Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

One operator ran both ransomware brands

2 min read
11:00UTC

SOCRadar tied the FortiBleed credential haul to 12 confirmed ransomware deployments and found one operator working the extortion desks of both INC Ransom and Lynx.

TechnologyDeveloping
Key takeaway

Score ransomware risk by access exposure, not by which brand claims the victim.

At least 12 confirmed ransomware deployments now trace to the FortiBleed credential haul, threat-intelligence firm SOCRadar reported on Wednesday 8 July, the first hard count linking the stolen Fortinet logins to live encryption 1. The firm logged scanning against roughly 11,250 FortiGate portals across more than 150 countries, confirmed administrator access on 409 targets, and full attack-chain completion on 354. FortiBleed is the credential-theft campaign that harvested Fortinet logins; the 86,644 flagged in June have become a working intrusion pipeline.

The same report placed one operator on the negotiation panels of both INC Ransom and Lynx at once, two crews the ransomware-as-a-service (RaaS) model files as separate businesses 2. RaaS rents infrastructure and branding to freelance affiliates, so a single person can sit on two brands' extortion desks off one credential set. The Lynx attribution that read as provisional a fortnight ago now rests on shared human labour rather than overlapping tooling alone.

Bitdefender flagged the same brand-blurring six weeks earlier through cross-claiming affiliates , making this the second independent data point in six weeks. Affiliate overlap in RaaS has been documented for years, and one shared negotiator does not render the brand labels meaningless. It does weaken them as a prioritisation input: knowing your Fortinet exposure tells a chief information security officer (CISO) more than knowing which crew's logo lands on the ransom note.

Whoever sits on the extortion panel, not whoever wrote the malware, sees each victim's pay ceiling and wallet addresses across every brand they work. That is why one operator spanning two panels matters more than shared tooling would. Cyber insurers and threat-intel platforms that price risk by named-group frequency inherit a taxonomy that no longer maps to distinct organisations.

Deep Analysis

In plain English

FortiBleed is the name given to a batch of stolen usernames and passwords for Fortinet's FortiGate devices, which many companies use as their main firewall. SOCRadar, a threat-intelligence firm, found that criminals used those stolen logins to break into 409 administrator accounts and complete 354 full attacks, 12 of which ended in ransomware. Ransomware gangs like Lynx and INC Ransom often act as separate "brands" with their own leak sites and negotiation teams. SOCRadar found the same person handling ransom negotiations for both gangs, which suggests these brands share the same source of stolen access rather than being fully independent operations.

Deep Analysis
Root Causes

The FortiBleed credential haul illustrates the initial-access-broker economy: intrusion and monetisation are performed by different actors entirely. A broker sells validated FortiGate administrator credentials once; multiple ransomware crews then license access from the same pool, which is why one negotiation-panel operator can sit across both Lynx and INC Ransom without either brand controlling the intrusion itself.

Bitdefender flagged this affiliate overlap six weeks before SOCRadar's confirmation, but the shared credential source, not shared malware code, is the structural link between the two crews.

First Reported In

Update #10 · One operator worked both ransomware brands

BleepingComputer· 14 Jul 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.