Cybercriminals linked to the infamous LockBit ransomware gang are actively exploiting vulnerabilities in Fortinet firewall systems to infiltrate corporate networks and deploy a custom ransomware strain. Security researchers at Forescout Research have identified a threat group, dubbed Mora_001, leveraging these flaws to launch attacks on multiple organizations.
Critical Fortinet Vulnerabilities Under Attack
The attack campaign primarily targets two vulnerabilities: CVE-2024-55591 and CVE-2025-24472. Exploitation of CVE-2024-55591 has been ongoing since December 2024, while Mora_001 has recently begun taking advantage of CVE-2025-24472 as well. Fortinet issued patches for both security flaws in January 2025, but unpatched systems remain vulnerable to attacks.
According to Sai Molige, senior threat hunter at Forescout, the firm has investigated at least three incidents across different organizations, though the actual number of affected companies could be much higher.
Custom Ransomware Strain “SuperBlack” Targets Sensitive Data
Mora_001’s attack strategy involves breaching network defenses and deploying a custom ransomware strain called “SuperBlack.” Security researchers observed that, in at least one confirmed breach, attackers selectively encrypted file servers that contained sensitive business data.
“The encryption process was only initiated after data exfiltration, reflecting the growing trend among ransomware operators who prioritize data theft before causing system disruptions,” Molige explained.
Links to LockBit Ransomware Operations
Forescout’s analysis suggests that Mora_001 has strong operational ties to the LockBit ransomware group, which was significantly disrupted by U.S. authorities in 2024. Evidence of these connections includes:
- The SuperBlack ransomware shares code with the leaked LockBit 3.0 malware builder.
- The ransom note used by Mora_001 contains messaging details identical to those in LockBit communications.
Molige suggests that this connection could indicate that Mora_001 is either a LockBit affiliate with a distinct attack strategy or an associated group using shared infrastructure.
Remaining Organizations at Risk
Cybersecurity experts warn that companies yet to apply the Fortinet patches remain prime targets. Stefan Hostetler, head of threat intelligence at Arctic Wolf, emphasized that attackers are going after organizations that failed to update their systems or to properly secure their firewall configurations.
Furthermore, Hostetler noted similarities between Mora_001’s ransom note and those used by other prominent ransomware gangs, including the now-defunct ALPHV/BlackCat group. This suggests that cybercriminals are recycling tactics and tools from past attacks to maximize their reach.
Mitigation Strategies for Businesses
To defend against these evolving threats, cybersecurity experts recommend the following steps:
- Immediately apply Fortinet’s security patches to prevent exploitation.
- Conduct a full firewall security audit to identify potential misconfigurations.
- Enhance network monitoring to detect early signs of intrusion.
- Implement endpoint detection and response (EDR) solutions to mitigate ransomware execution.
With hackers actively exploiting unpatched Fortinet firewall vulnerabilities, businesses must act swiftly to strengthen their cybersecurity defenses. The emergence of SuperBlack ransomware underscores the importance of proactive security measures, regular patching, and comprehensive threat intelligence monitoring.