Threat researchers have found links in the SuperBlack ransomware to LockBit 3.0, and patches have already been made available
Following a wave of attacks that began in January this year, a newly discovered ransomware group is under investigation for its suspected ties to LockBit.
The ransomware group has leveraged two Fortinet firewall vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain access to target networks before deploying a new ransomware variant called SuperBlack.
CVE-2024-55591 had earlier been disclosed on 14 January, after threat actors had already been exploiting it in a large-scale campaign. When a proof-of-concept exploit surfaced online on 27 January, attackers quickly began using it to infiltrate systems. Once inside, attackers could escalate their privileges to super-admin level, create stealthy admin accounts, and blend into legitimate VPN user groups. Where a victim had no VPN in use, the attackers instead attempted to spread to other firewalls using compromised credentials.
The group’s methods for persistence vary. In high-availability (HA) deployments, they have used the HA sync process to replicate their backdoor accounts across connected firewalls. In environments using TACACS+ or RADIUS authentication, they have exploited the Network Policy Server (NPS) to validate their access.
Once attackers have secured their position, they explore FortiGate dashboards to identify high-value systems, primarily accessing file servers, domain controllers, and other critical infrastructure through SSH. They then execute a double extortion scheme — stealing sensitive data before encrypting it to pressure victims into paying a ransom.
Possible LockBit connections
The SuperBlack ransomware payload appears to be based on LockBit 3.0 (aka LockBit Black), which was leaked in 2022. Many cybercriminals have since repurposed and modified the leaked code.
For example, the new ransomware group has customized the ransom note, stripped out the LockBit branding, and developed a unique data exfiltration tool.
Researchers from Forescout have also found signs linking the new ransomware threat actors to LockBit, through similar post-exploitation tactics and a similar ransom note containing a qTox ID previously associated with LockBit. The presence of this ID suggests either a direct affiliation or shared communication channels between the two groups. Further analysis of the ID has led to other malware samples containing data-wiping features linked to past BlackMatter and BrainCipher attacks.
Unpatched firewalls still at risk
According to some sources, as of mid-March 2025, India and the US had the highest numbers of internet-exposed Fortinet firewalls that remain unpatched.
To mitigate risk, organizations are urged to apply security patches, audit admin and VPN accounts for unauthorized users, and disable external firewall management access.
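A defender-side check in the spirit of the last two recommendations, added here as an example and not part of the original article: it parses a constructed FortiGate-style configuration excerpt (the `config system admin` / `allowaccess` layout is assumed from FortiOS's general config syntax, and the account and interface names are made up) and flags admin accounts missing from an approved baseline as well as HTTPS/SSH management enabled on WAN-role interfaces.

```python
# Constructed FortiGate-style configuration excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

def parse_sections(text):
    """Return {section: {entry: {key: value}}} for the nested config/edit/set layout."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            sections[section] = {}
        elif line.startswith("edit ") and section is not None:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line in ("next", "end"):
            entry = None  # a 'set' outside an edit block is ignored
    return sections

def audit(text, approved_admins):
    """Flag admin accounts outside the approved baseline and management services on WAN interfaces."""
    cfg, findings = parse_sections(text), []
    for name, attrs in cfg.get("system admin", {}).items():
        if name not in approved_admins:
            findings.append(f"unapproved admin account: {name} ({attrs.get('accprofile')})")
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = {"http", "https", "ssh", "telnet"} & set(attrs.get("allowaccess", "").split())
        if attrs.get("role") == "wan" and exposed:
            findings.append(f"management access on WAN interface {name}: {' '.join(sorted(exposed))}")
    return findings
```

Running `audit(SAMPLE_CONFIG, {"admin"})` on a real configuration backup would list any account an attacker had added alongside the approved baseline, which is the audit step the article recommends.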