ctipilot.ch

INC Ransom

actor · actor:inc-ransom

Ransomware-as-a-service operation active since ~2023; researchers assess Lynx (active since mid-2024) as an INC rebrand rather than a distinct group. SOCRadar's 2026-07-01 FortiBleed attribution report ties INC/Lynx to the FortiBleed FortiGate credential-theft infrastructure via shared negotiation-panel access and overlapping leak-site victims.

Aliases: INC Ransomware, Lynx

Coverage timeline
4
first 2026-05-11 → last 2026-07-05
Entries
4
3 distinct days
Sources cited
9
8 hosts
Sections touched
3
weekly-long-running, weekly-looking-ahead, weekly-research
Co-occurring entities
2
see Related entities below
2026-05-114 appearances2026-07-05

Story timeline

  1. 2026-07-05FortiBleed status update — the FortiGate credential-theft campaign is now attributed to INC Ransom / Lynx, with a scaled-up victim count and an unconfirmed Nextcloud zero-day claim
    weekly-long-runningFortiBleed status — now attributed to INC Ransom / Lynx; 409 admin-access, 12 ransomware deployments
  2. 2026-07-05Looking ahead — 2026-W27
    weekly-looking-aheadLooking ahead — 2026-W27: items already in motion for the coming weeks
  3. 2026-06-22Threat actor: INC ransomware's Rust rewrite and BYOVD evolution
    weekly-researchThreat actor: INC ransomware's Rust rewrite and BYOVD evolution
  4. 2026-05-11FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope
    weekly-long-runningFrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

Where this entity is cited

  • weekly-long-running2
  • weekly-research1
  • weekly-looking-ahead1

Source distribution

  • thehackernews.com2 (22%)
  • acronis.com1 (11%)
  • bleepingcomputer.com1 (11%)
  • eerstekamer.nl1 (11%)
  • helpx.adobe.com1 (11%)
  • socradar.io1 (11%)
  • watchguard.com1 (11%)
  • welivesecurity.com1 (11%)

Related entities

Entries about INC Ransom (4)

2026-07-05 · view entry permalink →

Looking ahead — 2026-W27

notable outlook discovered 2026-07-05 23:43 UTC NATOB2

Items already in motion — sourced developments a defender should expect to act on in the coming weeks, not forecasts:

  • Adobe ColdFusion — six CVSS 10.0 unauth RCEs awaiting weaponisation. APSB26-68 fixed six maximum-severity RCE paths (file-upload, input-validation, path-traversal), all Adobe Priority 1, with no known exploitation yet (Adobe PSIRT, 2026-06-30). ColdFusion's history is rapid weaponisation of unauth file-upload primitives — patch internet-facing instances before a PoC lands (§ references).
  • Citrix NetScaler CVE-2026-8451 — public test artefact, siblings exploited within days. A "Detection Artefact Generator" is public and CitrixBleed-lineage siblings have been exploited within days of disclosure; treat exploitation as a matter of time (§ references).
  • WatchGuard Firebox 12.5.x — fix still pending. The pre-auth iked RCE (CVE-2026-13368) has no fix for the 12.5.x branch and 11.x is EOL; a build is expected — until it ships, the LDAP-backed IKEv2 path must be removed, not waited on (WatchGuard PSIRT, 2026-07-02).
  • Dutch NIS2 — Senate vote 7 July, entry into force 15 August 2026. The Eerste Kamer floor vote is scheduled for 7 July with a revised entry-into-force target of 15 August (Eerste Kamer, bill 36764); organisations with Dutch nexus should re-anchor readiness milestones (this week's policy entry).
  • ShinyHunters Oracle PeopleSoft — un-notified victim tail. GTIG's ~100-organisation notification set is still landing (68% higher education); more European education and public-finance named victims are likely (this week's long-running status; § references).
  • FortiBleed-actor Nextcloud zero-day — pending vendor disclosure. SOCRadar states the INC/Lynx-linked FortiBleed operator holds an undisclosed Nextcloud zero-day, coordination in progress. Single-source and unconfirmed — but given Nextcloud's Swiss/German public-sector prevalence, be ready to prioritise a patch the moment Nextcloud publishes (this week's FortiBleed status entry).

Builds on: 2026-07-02/cve-2026-48276-48277-48281-48282-48283-48316-adobe-coldfusio · 2026-07-01/cve-2026-8451-citrix-netscaler-adc-gateway-pre-auth-saml-mem · 2026-07-03/cve-2026-13368-watchguard-fireware-iked-pre-auth-rce · 2026-07-01/nissan-is-the-largest-named-victim-yet-in-the-shinyhunters-o

vulnerabilities law-enforcement global europe

2026-07-05 · view entry permalink →

FortiBleed status update — the FortiGate credential-theft campaign is now attributed to INC Ransom / Lynx, with a scaled-up victim count and an unconfirmed Nextcloud zero-day claim

UPDATE — originally covered FortiBleed (2026-06-29)

notable synthesis discovered 2026-07-05 23:41 UTC NATOB2

FortiBleed — the FortiGate credential-exposure campaign the prior two weeklies tracked from disclosure (86,644+ then 73,932+ exposed credentials) through the Golang "FortigateSniffer" tool (abusing FortiOS's native diagnose sniffer packet) and an AD-domain-takeover at a NATO-aligned defence contractor — gained a ransomware attribution and a scale revision this week.

Attribution to INC Ransom / Lynx. SOCRadar's Threat Research Unit published evidence tying FortiBleed's infrastructure directly to two active ransomware operations: an operator with access to FortiBleed infrastructure was found logged into the negotiation panels of both INC Ransom and Lynx (which SOCRadar assesses, per other researchers, to be an INC rebrand rather than a distinct group), and FortiBleed victim data overlaps victims on INC Ransom's leak site — the first direct evidence linking the mass FortiGate credential theft to a specific ransomware-deployment pipeline (SOCRadar STRU, 2026-07-01; BleepingComputer, 2026-07-01). STRU characterises the operation as an ~20-person Initial Access Broker business with a tiered internal structure exposed via an opsec lapse.

Scale revision. STRU reports scanning against ~11,250 FortiGate portals across 150+ countries, admin-level access confirmed on 409 targets, full domain compromise on 354, and at least 12 confirmed ransomware deployments to date — sharpening the risk picture from "credential exposure" to "credential exposure feeding an active RaaS deployment pipeline."

Unconfirmed Nextcloud zero-day (track, do not action). STRU further states the group possesses at least one undisclosed Nextcloud zero-day, with SOCRadar coordinating responsible disclosure. This is a single-source claim pending vendor confirmation and carries no CVE — but given Nextcloud's data-sovereignty-driven prevalence in Swiss and German public-sector and SME estates, it belongs on the watch list for an immediate patch once Nextcloud publishes. The durable defender action is unchanged: treat any FortiGate exposed in the May–June window as having leaked credentials, rotate, and hunt the sniffer technique. New registry entity this run: actor:inc-ransom (aliases INC Ransomware, Lynx).

Scanning activity against roughly 11,250 FortiGate portals in more than 150 countries, with admin-level access confirmed on 409 targets

SOCRadar (STRU)

During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group.

BleepingComputer (citing SOCRadar)
ransomware data-breach organized-crime identity global europe dach

2026-06-22 · view entry permalink →

Threat actor: INC ransomware's Rust rewrite and BYOVD evolution

notable research discovered 2026-06-22 00:15 UTC

Acronis and The Hacker News documented the evolution of INC ransomware into a top-tier RaaS — 830+ victims since 2023, fourth in Q1 2026 — with a Rust rewrite of its Windows and Linux/ESXi encryptors, BYOVD EDR-termination using the drivers filwfp.sys / filnk.sys / fildds.sys (the same set seen in earlier Vanilla Tempest campaigns), a Veeam credential dumper for backup infrastructure, and two source-code-leak-derived variants (Lynx, Sinobi) (Acronis TRU, 2026-06-18; The Hacker News, 2026-06-19). The geography is incidental for a CH/EU SOC — the cited reporting puts the majority of INC's victims in the US — but the tradecraft is not: the three BYOVD drivers (shared with earlier Vanilla Tempest campaigns), the Veeam backup-credential dumper, and the cross-platform Rust encryptor are detection content that generalises to any victim. Detect the three BYOVD drivers via driver-load events with a hash blocklist, alert on Veeam process-memory access from unexpected parents, and keep backup systems MFA-protected and network-isolated.

ransomware organized-crime global us

2026-05-11 · view entry permalink →

FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

notable synthesis discovered 2026-05-11 05:00 UTC

ESET's 2026-05-14 analysis of activity observed since March 2026 documents an evolved spearphishing chain: (1) malicious PDFs impersonating Ukrtelecom with embedded redirect links, (2) RAR archives delivering JavaScript PicassoLoader variants, (3) server-side victim geo-validation (serves benign PDF to non-Ukrainian IPs) with system fingerprinting every 10 minutes to determine Cobalt Strike eligibility, (4) persistence via scheduled tasks and registry modifications. The previous Polish-targeting wave exploited CVE-2024-42009 (Roundcube XSS) for credential harvesting; WinRAR CVE-2023-38831 also referenced in the toolchain. The Belarus-aligned actor cluster (UNC1151, UAC-0057, TA445, Storm-0257, Umbral Bison, White Lynx) targets governmental, industrial, healthcare, and logistics sectors. EU scope: Poland, Lithuania, and Ukraine confirmed; broader Eastern European public-sector exposure inferred (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15).

No named EU victim disclosures this run. Status update from the W19 long-running record (item:apt28-apt29-unc1151): ESET's documentation of the geofencing and 10-minute fingerprinting cadence is new operational detail not present in the W19 ABW tri-attribution coverage. Detection: outbound connections to Canarytokens-style endpoints used for fingerprinting; scheduled-task creation with random GUIDs spawned from Office process trees (T1053.005); child processes of WinRAR or archive handlers executing JavaScript (T1059.007); PicassoLoader staging behaviours.

nation-state espionage russia-nexus europe