Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on several company networks.
In a report published last week, security researchers at Forescout Research said a group it’s tracking dubbed “Mora_001” is exploiting the Fortinet firewalls, which sit on the edge of a company’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three events in different companies, but we believe there could be others.”
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was last year disrupted by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
“This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed.”
Hostetler says the ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.
