A newly emerged ransomware group, Mora_001, is actively exploiting two vulnerabilities in Fortinet products, leveraging weaknesses that were previously flagged by the Cybersecurity and Infrastructure Security Agency (CISA). This operation has clear ties to the LockBit ransomware ecosystem, raising concerns about the continued evolution of cyber threats despite law enforcement crackdowns.
Cybersecurity researchers have identified CVE-2024-55591 and CVE-2025-24472 as the key vulnerabilities being targeted by this group. In January, CISA issued an urgent directive giving federal civilian agencies just one week to patch CVE-2024-55591—one of the shortest deadlines ever set—underscoring the severity of the issue. Fortinet initially warned that this flaw was already being actively exploited in the wild, later expanding its advisory to include CVE-2025-24472.
A New Ransomware Strain Emerges
According to Forescout Research, between late January and March, their analysts tracked a wave of intrusions starting with these Fortinet bugs. These attacks specifically targeted FortiGate firewall appliances and culminated in the deployment of a new ransomware strain dubbed SuperBlack.
Mora_001, the group behind these attacks, blends opportunistic cybercrime tactics with a deep connection to LockBit’s infrastructure. Researchers found that the group utilized the leaked LockBit 3.0 (LockBit Black) builder, making key modifications to the ransom note and deploying a custom exfiltration tool. This strategic adjustment allows the group to obscure its ties to LockBit while retaining much of the original ransomware’s devastating efficiency.
LockBit’s Shadow Still Looms Large
Before international law enforcement agencies disrupted its operations, LockBit was one of the most notorious ransomware gangs in the world. Mora_001’s activity suggests that remnants of LockBit’s network are still alive and evolving, with affiliates branching off to develop their own variants.
Security analysts investigating the ransom note found clues suggesting that Mora_001 is either:
- A former LockBit affiliate still using shared infrastructure
- A splinter group that maintains communication with active LockBit members
“The ransomware strain observed in these incidents closely resembles LockBit 3.0,” researchers noted. “However, distinct modifications in the ransom note and exfiltration methods led us to classify this variant as SuperBlack.”
A Persistent Threat Despite Patches
Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, confirmed that Mora_001 has been exploiting these vulnerabilities since late January, with the first observed attack taking place on February 2.
While Fortinet has released patches to remediate both CVE-2024-55591 and CVE-2025-24472, cybercriminals are focusing their efforts on organizations that have not yet applied the updates or have misconfigured firewall protections.
“The threat actor tied to this ransomware campaign appears to be recycling familiar tools from past ransomware activity while innovating their initial access methods,” said Hostetler.
Fortinet has not responded to requests for comment.
LockBit Builder Leak Continues to Fuel Copycat Attacks
When the LockBit 3.0 builder leaked in 2022, it enabled a wave of new ransomware gangs to emerge, each tailoring the malware to their own needs. Mora_001 stands out for integrating techniques from multiple ransomware groups, including BlackCat/ALPHV, while refining their approach to evade detection.
Arctic Wolf noted that they began seeing targeting of Fortinet FortiGate firewall management interfaces on the public internet as early as December—weeks before Fortinet publicly disclosed the vulnerability. This suggests that threat actors had advance knowledge of the zero-day exploit and were already working on ways to compromise networks before Fortinet’s patch was available.
With Mora_001 now actively deploying SuperBlack ransomware, organizations that rely on Fortinet’s security products must move quickly to implement patches and harden their defenses—or risk becoming the next victim of this rapidly evolving cyber threat.


