Groove Gang Leaks 500,000 Fortinet VPN Credentials

Fortinet headquarters in Silicon Valley. Groove Gang Leaks 500,000 Fortinet VPN Credentials.

Update 3/11/2021: End of October, the blog post on Groove has disappeared from the dark web. It has emerged that the “new gang” was nothing but a hoax. Security researcher Brian Krebs reviewed recent posts by “Boriselcin” and discovered that the cybercriminal had been planning the hoax for months to toy with security researchers and the “Western media”.

Ransomware gang Groove leaked half a million login credentials belonging to users of Fortinet’s VPN solution on a newly launched hacking forum, named Ramp. The hackers likely scraped the names and passwords from compromised devices.

Who’s Groove?

Groove is a new ransomware gang that became more active in August this year. Like other gangs, they implement a double extortion ransomware model: first, they encrypt files, then they threaten to expose exfiltrated data. Until last week, Groove had only one victim listed on their dark net website, a paper products manufacturer headquartered in Germany.

According to cyber intelligence researcher Darktracer, the Babuk, BlackMatter and Groove ransomware gangs all share the same data hosting server on the dark web. Therefore, he suggests that they belong to the same cartel. Groove, however, denies any such association.

The Groove representative and operator of the new hacking forum, Ramp, allegedly is a former Babuk operator. This Russian-speaking startup claimed responsibility for the breach of the Washington DC Metropolitan Police’s network in April this year. Apparently, this incident was the turning point that eventually led to Babuk’s disintegration.

Leaked Fortinet VPN Credentials

On Tuesday night, Groove leaked a list containing 500,000 Fortinet VPN credentials on their dark net website. The Groove representative also offered the same set of usernames and passwords for free on Groove’s new hacking forum, Ramp.

BleepingComputer confirmed that the file contains 498,908 user credentials for over 12,856 devices. In addition, all of the IP addresses they checked do indeed belong to Fortinet VPN servers. Further analysis by threat intelligence firm Advanced Intel reveals that 2,959 devices are located in the US. However, the list names over 70 countries. The largest share of credentials originates from India (11%), Taiwan (8.45%), and Italy (7.96%).

It is unclear why the gang is giving away this information for free. Advanced Intel thinks the release of Babuk’s source code on September 3 triggered Groove’s decision. This incident caused a severe backlash on underground forums. Of course, the freebie will also give the gang some credibility to promote their ransomware-as-a-service operation.

Fortinet Aware of the Incident

Cybersecurity firm Fortinet confirmed that they are aware of the security incident. They said that the threat actors obtained the credentials from systems that remained unpatched against the FG-IR-18-384 / CVE-2018-13379 vulnerability.

Fortinet resolved the CVE-2018-13379 vulnerability in May 2019. They also issued multiple warnings detailing the issue and encouraging their customers to upgrade affected devices. Moreover, in April this year, the FBI and CISA released a joint cybersecurity advisory since APT actors were still actively exploiting the same vulnerability.

If users patched their systems but failed to reset passwords or failed to add an extra layer of security, the systems would have remained vulnerable. Moreover, if the credentials are also shared with other internal services, malicious actors could try to compromise these as well.

Fortinet recommends taking the following steps to ensure credentials cannot be abused.

  1. Disable all VPNs before implementing the following remediation steps.
  2. Immediately upgrade affected devices to the latest available release.
  3. Perform an organization-wide password reset.
  4. Implement multi-factor authentication.
  5. Notify users to explain the reason for the password reset as there is the potential that passwords have been reused for other accounts.
IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using's dedicated VPN testing protocol that has been finetuned and optimized over the years.