Giving the Raspberries is not very nice, but that’s what the Mora_001 group does. A new ransomware operation with ties to the LockBit ransomware group exploits two vulnerabilities impacting Fortinet products. Last week, multiple researchers spotlighted the exploitation of CVE-2024-55591 and CVE-2025-24472 by a new ransomware group called Mora_001. [1]
The Cybersecurity and Infrastructure Security Agency (CISA) gave all federal civilian agencies one week to patch CVE-2024-55591 in January, one of the shortest deadlines it has ever issued, and Fortinet said in an advisory that the bug was being exploited in the wild and later added CVE-2025-24472 to the same advisory. [2]
Cybersecurity firm Forescout Research published a report Wednesday stating that between late January and March, its researchers identified a series of intrusions that began with the exploitation of bugs that impacted FortiGate firewall appliances and culminated in the deployment of a newly discovered ransomware strain they dubbed SuperBlack. The strain is being deployed by Mora_001, which Forescout said “blends elements of opportunistic attacks with ties to the LockBit ecosystem.”
LockBit was one of the most devastating ransomware gangs before an international law enforcement operation shuttered many of the tools and systems the operators used. Forescout Research said Mora_001 “leveraged the leaked LockBit builder, modifying the ransom note structure by removing LockBit branding and employing their own exfiltration tool.”
The ransom note has clues that led incident responders to believe Mora_001 is likely a current LockBit affiliate with unique methods or an associate of the group that is simply sharing communication channels with LockBit. “The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black). The primary differences lie in the ransom note after encryption and a custom data exfiltration executable. Due to these modifications, we have designated this variant ‘SuperBlack’.”
Stefan Hostetler, Arctic Wolf's lead threat intelligence researcher, said the group has been exploiting the Fortinet bugs since late January and confirmed that attacks began on 2 February.
Hostetler said that Fortinet’s patch should cover both vulnerabilities. Still, he explained that the latest reports suggest threat actors are going after the remaining organizations that could not apply the patch or harden their firewall configurations when the vulnerability was initially disclosed. “The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity while adapting their initial access techniques,” he said. Fortinet did not respond to a request for comment.
According to Hostetler, numerous groups began creating their own ransomware when the LockBit 3.0 builder leaked in 2022. However, the actor identified by Forescout has blended its activity with other tactics and ransom notes used by groups like BlackCat/ALPHV.
Arctic Wolf began observing the targeting of management interfaces on Fortinet FortiGate firewall devices on the public internet in early December. They continued to see targeting before Fortinet published the advisory identifying the zero-day.
Related Article: https://redskyalliance.org/xindustry/lockbit-ransomware-group-takedown
The emergence of Mora_001 has raised concerns among cybersecurity experts due to its sophisticated approach and its tactical evolution. This group's ability to adapt and integrate elements from established ransomware entities like LockBit and BlackCat demonstrates high technical proficiency and strategic planning. Its exploitation of Fortinet vulnerabilities underscores the persistent threat posed by zero-day exploits and the crucial need for timely patching and robust security measures.
As the cybersecurity community continues to monitor and analyze Mora_001's activities, organizations must be proactive in their defense strategies. This includes regular updates to security protocols, comprehensive threat intelligence sharing, and collaboration with cybersecurity firms to identify and mitigate potential risks. Integrating advanced detection tools and response frameworks will be essential in countering the sophisticated tactics employed by this and similar ransomware groups.
The ongoing efforts of researchers and agencies like Arctic Wolf and Forescout Research will play a pivotal role in uncovering the full extent of Mora_001's operations and developing effective countermeasures. By understanding the group's modus operandi and leveraging shared intelligence, the cybersecurity community can work towards neutralizing the threat and safeguarding critical infrastructure against future attacks.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] Frequently occurring in the colloquial phrase to blow (or to give) a (or the) raspberry, the noun raspberry is used figuratively to denote a sound made by blowing with the tongue between the lips as an expression of mockery or contempt.
[2] https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lockbit/
© 2025 Red Sky Alliance Corporation. All rights reserved.