Overview
The threat actors behind the FortiBleed campaign — who previously compromised thousands of Fortinet firewall appliances through unpatched vulnerabilities — are now actively monetizing their foothold by collaborating with two ransomware operations: Inc Ransom and Lynx Ransomware. The pivot from access brokerage to direct ransomware deployment marks a significant escalation, and researchers have also observed the group layering an additional Nextcloud zero-day on top of their existing network presence.
Background: The FortiBleed Campaign
The FortiBleed actors gained notoriety by mass-exploiting critical vulnerabilities in Fortinet's FortiOS and FortiGate product lines, establishing persistent backdoor access across thousands of enterprise and government networks worldwide. Rather than immediately deploying ransomware, the group accumulated access over months — building a vast inventory of compromised network entry points and selling or leasing that access to other threat actors.
Now, the operators are shifting strategy: instead of simply brokering access, they are directly partnering with ransomware gangs to share revenue from encryption and extortion operations.
Ransomware Partnerships
Inc Ransom
Inc Ransom is a prolific ransomware group that emerged in mid-2023 and has claimed attacks against healthcare, education, and industrial organizations globally. The group employs double-extortion tactics — encrypting files while also exfiltrating data — and maintains a leak site where victim data is published if ransoms go unpaid.
Lynx Ransomware
Lynx is a newer ransomware operation that surfaced in 2024, believed by researchers to be a rebrand or offshoot of the INC Ransom group. Lynx has targeted organizations across manufacturing, retail, and professional services, and is known for relatively rapid deployment timelines following initial access.
The collaboration with FortiBleed actors gives both groups a reliable, pre-established entry point into high-value networks — bypassing the need to separately acquire initial access.
Nextcloud Zero-Day Layering
In a notable tactical expansion, the FortiBleed actors have been observed exploiting a zero-day vulnerability in Nextcloud — an open-source file sync and collaboration platform widely deployed in enterprise and government environments — alongside their existing Fortinet footholds.
The Nextcloud zero-day provides the group with:
- Lateral movement to file servers and collaboration infrastructure
- Data exfiltration opportunities (Nextcloud often stores sensitive documents, credentials, and business data)
- Additional persistence beyond the initial firewall compromise
Details of the specific Nextcloud zero-day are being withheld by researchers pending vendor notification and patch availability.
Why This Escalation Matters
| Factor | Impact |
|---|---|
| Established firewall access | Thousands of potential victims already in inventory |
| Ransomware partnership model | Faster monetization at scale |
| Nextcloud zero-day addition | Deeper network penetration, higher ransom leverage |
| Inc + Lynx collaboration | Multiple ransomware brands = broader targeting |
The shift from access broker to active ransomware participant significantly increases the threat posed by FortiBleed actors. Organizations that believed they had dodged the initial FortiBleed campaign may now find themselves targeted as the group activates dormant access.
Indicators of Compromise
Organizations should investigate for the following:
- Unauthorized FortiGate configuration changes — especially new admin accounts, VPN profiles, or firewall rules added after initial FortiBleed patches
- Unusual Nextcloud activity — unexpected API calls, bulk downloads, or new administrator accounts
- Inc Ransom or Lynx-linked binaries — check EDR telemetry for known ransomware hashes associated with both groups
- Beacon traffic — periodic outbound connections to threat actor C2 infrastructure from firewall management interfaces
Immediate Recommendations
- Audit FortiGate for persistence — even if you patched FortiBleed vulnerabilities, check for backdoor accounts, rogue certificates, or unauthorized configuration changes that may have been planted before patching
- Update Nextcloud immediately — apply all available patches and monitor Nextcloud logs for anomalous access
- Assume breach posture — if your Fortinet appliances were unpatched during the FortiBleed campaign window, treat your environment as potentially compromised and perform a thorough incident response investigation
- Threat hunt proactively — search for Inc Ransom and Lynx TTPs in your environment using published threat intelligence
- Isolate vulnerable systems — segment Nextcloud servers and limit access while awaiting patches
- Engage threat intelligence feeds — subscribe to updated IoC feeds for FortiBleed, Inc Ransom, and Lynx to detect active campaigning
References
- Dark Reading — FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
- Published: 2026-07-02