'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January
Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group.
Multiple researchers last week spotlighted the exploitation of CVE-2024-55591 and CVE-2025-24472 by a new ransomware group called Mora_001.
The Cybersecurity and Infrastructure Security Agency (CISA) gave all federal civilian agencies one week to patch CVE-2024-55591 in January — one of the shortest deadlines it has ever issued — and Fortinet said in an advisory that the bug was being exploited in the wild and later added CVE-2025-24472 to the same advisory.
Cybersecurity firm Forescout Research published a report Wednesday that said between late January and March, its researchers identified a series of intrusions that began with the exploitation of the bugs, which impact FortiGate firewall appliances, and culminated in the deployment of a newly discovered ransomware strain they dubbed SuperBlack.
The strain is being deployed by Mora_001, which Forescout said “blends elements of opportunistic attacks with ties to the LockBit ecosystem.”
LockBit was one of the most devastating ransomware gangs before an international law enforcement operation shuttered many of the tools and systems the operators used. Forescout Research said Mora_001 “leveraged the leaked LockBit builder, modifying the ransom note structure by removing LockBit branding, and employing their own exfiltration tool.”
The ransom note has clues that led incident responders to believe Mora_001 is likely a current LockBit affiliate with unique methods, or an associate of the group that is simply sharing communication channels with LockBit.
“The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black). The primary differences lie in the ransom note left after encryption and a custom data exfiltration executable. Due to these modifications, we have designated this variant ‘SuperBlack’.”
Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Recorded Future News that the group has been exploiting the Fortinet bugs since late January and confirmed that attacks began on February 2.
Fortinet’s patch should cover both vulnerabilities, Hostetler said, but he explained that the latest reports suggest threat actors are going after the remaining organizations that were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed.
“The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity, while adapting their initial access techniques,” he said.
Fortinet did not respond to a request for comment.
According to Hostetler, numerous groups began creating their own ransomware when the LockBit 3.0 builder leaked in 2022, but the actor identified by Forescout has blended its activity with tactics and ransom notes used by other groups like BlackCat/ALPHV.
Arctic Wolf began observing the targeting of management interfaces on Fortinet FortiGate firewall devices exposed to the public internet in early December. The firm continued to see such targeting before Fortinet published the advisory identifying the zero-day.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.