- Security pros spot a new LockBit variant in the wild
- A potential affiliate abused two Fortinet flaws to deploy the encryptor
- There are multiple overlaps with LockBit 3.0
LockBit affiliates are using vulnerable Fortinet endpoints to target businesses with an updated ransomware strain, experts have warned.
Cybersecurity researchers at Forescout found the threat actor is using two vulnerabilities in Fortinet firewalls, tracked as CVE-2024-55591, and CVE-2025-24472, to deploy an updated ransomware strain named SuperBlack.
Both vulnerabilities had been used in the past before, and both were patched in January 2025 – so the best way to defend against the attacks is to make sure your Fortinet firewalls are up to date.
At least three victims
Forescout named the group running the attacks “Mora_001”. Since there are some overlaps in its tactics, techniques, and procedures (TTP) with LockBit, the researchers believe the group could be a LockBit affiliate.
Apparently, SuperBlack is based on the builder that was used in LockBit 3.0 attacks, and which leaked in the past. Furthermore, the ransom note in both LockBit and Mora_001 attacks uses the same messaging address.
Speaking to TechCrunch, senior manager of threat hunting at Forescout, Sai Molige, said there were at least three confirmed cases, but added that “there could be others”.
LockBit was one of the most disruptive and influential ransomware groups around, however, in late February 2024, it was struck by the FBI, and it never fully recovered. The law enforcement seized its website, the data it held, and obtained “thousands” of decryption keys.
It also obtained information about its affiliates which, at the time, counted around 200 groups, and later urged the affiliates to come forward. In February this year, the bulletproof hosting service provider, allegedly used by LockBit, was sanctioned by the US and the UK.
LockBit took roughly a week to get back on its feet and resume operations, but it is possible that many of its affiliates pivoted to other groups, such as RansomHub or Medusa.
Leave a comment