Defenders need to be on high alert. SOCRadar’s Threat Research Unit has confirmed a direct link between the large-scale FortiBleed campaign and two active encryption-based operations: INC Ransom and Lynx. This is not theoretical; this is an active exploitation campaign impacting over 430,000 FortiGate firewalls globally.
The attack chain is aggressive: credentials are harvested from vulnerable devices, leading directly to domain compromise and rapid ransomware deployment. If you manage FortiGate infrastructure, assume exposure and verify credentials immediately. The bridge between network perimeter failure and enterprise-wide encryption has been crossed.
Technical Analysis
Threat Overview:
- Campaign Name: FortiBleed
- Affected Products: FortiGate Firewalls
- Scale: 430,000+ devices exposed worldwide
- Linked Threat Actors: INC Ransom, Lynx
- Objective: Credential harvesting → Domain Compromise → Encryption (Ransomware)
Attack Mechanics: The FortiBleed campaign focuses on harvesting credentials from FortiGate appliances. While the underlying vulnerability allows for unauthorized access, the immediate risk to defenders is the theft of administrative credentials. Once obtained, these credentials are not just used for perimeter persistence; they are utilized to pivot internally, compromise domain controllers, and deploy ransomware payloads (specifically INC Ransom and Lynx variants).
Exploitation Status:
- Confirmed Active Exploitation: Yes. The link to INC Ransom and Lynx operations is described as "not circumstantial," with specific operator activity connecting the harvested credentials to encryption events.
Detection & Response
Sigma Rules
The following Sigma rules focus on detecting the precursors to the ransomware activity—specifically the suspicious command-line execution often associated with INC Ransom and Lynx post-exploitation, and the anomaly of administrative access on the firewall which indicates credential use.
---
title: Potential INC Ransom or Lynx Ransomware Process Activity
id: 8a4b2c1d-9e6f-4a3b-8c2d-1e4f5a6b7c8d
status: experimental
description: Detects suspicious process execution patterns often associated with INC Ransom and Lynx operations, including usage of tools for mass file encryption and system disabling.
references:
- https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith:
- '\rundll32.exe'
- '\powershell.exe'
- '\cmd.exe'
selection_cli:
CommandLine|contains:
- ' -enc '
- 'vssadmin delete shadows'
- 'wbadmin delete catalog'
- 'bcdedit /set'
condition: all of selection_*
falsepositives:
- Legitimate system administration scripts
level: high
---
title: FortiGate Administrative Login Anomaly
id: 9c5d3e2f-1a7b-4c8d-9e0f-2a3b4c5d6e7f
status: experimental
description: Detects successful administrative logins to FortiGate devices which may indicate the use of credentials harvested by the FortiBleed campaign.
references:
- https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1078
logsource:
category: firewall
product: fortinet
detection:
selection:
action: 'admin-login'
result: 'success'
filter:
src_ip|startswith:
- '10.'
- '192.168.'
- '172.16.'
condition: selection and not filter
falsepositives:
- Legitimate remote administration from trusted external IPs
level: medium
KQL (Microsoft Sentinel)
This hunt queries Syslog or CommonSecurityLog data for FortiGate administrative logins, correlating them with subsequent suspicious process activity on internal endpoints (indicating lateral movement).
// Hunt for FortiGate Admin Logins followed by suspicious internal activity
let FortiLogins =
Syslog
| where Facility contains "fortinet" or SyslogMessage contains "action=admin-login"
| parse SyslogMessage with * "user=" User " " * "srcip=" SrcIP " " * "result=" Result
| where Result == "success"
| project TimeGenerated, User, SrcIP, Message;
// Correlate with endpoint suspicious processes (assuming DeviceProcessEvents or SecurityEvent data)
let SuspiciousProcesses =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "vssadmin delete shadows"
or ProcessCommandLine has "wbadmin delete catalog"
or ProcessCommandLine has " -enc "
| project Timestamp, DeviceName, AccountName, ProcessCommandLine;
// Join to see if admin IPs are seen interacting with endpoints or if temporal proximity suggests rapid movement
FortiLogins
| join kind=inner SuspiciousProcesses on $left.TimeGenerated <= $right.Timestamp + time(1hour)
| project TimeGenerated, User, SrcIP, DeviceName, AccountName, ProcessCommandLine
| distinct TimeGenerated, User, SrcIP, DeviceName, ProcessCommandLine
Velociraptor VQL
This artifact hunts for the specific file system artifacts and process execution on Windows endpoints typically left behind by INC Ransom and Lynx.
-- Hunt for ransomware indicators on endpoints
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
CreateTime
FROM pslist()
WHERE Name IN ('rundll32.exe', 'powershell.exe', 'cmd.exe')
AND (
CommandLine =~ 'vssadmin delete shadows' OR
CommandLine =~ 'wbadmin delete catalog' OR
CommandLine =~ ' -enc '
)
-- Hunt for ransomware notes or encrypted files
SELECT FullPath, Size, Mtime
FROM glob(globs="C:\\*\\*.{inc,locked,lynx}")
WHERE Mtime > now() - 24h
Remediation Script (PowerShell)
Use this script on Windows endpoints to check for signs of the ransomware activity (encryption/shadow copy deletion) described in the FortiBleed campaign analysis. This aids in identifying which hosts may be actively compromised by the INC Ransom or Lynx operators using stolen credentials.
<#
.SYNOPSIS
Checks for Indicators of Compromise (IoC) related to INC Ransom/Lynx post-exploitation.
.DESCRIPTION
This script scans event logs and running processes for evidence of shadow copy deletion,
backup catalog destruction, and suspicious PowerShell execution often observed in
encryption-based attacks stemming from the FortiBleed campaign.
#>
Write-Host "[+] Starting hunt for INC Ransom/Lynx IoCs..." -ForegroundColor Cyan
# Check for Shadow Copy Deletion Events (VSSAdmin 1)
$vssEvents = Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=1)]] and *[Data[@Name='SourceName']='VSSAdmin']" -ErrorAction SilentlyContinue
if ($vssEvents) {
Write-Host "[!] ALERT: VSSAdmin Shadow Copy Deletion detected." -ForegroundColor Red
$vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[-] No VSSAdmin deletion events found." -ForegroundColor Green
}
# Check for Backup Catalog Deletion (wbadmin)
$wbadminFilter = @{LogName='Application'; ProviderName='wbadmin'}
$wbadminEvents = Get-WinEvent -FilterHashtable $wbadminFilter -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*delete*' }
if ($wbadminEvents) {
Write-Host "[!] ALERT: WBAdmin catalog deletion detected." -ForegroundColor Red
$wbadminEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[-] No WBAdmin deletion events found." -ForegroundColor Green
}
# Check for Suspicious PowerShell Encoded Commands
$processList = Get-Process -IncludeUserName | Where-Object { $_.ProcessName -eq 'powershell.exe' }
foreach ($proc in $processList) {
try {
$cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
if ($cmdLine -match '-enc [A-Za-z0-9+/=]+') {
Write-Host "[!] ALERT: Suspicious encoded PowerShell command detected in PID $($proc.Id) by user $($proc.UserName)." -ForegroundColor Red
Write-Host " Command: $cmdLine"
}
} catch {
# Access denied or process ended
}
}
Write-Host "[+] Hunt complete." -ForegroundColor Cyan
Remediation
-
Immediate Credential Rotation: The primary goal of FortiBleed is credential harvesting. Immediately rotate all credentials associated with FortiGate administrative accounts, SSL-VPN accounts, and any service accounts that may have been accessible via the firewall. Assume any credential exposed on these devices is compromised.
-
Patch and Upgrade: Apply the latest security patches provided by Fortinet for FortiOS. Ensure devices are upgraded to versions that mitigate the vulnerabilities targeted by the FortiBleed campaign. Review the official advisory below for specific version requirements.
-
Audit Domain Controllers: Since the campaign leads to "domain compromise," conduct a rigorous audit of Domain Controller logs. Look for unusual Kerberos ticket requests (Golden/Silver ticket attacks) and logons from the firewall's management IP addresses during the incident window.
-
Network Segmentation: Ensure management interfaces for firewalls are not accessible from the internet. If management access is required, enforce strict IP allow-listing and utilize Zero Trust Network Access (ZTNA) solutions rather than exposing the UI directly.
-
Reset MFA Tokens: If MFA is implemented on the firewall, force a reset of MFA tokens/seed codes for all administrators, as session hijacking or token theft may have occurred.
Vendor Advisory: SOCSecurity Advisory on FortiBleed
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.