SuperBlack Ransomware Targets Fortinet

Summary

The SuperBlack ransomware, linked to the LockBit group, exploits Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain unauthorized access. Attackers then deploy the ransomware, encrypting data and demanding payment. Forescout researchers have detailed the attack chain and recommend immediate patching of these vulnerabilities.


Main Story

Alright, let’s talk about this SuperBlack ransomware. It’s definitely been causing some headaches lately.

This new strain, linked to a threat actor we’re calling Mora_001, is hitting Fortinet firewalls hard. They’re exploiting CVE-2024-55591 and CVE-2025-24472—two pretty nasty vulnerabilities that basically hand over the keys to the kingdom, giving attackers ‘super_admin’ privileges. Can you imagine the damage someone could do with that kind of access?

SuperBlack: More Than Just a Copycat

So, SuperBlack is a variant of LockBit 3.0, also known as LockBit Black. The original LockBit source code got leaked back in 2022. However, it’s not just a straight-up copy. While it shares a lot of the same DNA, SuperBlack has stripped away all the LockBit branding, which makes attribution a bit trickier, doesn’t it? What’s more, it’s packing a custom data exfiltration tool that we haven’t seen in other LockBit variants. This is the scary part: they’re stealing your data before they encrypt it. Double extortion, as they say, is a really effective way of adding pressure. Imagine waking up one morning to find your company’s sensitive data splashed across the internet. That’s a PR nightmare, to say the least.

I remember one incident at a previous company I worked for, where we had a similar ransomware attack. It wasn’t SuperBlack, thank goodness, but the feeling of helplessness when you realize your data is being held hostage… it’s not something you forget easily.

How They Get In: The Attack Chain

It all starts with exploiting those Fortinet vulnerabilities I mentioned earlier, either CVE-2024-55591 or CVE-2025-24472. These vulnerabilities are present in various versions of FortiOS and FortiProxy. Once they’re in, the attackers aren’t content with a quick smash-and-grab. They establish persistence, meaning they want to make sure they can get back in later. They create new privileged accounts, often with names that sound legitimate, things like ‘forticloud-tech’, ‘fortigate-firewall’, even just ‘administrator’. There’s even evidence that at least one group created an account named ‘watchTowr’, probably a reference to the proof-of-concept exploit they used, and then deleted it. Cheeky, right?

Spreading the Infection: Lateral Movement

After they’ve got their foothold, they start scouting the network. They need to know where the good stuff is. Then they create even more accounts and use compromised VPN credentials to move laterally. They use the Windows Management Instrumentation command-line tool (WMIC) and SSH to bounce around to other systems. For firewalls with VPN capabilities, they create local user accounts that mirror legitimate ones, only with a number added at the end. This is a basic evasion tactic. For firewalls without VPN capabilities, they use high availability (HA) configuration propagation. They might even abuse authentication infrastructure like RADIUS to compromise other firewalls. Their targets? File servers, authentication servers, domain controllers, database servers… anything critical.

Once they’ve identified the core systems and positioned themselves strategically, they deploy that custom data exfiltration tool and then, boom, the SuperBlack ransomware gets unleashed. Data is encrypted and a ransom note is left. And just to be extra nasty, they often use a wiper tool called ‘WipeBlack’ to erase the ransomware executable, making forensics more difficult. Sneaky, huh?

LockBit’s Shadow: The Connections

Even though SuperBlack operates independently, there are definitely breadcrumbs pointing back to LockBit. The structural similarities in the ransomware code, the use of the same TOX ID in ransom notes, and the overlapping tactics all hint at some kind of relationship. It’s a reminder of how fluid the ransomware landscape is. Groups collaborate, share resources, splinter off… it’s a complex web, and staying on top of it is a constant battle.

Defense is Key: Protecting Your Organization

So, what can you do? If you’re using Fortinet devices, patching those CVE-2024-55591 and CVE-2025-24472 vulnerabilities is priority number one. Update to the latest versions of FortiOS and FortiProxy today. Limit access to management interfaces. Implement network segmentation. Keep an eye out for suspicious network activity. Review your system logs regularly for unauthorized changes. These are basics, but they are so important.
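Reviewing firewall logs for unauthorized account changes is the concrete version of the advice above, and it ties directly back to the attack-chain and lateral-movement sections: new privileged accounts with legitimate-sounding names, the short-lived ‘watchTowr’ account, and local VPN users that mirror a real account with a trailing digit. The script below is an added example written for this article; it is not Forescout’s tooling or anything from Fortinet. The log lines are constructed, and their key="value" field names (`cfgpath`, `cfgobj`, `cfgattr`, `action`) are an assumption loosely modelled on FortiOS configuration-change events, so adjust the parser to what your own devices actually emit. The approved-account inventories are likewise placeholders.

```python
import re
from typing import Dict, List

# Constructed sample lines. Field names are an assumption for this example,
# loosely modelled on FortiOS configuration-change event logs.
SAMPLE_LOGS = [
    'date=2025-03-14 time=02:11:05 type="event" subtype="system" user="admin" ui="GUI(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" cfgattr="accprofile[super_admin]" msg="Add system.admin forticloud-tech"',
    'date=2025-03-14 time=02:12:40 type="event" subtype="system" user="admin" ui="GUI(10.0.0.5)" action="Add" cfgpath="user.local" cfgobj="jsmith1" cfgattr="type[password]" msg="Add user.local jsmith1"',
    'date=2025-03-14 time=02:15:22 type="event" subtype="system" user="admin" ui="GUI(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="watchTowr" cfgattr="accprofile[super_admin]" msg="Add system.admin watchTowr"',
    'date=2025-03-14 time=02:16:01 type="event" subtype="system" user="admin" ui="GUI(10.0.0.5)" action="Delete" cfgpath="system.admin" cfgobj="watchTowr" msg="Delete system.admin watchTowr"',
    'date=2025-03-14 time=09:30:00 type="event" subtype="system" user="admin" ui="ssh(10.0.0.9)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[ticket 4431]" msg="Edit firewall.policy 12"',
    'date=2025-03-14 time=09:31:00 type="event" subtype="system" user="admin" ui="GUI(10.0.0.9)" action="Edit" cfgpath="system.admin" cfgobj="netops" cfgattr="password[*]" msg="Edit system.admin netops"',
]

# Placeholder inventories: in practice, pull these from your CMDB or IdP.
KNOWN_ADMINS = {"admin", "netops"}
KNOWN_VPN_USERS = {"jsmith", "contractor-vpn"}
# Account names reported in the article as used by the SuperBlack intrusions.
REPORTED_NAMES = {"forticloud-tech", "fortigate-firewall", "administrator", "watchtowr"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value / key="quoted value" log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def mirrors_known_account(name: str, known: set) -> bool:
    """True for names like 'jsmith1' when 'jsmith' is an approved account."""
    base = name.rstrip("0123456789")
    return base != name and base in known


def review(lines: List[str], known_admins=KNOWN_ADMINS, known_vpn_users=KNOWN_VPN_USERS) -> List[Dict]:
    """Flag suspicious admin / local-user changes in a batch of log lines."""
    findings = []
    added_in_window = set()  # accounts created earlier in this same review window
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or f.get("cfgpath") not in ("system.admin", "user.local"):
            continue  # only account objects matter for this check
        name = f.get("cfgobj", "")
        action = f.get("action", "")
        known = known_admins if f["cfgpath"] == "system.admin" else known_vpn_users
        reasons = []
        if action == "Add" and name not in known:
            reasons.append("new account not in approved inventory")
        if name.lower() in REPORTED_NAMES:
            reasons.append("name matches account names reported in SuperBlack intrusions")
        if "super_admin" in f.get("cfgattr", ""):
            reasons.append("super_admin profile assigned")
        if mirrors_known_account(name, known):
            reasons.append(f"mirrors existing account '{name.rstrip('0123456789')}' with trailing digits")
        if action == "Delete" and name in added_in_window:
            reasons.append("account created and deleted within the reviewed window")
        if action == "Add":
            added_in_window.add(name)
        if reasons:
            findings.append({
                "time": f"{f.get('date')} {f.get('time')}",
                "cfgpath": f["cfgpath"],
                "account": name,
                "action": action,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(finding["time"], finding["action"], finding["cfgpath"], finding["account"])
        for r in finding["reasons"]:
            print("   -", r)
```

Run against the constructed lines, the benign policy edit and the password change on an inventoried admin produce nothing, while the two super_admin creations, the mirrored VPN user, and the create-then-delete of ‘watchTowr’ are each reported with the reason that fired. The "created and deleted" check only works when the add and the delete land in the same batch, so run it over a window (say, the last 24 hours of events) rather than line by line.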

Oh, and of course, make sure you have up-to-date backups and a well-rehearsed incident response plan. If you don’t have one, now’s the time to create one. Trust me, you don’t want to be scrambling when the inevitable happens. Also, I can’t stress this enough – and this is going to sound like common sense – keep your staff informed, and make sure they know how to spot suspicious emails and risky internet habits. Your staff can be your best line of defense if they are aware and vigilant.

Look, the threat landscape is always changing. New vulnerabilities are discovered all the time, and new ransomware strains pop up every day. Staying informed and proactive is the only way to keep your systems secure. After all, isn’t that what we’re here for?

7 Comments

  1. “Cheeky” is one word for naming an account “watchTowr” after exploiting a vulnerability! I wonder if the attackers left a digital tip jar for finding the flaw? Seriously though, patching those vulnerabilities ASAP is no laughing matter.

    • That “watchTowr” account name was definitely a bold move! The audacity is almost impressive, isn’t it? Speaking of patching, it’s a race against time. What strategies are you all using to prioritize vulnerability patching in your environments?

      Editor: StorageTech.News

      Thank you to our Sponsor Esdebe

  2. Regarding threat actor Mora_001, I bet their parents always said they were “special.” Turns out, they were right… just not in the way mom and dad envisioned. Patching those Fortinet vulnerabilities is now officially on my “to-do” list, right after world domination and before alphabetizing my sock drawer!

    • That’s a great point about Mora_001! It’s interesting to consider the motivations and backgrounds of these actors. Putting patching those Fortinet vulnerabilities high on your list is definitely a smart move. Prioritizing security tasks can prevent a lot of future headaches! What steps are you taking to make that happen?

      Editor: StorageTech.News


  3. “watchTowr,” huh? Clever naming scheme. I wonder if they offer consulting services *after* the initial penetration test, you know, for remediation advice? Gotta appreciate the entrepreneurial spirit, even in cybersecurity’s dark corners.

    • That’s a hilarious thought! Imagine a ransomware group offering “ethical hacking” services post-attack. It’s a dark form of disruptive innovation, I suppose. On a serious note, remediation is crucial. What strategies are you finding most effective for rapid recovery and system hardening after an incident?

      Editor: StorageTech.News


  4. “SuperBlack sounds like something out of a comic book! I picture Mora_001 as a supervillain with a Fortinet firewall lair. On a scale of 1 to needing new pants, how urgent is this patching situation?”
