A massive credential-harvesting campaign called FortiBleed, which has targeted over 430,000 FortiGate firewalls worldwide and compromised an estimated 110 million credentials, has now been directly linked to ransomware attacks. Security researchers discovered that stolen credentials from the operation are being used to deploy INC Ransom and Lynx ransomware, with at least 12 organizations suffering encryption attacks and hundreds of endpoints locked down. An operational security mistake by the attackers revealed that the same operator manages both ransomware families, proving that this credential theft operation is actively feeding into the ransomware ecosystem.