INC Ransom FortiBleed Surge Hits 7 Victims

Statistical Overview

Victim Totals

  • This month: 66
  • This quarter: 66
  • Year to date: 5073
  • Last 24h: 18

Quarterly Breakdown

Q1: 2631 | Q2: 2386 | Q3: 66 | Q4: 0

Ransomware activity registered 18 new victims in the last 24 hours, contributing to a total of 66 for the current month and quarter. This figure is lower than previous quarters, which saw 2631 in Q1 and 2386 in Q2, indicating a potential shift in reporting cadence or a temporary reduction in disclosed incidents.

Introduction

In the last 24 hours, ransomware activity added 18 new victims to public leak sites. INC Ransom was the most active group, responsible for seven incidents, followed by APT73 with three victims. Geographically, the United States and Brazil were the primary targets, while sectors such as Professional Services, Manufacturing, and Government were most affected.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | INC Ransom | 7 | acworth-ga.gov, carvalima.com.br, ezortea.com.br (+4) | Brazil, United States | Construction & Engineering, Government / Public Sector
2 | APT73 | 3 | Aydeniz.com, Flazio.com, Holidaypalace.com | Italy, Spain | Professional Services, Hospitality & Travel
3 | Krybit | 2 | Duflosa.com, Majuhome.com.my | Colombia, Malaysia | Professional Services, Retail & Ecommerce
4 | PEAR | 2 | Ac beverage, inc., Cnw electronics pte ltd | United States, Singapore | Professional Services, Manufacturing
5 | Anubis | 1 | Ferrum ag | Switzerland | Manufacturing
6 | BlackField | 1 | Redeplastrs.com.br | Brazil | Manufacturing
7 | RansomHouse | 1 | Prince George County [EVIDENCE] | United States | Government / Public Sector
8 | The Gentlemen | 1 | Shamrock holdings inc. | United States | Financial Services

INC Ransom was the most active, impacting government and construction sectors across the United States and Brazil, including targets like acworth-ga.gov. RansomHouse also targeted the US Government sector with an incident affecting Prince George County.

Victim Distribution

By Country

  • United States: 7
  • Brazil: 4
  • Spain: 1
  • Turkey: 1
  • Switzerland: 1
  • Singapore: 1
  • Malaysia: 1
  • Italy: 1
  • Colombia: 1

By Industry

  • Municipal Government: 2
  • Hospitality: 1
  • Private Equity: 1
  • Healthcare: 1
  • Government Administration: 1
  • Early Childhood Education: 1
  • Consumer Services: 1
  • Construction, Engineering, Real Estate, Agribusiness, Tourism: 1
  • Machinery Manufacturing: 1
  • Footwear Manufacturing: 1

The United States and Brazil represent the primary geographic concentration for ransomware victims. Industry targeting remains diverse. Professional Services, Manufacturing, and Municipal Government sectors were consistently affected, showing a broad but persistent focus on critical operational areas.

Ransomware News

Topline

Ransomware activity focuses on initial access vulnerabilities like FortiBleed and Citrix Bleed 2, persistent social engineering tactics, and law enforcement action against the Scattered Spider group.

Campaigns & Operations

The INC ransomware-as-a-service (RaaS) group targets the legal sector, exploiting the potential for reputational damage and malpractice suits from leaked sensitive data. This activity is linked to "FortiBleed" credential harvesting, which has compromised over 430,000 FortiGate firewalls and generated 1.16 billion credential attempts, fueling operations for INC Ransom and Lynx. Anubis, another active ransomware group, exploits Citrix Bleed 2 (CVE-2025-5777) for initial access and then uses legitimate remote management tools for lateral movement. A new campaign targets small businesses globally with rudimentary ransomware delivered via phishing emails impersonating Interpol, tailoring ransom demands to organization size. Law enforcement arrested Peter Stokes, an alleged member of the Scattered Spider group, who faces charges for over 100 intrusions and more than $100 million in ransom payments.

Vulnerabilities & TTPs

The FortiBleed campaign fuels ransomware activity by compromising FortiGate firewalls and is now under investigation for a Nextcloud zero-day. Anubis exploits Citrix Bleed 2 (CVE-2025-5777) and blends into normal IT activity by reusing legitimate admin workflows, remote desktop, and PsExec. The Q2 2026 Attack Techniques Trend Report indicates a surge in exploits targeting public assets, identities, and AI stacks, with CISA KEV listings increasing by 27% year-over-year. This includes AI-focused attacks via CVE-2026-42824 (SearchLeak) against M365 Copilot and CVE-2026-26030/25592 in Microsoft Semantic Kernel. The Gentlemen group also weaponizes BYOVD through a Kontron ktapi.sys driver vulnerability for kernel-level access. Our explainer, Ransomware-as-a-Service (RaaS) Explained, can help organizations grasp the operational model of groups like INC Ransom.

Analyst Note

This period shows a reliance on exploiting known vulnerabilities for initial access, social engineering, and legitimate tool abuse. Law enforcement remains active against threat groups.

Technical Takeaways

  • INC Ransom is an active RaaS group focusing on the legal sector, potentially driven by the high value of sensitive legal data.
  • The FortiBleed campaign is a threat, compromising over 430,000 FortiGate firewalls and generating 1.16 billion credential attempts, with direct links to INC Ransom operations and a pending Nextcloud zero-day investigation.
  • Anubis ransomware uses the Citrix Bleed 2 vulnerability (CVE-2025-5777) for initial access, subsequently using legitimate remote management tools to evade detection.
  • Social engineering, such as the Interpol impersonation campaign targeting SMBs, remains an effective initial access vector, showing the need for strong user awareness training.
  • The Q2 2026 ASEC report shows a broader trend of increased exploitation of public-facing applications, identities, and AI-related vulnerabilities, including CVE-2026-42824, CVE-2026-26030, and CVE-2026-25592.

Why INC Ransom Targets FortiBleed Vulnerabilities

INC Ransom has increasingly weaponized FortiBleed (CVE-2022-40684 and related Fortinet authentication bypass flaws) to gain initial access at scale. These vulnerabilities expose VPN gateways and firewall management interfaces without requiring credentials, making them ideal for ransomware operators.

  • FortiBleed allows unauthenticated API access to Fortinet devices
  • Affected products include FortiGate, FortiProxy, and FortiSwitch Manager
  • Unpatched government and SMB networks remain high-value targets
  • INC Ransom pairs FortiBleed with lateral movement tools like Cobalt Strike

Organizations still running unpatched Fortinet firmware face elevated risk. See our Fortinet vulnerability tracker for patch guidance.

INC Ransom Group Profile and Tactics

INC Ransom emerged as a significant threat actor in 2023, distinguished by its aggressive double-extortion model and rapid victim accumulation. The group operates a professional leak site and demonstrates notable operational discipline.

  • Targets mid-market organizations across government, construction, and professional services
  • Leverages exposed remote access infrastructure as primary entry vector
  • Exfiltrates data before encryption to maximize leverage
  • Average ransom demands range from $500K to $5M USD
  • Active across North America, South America, and Europe

Review our ransomware group profiles for a full breakdown of INC Ransom TTPs and historical victim data.

How to Reduce Exposure to FortiBleed-Linked Ransomware

Defenders can take immediate steps to reduce risk from INC Ransom and similar groups exploiting perimeter vulnerabilities.

  • Audit all internet-facing Fortinet devices and apply available firmware patches immediately
  • Disable HTTPS management interfaces exposed to the public internet
  • Implement network segmentation to limit lateral movement post-compromise
  • Deploy endpoint detection with behavioral monitoring for ransomware precursors
  • Review authentication logs for anomalous API calls targeting management endpoints
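
The last step above, reviewing authentication logs for anomalous access to management endpoints, is the one most teams can automate immediately. The script below is an added example written for this summary; it is not code from the page's author or from Fortinet. It parses key=value event lines in the general shape of FortiGate admin-login logs (the field names logdesc, user, ui, srcip, action and status are assumptions modelled on that format, not a guarantee of your firmware's exact schema), and raises two kinds of alert: a successful admin login from a source outside the management allowlist, and a burst of failed logins from one source, which is the credential-stuffing pattern the FortiBleed numbers above describe. The sample log lines and the 10.10.0.0/24 allowlist are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sources expected to reach the firewall's admin interface (constructed for
# this example; replace with your jump hosts / admin VLAN).
MGMT_ALLOWLIST = [ip_network("10.10.0.0/24")]

# key=value tokens, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def source_is_expected(src, allowlist=MGMT_ALLOWLIST):
    """True when src is a valid IP inside one of the allowlisted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def admin_login_alerts(lines, allowlist=MGMT_ALLOWLIST, fail_threshold=5):
    """Scan admin login events and return a list of alert dicts.

    - 'unexpected_admin_login': a successful login from outside the allowlist
    - 'login_burst': fail_threshold or more failed logins from one source
      (emitted once, when the threshold is first reached)
    """
    alerts = []
    failures = Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue  # only admin login events are of interest here
        src, user, when = ev.get("srcip", "?"), ev.get("user", "?"), ev.get("time", "?")
        if ev.get("status") == "success" and not source_is_expected(src, allowlist):
            alerts.append({"kind": "unexpected_admin_login", "srcip": src,
                           "user": user, "time": when})
        elif ev.get("status") == "failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                alerts.append({"kind": "login_burst", "srcip": src,
                               "user": user, "time": when,
                               "failures": failures[src]})
    return alerts


def _line(time, logdesc, user, src, status):
    # Helper that builds a constructed sample line in FortiGate-like key=value form.
    return (f'date=2026-07-14 time={time} type="event" subtype="system" '
            f'logdesc="{logdesc}" user="{user}" ui="https({src})" '
            f'srcip={src} action="login" status="{status}"')


# Constructed sample: one legitimate login, six failures then a success from
# an unexpected internet source, and one harmless failure from the admin VLAN.
SAMPLE_LOGS = [
    _line("08:01:12", "Admin login successful", "admin", "10.10.0.15", "success"),
    *[_line(f"08:02:{s:02d}", "Admin login failed", "admin", "198.51.100.7", "failed")
      for s in range(10, 16)],
    _line("08:03:10", "Admin login successful", "admin", "198.51.100.7", "success"),
    _line("08:05:00", "Admin login failed", "admin", "10.10.0.15", "failed"),
]

if __name__ == "__main__":
    for alert in admin_login_alerts(SAMPLE_LOGS):
        print(alert)
```

Feed it the firewall's syslog export one line per entry; the allowlist check is deliberately strict (any source that is not a parseable IP inside the admin network is treated as unexpected), and the burst alert fires once per source so a brute-force run does not flood the queue.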

Proactive patch management and attack surface reduction remain the most effective defenses against opportunistic ransomware groups. Visit our incident response checklist for step-by-step guidance.