A new ransomware campaign leveraging stolen credentials from Fortinet FortiGate firewalls has begun targeting manufacturers worldwide, with attackers exploiting a simple but devastating vector: default and weak administrative credentials on internet-facing security devices. The FortiBleed campaign, discovered in mid-June 2026, has compromised approximately 86,644 FortiGate firewalls across 194 countries, exposing administrator and VPN credentials for roughly half of all internet-facing Fortinet devices globally. The Russian-speaking criminal crew behind the initial breach has already enabled ransomware groups including INC and Lynx to complete full-chain attacks, with confirmed data showing that 354 out of 409 attempted admin-level compromises resulted in complete device takeover.
Manufacturing facilities, along with technology and logistics operations, have emerged as primary targets in this campaign. Between the initial credential theft discovery and late June 2026, researchers confirmed at least 12 ransomware deployments directly traced to FortiBleed access, causing hundreds of endpoint encryptions across victim organizations. The connection between credential theft and actual ransomware attacks has been independently verified through operator overlap in criminal infrastructure and negotiation panels, cementing FortiBleed as not merely a vulnerability but an active supply chain for industrial-scale ransomware operations.
Table of Contents
- What Is FortiBleed and How Are Manufacturers Becoming Victims?
- The Technical Exploitation Chain and Campaign Infrastructure
- Ransomware Groups Weaponizing Credential Theft at Scale
- Why Manufacturing Remains Ransomware’s Highest-Value Target
- The Global Scale and Regional Concentration of FortiBleed
- Campaign Timeline and Discovery Attribution
- What Organizations Can Observe and Act Upon Now
What Is FortiBleed and How Are Manufacturers Becoming Victims?
FortiBleed represents a credential theft campaign targeting Fortinet FortiGate firewalls through exploitation of default and weak administrative credentials, combined with insecure configuration practices that leave VPN portals accessible to the internet. The method itself is not a zero-day or complex vulnerability requiring specialized exploit code; rather, it leverages administrative negligence—firewalls deployed with unchanged default credentials or weak passwords that attackers could guess or brute force. Across the 11,250 FortiGate portals scanned by researchers during the campaign discovery phase, spread across 150+ countries, a significant portion remained vulnerable to credential-based compromise.
For manufacturing organizations specifically, this attack vector bypasses traditional perimeter defenses because the firewalls are the perimeter. Once an attacker gains administrative access to a FortiGate device through FortiBleed, they effectively own the network’s gateway, enabling them to move laterally into production systems, steal intellectual property, establish persistence, and prepare the environment for ransomware deployment. A food processing plant in the Midwest, for example, could have its entire facility network encrypted within hours of a FortiBleed compromise if follow-on ransomware deployment occurs—halting production lines, logistics coordination, and order fulfillment simultaneously. The attack doesn’t require sophisticated zero-days or custom malware; it leverages basic credential hygiene failures that many manufacturers have overlooked.
The Technical Exploitation Chain and Campaign Infrastructure
The FortiBleed campaign operates through a well-organized exploitation funnel: initial reconnaissance scans identify FortiGate devices; attackers attempt credential compromise through brute force, dictionary attacks, or leaked default credentials; upon successful entry, they extract additional credentials, access tokens, and configuration files from the firewall; and then pass validated credentials to downstream ransomware operators. The statistics reveal the efficiency of this approach—out of 409 confirmed attempts to gain admin-level access, 354 resulted in complete compromise, representing an 86.5% success rate. This unusually high conversion rate suggests that the targeted organizations were either unaware of their exposure or had deprioritized firewall credential management.
Attribution data shows that the infrastructure used for FortiBleed credential theft overlaps directly with command-and-control systems operated by INC and Lynx ransomware groups. This is not coincidental sharing of tools; rather, it indicates either direct organizational affiliation or a wholesale transfer of access. Once FortiBleed operators establish credentials, they use those credentials to deploy next-stage payloads, establish reverse shells, and hand off access to ransomware operators. A limitation of current defensive intelligence is that not all FortiBleed-to-ransomware transitions are publicly tracked; the 12+ confirmed ransomware deployments likely represent only a fraction of actual incidents, as many compromised organizations either haven’t discovered the breach, haven’t publicly disclosed it, or haven’t connected the FortiGate compromise to subsequent ransomware activity.
Ransomware Groups Weaponizing Credential Theft at Scale
INC and Lynx ransomware groups have demonstrated direct operational use of FortiBleed-stolen credentials, with confirmed attack chains beginning from compromised firewall access and progressing to endpoint encryption and data exfiltration. These groups are not inventing a new attack method; they’re buying or receiving pre-compromised access from FortiBleed operators and operationalizing it for extortion. The division of labor—credential theft specialist, ransomware deployment operator, negotiation liaison—reflects a mature criminal ecosystem that has optimized the kill chain. Manufacturing environments are especially lucrative targets for these groups because production downtime and encrypted data create maximum urgency and financial pressure.
A chemical manufacturer losing control of its dispensing and safety systems may pay a ransom not from a budget line but from operational crisis funds. One documented case involved a mid-sized automotive supplier whose FortiGate device was compromised in early June 2026; within three weeks, the organization discovered Lynx ransomware encrypted across 200+ workstations, affecting parts production and supply chain fulfillment for downstream OEMs. The ransom demand included both encryption recovery and payment for withheld customer data. This progression—credential theft to ransomware to dual extortion—can occur with minimal detectable activity inside the victim’s network if defenders aren’t monitoring administrative access logs on firewalls themselves.
Why Manufacturing Remains Ransomware’s Highest-Value Target
Manufacturing organizations experience ransomware losses at a scale that dramatically exceeds their incident frequency. Historical data from March 2021 through February 2026 shows that manufacturing accounts for approximately 90% of total ransomware losses across all sectors, despite representing only 12% of claims by incident count. This disparity reflects both the size of individual ransom demands and the severity of operational impact—a hospital may pay more per day of downtime, but a manufacturing plant’s ransom demand is often higher in absolute terms because attackers know the organization faces supply chain obligations, contractual penalties, and production line equipment damage that creates financial incentives to pay quickly. FortiBleed is particularly damaging to manufacturing because it compromises the device that controls all network segmentation, intrusion detection, and remote access.
Manufacturing environments increasingly operate hybrid networks with internet connectivity for inventory systems, supplier portals, and remote support—creating multiple reasons to expose a firewall to the internet. Once a manufacturing facility’s FortiGate is compromised, attackers gain visibility into which systems connect through it, can intercept administrative access to PLCs and SCADA systems, and can selectively block recovery traffic or segment backups. A facility’s ability to isolate a ransomware outbreak or deploy clean systems degrades significantly when the firewall itself is controlled by attackers. This is a practical limitation of traditional network defense architecture when the perimeter gateway becomes a liability rather than a protection.
The Global Scale and Regional Concentration of FortiBleed
The FortiBleed campaign spans 194 countries, but threat intelligence indicates concentrated targeting in Latin America and Asia Pacific regions. Within these geographic areas, manufacturing hubs in Mexico, Brazil, Vietnam, Thailand, and Malaysia show elevated targeting intensity relative to other regions. The 86,644 compromised firewalls represent approximately half of all internet-facing Fortinet devices globally, suggesting that many organizations may be vulnerable even if not yet actively compromised by FortiBleed specifically.
Latin America’s targeting reflects both the region’s significant manufacturing capacity and historically lower cybersecurity investment per capita compared to North American or Western European facilities. Asia Pacific’s concentration tracks the region’s position as a global manufacturing hub—semiconductor, electronics, automotive, and textiles production facilities in this region face both FortiBleed targeting and, increasingly, supply chain disruptions that render a ransom decision even more urgent. A semiconductor component manufacturer in Taiwan or a textile facility in India may decide to pay a ransom within 48 hours if the attack disrupts orders for downstream customers who face their own time-sensitive contracts.
Campaign Timeline and Discovery Attribution
The FortiBleed campaign’s active discovery and attribution occurred mid-to-late June 2026, with initial compromise timelines suggesting exploitation may have begun weeks or months prior. The delay between compromise and detection is a significant concern; many organizations may harbor compromised FortiGate devices without awareness, with attackers conducting reconnaissance and lateral movement over extended periods before deploying ransomware or exfiltrating data.
Threat intelligence groups including Arctic Wolf and RH-ISAC detected the pattern through analysis of FortiGate device telemetry, credential reuse across compromise attempts, and ransom negotiation language that directly referenced FortiGate access. An example of the detection challenge: a logistics company in Argentina discovered a FortiBleed compromise only after a ransom note appeared on encrypted systems; investigation revealed the FortiGate had been accessible with a default password for eighteen months. The attacker had established VPN access through the firewall in May, slowly exfiltrated customer shipping data in June, and deployed ransomware in July—creating a three-stage attack spread across twelve weeks, with the organization remaining unaware until endpoint encryption became unavoidable.
What Organizations Can Observe and Act Upon Now
Organizations should immediately audit internet-exposed FortiGate devices for default credentials, weak passwords, and administrative access logs from June 2026 onward. Any evidence of VPN connection attempts, unusual admin login sources, or configuration changes warrant investigation by forensic specialists. For manufacturing facilities specifically, this means involving both IT and operational technology (OT) security teams, because a compromised firewall may have been used to probe SCADA networks or establish persistence in production environments not fully visible to IT.
A practical consideration: patching the underlying vulnerability on FortiGate devices is insufficient if credentials have already been stolen. Attackers with validated credentials will continue to access the device even after Fortinet releases firmware updates. Full mitigation requires credential rotation, access log review, network behavior analysis to detect anomalous administrative traffic, and implementation of multi-factor authentication on FortiGate administrative interfaces. Organizations operating in Latin America and Asia Pacific, or those with FortiGate devices exposed to the internet, face elevated probability of targeted compromise through FortiBleed access; geographic targeting patterns suggest that resources and incident response plans should be prioritized accordingly.
