A new ransomware group, known as SuperBlack, is taking advantage of two vulnerabilities in Fortinet firewall devices. Forescout Research’s Vedere Labs published findings this week suggesting that SuperBlack may have ties to current or former members of the infamous LockBit operation.
Forescout links SuperBlack to a threat actor named Mora_001. As researcher Sai Molige explained, Mora_001 has a recognizable operational style that fuses opportunistic strikes with connections to the LockBit ecosystem. Mora_001’s connection to LockBit highlights the increasingly complex world of ransomware, where specialized teams work together to combine their skills.
So far, Mora_001/SuperBlack has targeted two specific vulnerabilities, CVE-2025-24472 and CVE-2024-55591, which allow unauthorized individuals to gain elevated admin access to Fortinet devices. A proof-of-concept exploit for these flaws was released on January 27, 2025, and attackers took just 96 hours to put it to use. Once inside a target network, the gang quickly moved laterally, hitting key targets like authentication servers and databases. After gathering data, they initiated encryption in typical ransomware fashion.
Forescout’s analysts noticed several post-exploitation behaviors that tie Mora_001/SuperBlack to LockBit. These include using the same usernames across victim networks, sharing IP addresses for command and control, and deploying ransomware rapidly, often 48 hours after initial access. The group even utilized a leaked LockBit builder, stripped of LockBit branding, to create their own ransom notes.
The key piece of evidence lies in their ransom note, which included a TOX ID associated with LockBit. This strongly suggests that Mora_001 is either an affiliate of LockBit or part of a group that collaborates with them. Forescout’s team noted that the operational patterns set Mora_001 apart from other ransomware groups, indicating a well-defined approach rather than a mishmash of different tactics.
By analyzing the timeline of intrusions and identifying overlapping indicators, Forescout can confidently attribute future attacks to this gang, regardless of the precise nature of their ties to LockBit. After the National Crime Agency’s Operation Cronos disrupted LockBit in February 2024, the ransomware scene fragmented, leading many former LockBit members to either establish new operations or join existing ones. While this is still speculation, the emergence of Mora_001/SuperBlack adds weight to the idea that LockBit’s influence continues to linger. For more details on Mora_001/SuperBlack, including tactics and indicators, check out Forescout’s research.