Hackers Exploit Fortinet Firewall Bugs to Deploy Ransomware

 

Cybersecurity researchers have uncovered a new attack campaign in which hackers are exploiting vulnerabilities in Fortinet firewalls to breach corporate networks and deploy ransomware. The hacking group, tracked as “Mora_001,” is leveraging two specific flaws in Fortinet’s firewall software to infiltrate systems and launch a custom ransomware strain called “SuperBlack.” 

These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been actively exploited since December 2024, despite Fortinet releasing patches in January 2025. Many organizations have yet to apply these critical updates, leaving their networks vulnerable. Once inside a network, the attackers conduct reconnaissance to identify valuable data before deploying ransomware. Instead of immediately encrypting files, they first exfiltrate sensitive information, a tactic that has become increasingly common among ransomware groups seeking to pressure victims into paying a ransom to prevent data leaks. 

Security researchers at Forescout observed that the Mora_001 group selectively encrypted file servers only after stealing critical data, making their attacks more damaging and difficult to recover from. There is strong evidence linking Mora_001 to the notorious LockBit ransomware gang. The SuperBlack ransomware strain appears to be based on a leaked builder from LockBit 3.0 attacks, and the ransom notes left by Mora_001 include the same contact details previously used by LockBit affiliates. This suggests that Mora_001 may be a current LockBit affiliate with distinct operational methods or a separate group that shares infrastructure and communication channels. 

Cybersecurity experts believe that Mora_001 is primarily targeting organizations that have not yet applied Fortinet’s security patches. Companies that failed to update their firewalls or properly harden their network configurations when the vulnerabilities were first disclosed are at the highest risk. The ransom notes used in these attacks also bear similarities to those used by other cybercriminal groups, such as the now-defunct ALPHV/BlackCat ransomware gang, further indicating connections within the ransomware ecosystem. 

Despite Fortinet releasing fixes for the affected vulnerabilities, unpatched systems remain an easy target for attackers. Security professionals are urging organizations to update their firewalls immediately and implement additional security measures to prevent unauthorized access. Best practices include applying all available patches, segmenting networks to restrict access to critical systems, monitoring for suspicious activity using endpoint detection and response tools, and maintaining secure offline backups. Organizations that fail to take these precautions risk falling victim to sophisticated ransomware attacks that can result in severe financial and operational damage.