- Security professionals spot a new LockBit variant in the wild
- A possible affiliate abused two Fortinet flaws to deploy the encryptor
- There are multiple overlaps with LockBit 3.0
LockBit affiliates are using vulnerable Fortinet endpoints to attack companies with an updated ransomware strain, experts have warned.
Cybersecurity researchers at Forescout discovered that the threat actor is exploiting two vulnerabilities in Fortinet firewalls, tracked as CVE-2024-55591 and CVE-2025-24472, to deploy an updated ransomware strain called SuperBlack.
Both vulnerabilities have been exploited in the past, and both were patched in January 2025, so the best way to defend against the attacks is to ensure that Fortinet firewalls are updated.
At least three victims
Forescout named the group running the attacks “Mora_001”. Since there are some overlaps in its tactics, techniques and procedures (TTPs) with LockBit, researchers believe the group could be a LockBit affiliate.
Apparently, SuperBlack is based on the builder that was used in LockBit 3.0 attacks and was leaked in the past. In addition, the ransom note in both the LockBit and Mora_001 attacks uses the same messaging address.
Speaking with TechCrunch, senior threat hunting manager at Forescout, Sai Molige, said there were at least three confirmed cases, but added that “there could be others.”
LockBit was one of the most harmful and influential ransomware groups. However, at the end of February 2024, it was taken down by the FBI and never completely recovered. The police seized its website and the data it held, and obtained “thousands” of decryption keys.
Law enforcement also obtained information about its affiliates, which at that time numbered about 200 groups, and then urged the affiliates to come forward. In February of this year, the bulletproof hosting services provider supposedly used by LockBit was sanctioned by the United States and the United Kingdom.
LockBit took approximately one week to get back on its feet and resume operations, but it is possible that many of its affiliates turned to other groups, such as RansomHub or Medusa.