Security Articles

New Ransomware Operator Exploits Fortinet Vulnerability Duo

released on 2025-03-14 @ 07:18:14 PM
A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.