SuperBlack Ransomware Operators Leave Digital Footprints Amidst Fortinet Firewall Exploits

Researchers at Forescout Research – Vedere Labs have been monitoring the activities of threat actors exploiting vulnerabilities in Fortinet firewalls to deploy the SuperBlack ransomware. The experts attribute these attacks to a threat actor named "Mora_001," which used Russian-language artifacts and exhibited a unique operational signature.

Mora_001 is suspected to be linked to the LockBit ecosystem, reflecting the growing complexity of ransomware operations. Using a leaked LockBit builder, Mora_001 produced an encryptor tracked as SuperBlack ransomware, stripping out all LockBit branding in the process. Mora_001 is nonetheless tracked as an independent threat actor with consistent post-exploitation tradecraft: identical usernames across victims, overlapping IP addresses, and ransomware deployment within 48 hours of initial access.

The threat actor exploited two Fortinet vulnerabilities, CVE-2024-55591 and CVE-2025-24472, in FortiOS and FortiProxy. Both allow unauthenticated attackers to obtain super-admin privileges on vulnerable Fortinet appliances. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours Fortinet patched CVE-2024-55591. Mora_001 nevertheless continued to exploit the vulnerability, demonstrating how quickly public PoCs are weaponized.

The attackers used two distinct methods to gain control over the compromised systems: the unmodified public PoC exploit, and lightly modified versions with minor changes such as altered usernames and IP addresses. For persistence, one tactic was to create local VPN user accounts whose names mimicked legitimate accounts with a single digit appended, giving the actor a way to log back in later.
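A defender can hunt for the lookalike VPN accounts described above by parsing the `config user local` section of a FortiOS configuration backup and flagging any user whose name is an existing user's name plus trailing digits. The following is an added example, not code from the report or from Fortinet; the configuration text is constructed to resemble FortiOS syntax and the names in it are invented.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiOS "config user local" block (not from the report).
SAMPLE_CONFIG = """
config user local
    edit "vpnadmin"
        set type password
    next
    edit "vpnadmin1"
        set type password
    next
    edit "jsmith"
        set type ldap
    next
    edit "backup"
        set type password
    next
end
"""

# Matches the 'edit "<name>"' line that opens each user entry.
EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"', re.MULTILINE)


def local_user_names(config_text: str) -> List[str]:
    """Return the user names defined in the 'config user local' section."""
    section = re.search(r"config user local(.*?)^end", config_text, re.S | re.M)
    if not section:
        return []
    return EDIT_RE.findall(section.group(1))


def lookalike_accounts(names: List[str]) -> Dict[str, str]:
    """Map each suspicious name to the legitimate name it shadows.

    A name is suspicious when stripping its trailing digits yields another
    name that also exists in the same user list (e.g. vpnadmin1 -> vpnadmin).
    """
    known = set(names)
    findings: Dict[str, str] = {}
    for name in names:
        m = re.fullmatch(r"(.+?)\d+", name)
        if m and m.group(1) in known:
            findings[name] = m.group(1)
    return findings


if __name__ == "__main__":
    for suspect, base in lookalike_accounts(local_user_names(SAMPLE_CONFIG)).items():
        print(f"review account {suspect!r}: looks like a copy of {base!r}")
```

Run it against a real configuration export rather than the constructed sample; any hit should be cross-checked against the VPN login log for the time the account was created.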

Mora_001 targeted high-value assets such as servers and domain controllers, using WMIC for discovery and SSH for access. Ransomware was deployed only after data had been exfiltrated, a deliberate sequencing that maximizes leverage over the victim. SuperBlack modifies LockBit 3.0's ransom note and exfiltration tool but retains a wiper component, WipeBlack, which erases traces of the ransomware after encryption.

"We have designated this wiper component as 'WipeBlack,' which has been observed in previous ransomware incidents tied to LockBit and BrainCipher," concludes the report. "BrainCipher, in turn, has been linked to SenSayQ, EstateRansomware, and RebornRansomware. Additionally, the wiper's builder is associated with the leaked LockBit builder, reinforcing its connection to LockBit-linked ransomware operations." The wiper file is designed to remove evidence of the ransom executable after encryption.
