- Security pros spot a new LockBit variant in the wild
- A potential affiliate has abused two Fortinet flaws to deploy the encryptor
- There are several overlaps with LockBit 3.0
LockBit affiliates are using vulnerable Fortinet endpoints to target companies with an updated ransomware strain, experts have warned.
Forescout's cybersecurity researchers discovered that the threat actor is using two vulnerabilities in Fortinet firewalls, tracked as CVE-2024-55591 and CVE-2025-24472, to deploy an updated ransomware strain named SuperBlack.
Both vulnerabilities have been exploited before, and both were patched in January 2025, so the best way to defend yourself against these attacks is to ensure that your Fortinet firewalls are up to date.
At least three victims
Forescout named the group carrying out the attacks "Mora_001". Since there are a few overlaps between its tactics, techniques and procedures (TTPs) and LockBit's, the researchers think the group could be a LockBit affiliate.
SuperBlack is apparently based on the builder that was used in LockBit 3.0 attacks and leaked in the past. In addition, the ransom notes in LockBit and Mora_001 attacks use the same messaging address.
Speaking to TechCrunch, the main director of threat hunting at Forescout, Sai Molige, said that there were at least three confirmed cases, but added that "there could be others".
LockBit was one of the most disruptive and influential ransomware groups in the world. However, at the end of February 2024 it was hit by the FBI, and it never completely recovered. The police seized its website and the data it held, and obtained "thousands" of decryption keys.
They also obtained information on its affiliates, which at the time numbered around 200 groups, and then urged the affiliates to come forward. In February of this year, the bulletproof hosting service provider used by LockBit was sanctioned by the United States and the United Kingdom.
LockBit took approximately a week to get back on its feet and resume operations, but it is possible that many of its affiliates pivoted to other groups, such as RansomHub or Medusa.




