 2026
4 min read

Overview

The threat actors behind the FortiBleed campaign — who previously compromised thousands of Fortinet firewall appliances through unpatched vulnerabilities — are now actively monetizing their foothold by collaborating with two ransomware operations: Inc Ransom and Lynx Ransomware. The pivot from access brokerage to direct ransomware deployment marks a significant escalation, and researchers have also observed the group layering an additional Nextcloud zero-day on top of their existing network presence.

Background: The FortiBleed Campaign

The FortiBleed actors gained notoriety by mass-exploiting critical vulnerabilities in Fortinet's FortiOS and FortiGate product lines, establishing persistent backdoor access across thousands of enterprise and government networks worldwide. Rather than immediately deploying ransomware, the group accumulated access over months — building a vast inventory of compromised network entry points and selling or leasing that access to other threat actors.

Now, the operators are shifting strategy: instead of simply brokering access, they are directly partnering with ransomware gangs to share revenue from encryption and extortion operations.

Ransomware Partnerships

Inc Ransom

Inc Ransom is a prolific ransomware group that emerged in mid-2023 and has claimed attacks against healthcare, education, and industrial organizations globally. The group employs double-extortion tactics — encrypting files while also exfiltrating data — and maintains a leak site where victim data is published if ransoms go unpaid.

Lynx Ransomware

Lynx is a newer ransomware operation that surfaced in 2024, believed by researchers to be a rebrand or offshoot of the INC Ransom group. Lynx has targeted organizations across manufacturing, retail, and professional services, and is known for relatively rapid deployment timelines following initial access.

The collaboration with FortiBleed actors gives both groups a reliable, pre-established entry point into high-value networks — bypassing the need to separately acquire initial access.

Nextcloud Zero-Day Layering

In a notable tactical expansion, the FortiBleed actors have been observed exploiting a zero-day vulnerability in Nextcloud — an open-source file sync and collaboration platform widely deployed in enterprise and government environments — alongside their existing Fortinet footholds.

The Nextcloud zero-day provides the group with:

  • Lateral movement to file servers and collaboration infrastructure
  • Data exfiltration opportunities (Nextcloud often stores sensitive documents, credentials, and business data)
  • Additional persistence beyond the initial firewall compromise

Details of the specific Nextcloud zero-day are being withheld by researchers pending vendor notification and patch availability.

Why This Escalation Matters

FactorImpact
Established firewall accessThousands of potential victims already in inventory
Ransomware partnership modelFaster monetization at scale
Nextcloud zero-day additionDeeper network penetration, higher ransom leverage
Inc + Lynx collaborationMultiple ransomware brands = broader targeting

The shift from access broker to active ransomware participant significantly increases the threat posed by FortiBleed actors. Organizations that believed they had dodged the initial FortiBleed campaign may now find themselves targeted as the group activates dormant access.

Indicators of Compromise

Organizations should investigate for the following:

  • Unauthorized FortiGate configuration changes — especially new admin accounts, VPN profiles, or firewall rules added after initial FortiBleed patches
  • Unusual Nextcloud activity — unexpected API calls, bulk downloads, or new administrator accounts
  • Inc Ransom or Lynx-linked binaries — check EDR telemetry for known ransomware hashes associated with both groups
  • Beacon traffic — periodic outbound connections to threat actor C2 infrastructure from firewall management interfaces

Immediate Recommendations

  1. Audit FortiGate for persistence — even if you patched FortiBleed vulnerabilities, check for backdoor accounts, rogue certificates, or unauthorized configuration changes that may have been planted before patching
  2. Update Nextcloud immediately — apply all available patches and monitor Nextcloud logs for anomalous access
  3. Assume breach posture — if your Fortinet appliances were unpatched during the FortiBleed campaign window, treat your environment as potentially compromised and perform a thorough incident response investigation
  4. Threat hunt proactively — search for Inc Ransom and Lynx TTPs in your environment using published threat intelligence
  5. Isolate vulnerable systems — segment Nextcloud servers and limit access while awaiting patches
  6. Engage threat intelligence feeds — subscribe to updated IoC feeds for FortiBleed, Inc Ransom, and Lynx to detect active campaigning

References

  • Dark Reading — FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
  • Published: 2026-07-02
#Ransomware#Zero-Day#Fortinet#Cloud Security#Threat Intelligence

Related Articles

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'

Microsoft says the financially motivated cybercrime group Storm-1175, linked to China, has exploited N-day and zero-day vulnerabilities in high-velocity...

6 min read

Microsoft Links Storm-1175 to Medusa Ransomware Zero-Day

Microsoft has formally attributed Medusa ransomware zero-day attacks to Storm-1175, a China-based financially motivated cybercriminal group that has...

4 min read

Interlock Ransomware Has Been Exploiting Cisco FMC Zero-Day

The Interlock ransomware gang has been actively exploiting a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center since late...

7 min read
Back to all News