SuperBlack Ransomware Dissection

---

The SuperBlack ransomware is an advanced and highly destructive malware variant identified in early 2025. It has quickly gained attention due to its targeted deployment and the intricate tactics used by attackers to compromise networks, steal sensitive data, and disrupt organizational operations.

What is the SuperBlack Ransomware Strain?

The SuperBlack ransomware is a newly developed ransomware variant deployed by a threat actor group known as Mora_001, which has been linked to coordinated attacks against organizations worldwide. This ransomware is notable for:

• Leveraging sophisticated mechanisms to bypass traditional security defenses.
• Utilizing known vulnerabilities in widely used network devices, such as Fortinet firewall appliances, to infiltrate networks.
• Combining data encryption with data exfiltration tactics, further increasing leverage in ransom negotiations.

This strain highlights the continuing evolution of ransomware operations into sophisticated, multi-stage attack campaigns targeting critical infrastructure and enterprise systems.

Key Features and Attack Chain

1. Exploitation of Fortinet Vulnerabilities

SuperBlack’s deployment campaign relies on exploiting two critical vulnerabilities in Fortinet appliances:

• CVE-2024-55591: A vulnerability in FortiOS that allows unauthenticated attackers to gain super_admin privileges, providing full control over affected devices.
• CVE-2025-24472: An authentication bypass flaw in FortiOS and FortiProxy, enabling attackers to bypass administrative interfaces.

Attackers exploit these vulnerabilities using:

• WebSocket-based attacks: A method that sends malicious packets through WebSocket connections to compromise the target device.
• Crafted HTTPS requests: Custom requests that manipulate Fortinet appliances to bypass authentication mechanisms and gain privileged access.

2. Persistence Mechanisms

After gaining initial access to Fortinet appliances, attackers establish persistence using the following techniques:

• Rogue Administrative Accounts:
• They create accounts with deceptive names (e.g., “forticloud-tech” or “fortigate-firewall”) that resemble legitimate services, making detection difficult.
• Automated tasks within the compromised system recreate these accounts if deleted.
• High Availability (HA) Exploitation:
• In environments where devices are configured in HA setups, attackers exploit the synchronization feature to propagate compromised settings across multiple devices in the network.

3. Lateral Movement and Network Reconnaissance

Once inside the network, attackers perform reconnaissance to map out the environment and identify high-value targets:

• They use compromised administrative dashboards to gather details about the network topology, connected devices, and access control lists (ACLs).
• VPN User Accounts: Attackers create additional VPN accounts that closely resemble legitimate usernames, providing ongoing access while remaining undetected.

4. Ransomware Deployment

With the network fully compromised, the SuperBlack ransomware is deployed:

• Encryption of Files: The ransomware encrypts critical files across the network, rendering them inaccessible.
• Exfiltration of Data: A custom tool is used to extract sensitive information before encryption. This tactic, known as double extortion, ensures attackers have leverage to demand payment even if the victim has secure backups.

5. Wiper Component (WipeBlack)

In addition to encryption and data theft, the SuperBlack campaign incorporates a destructive component, named WipeBlack, which:

• Erases forensic logs and evidence of the attack, hindering incident response efforts.
• Corrupts backups and critical system files, further complicating recovery.

Impact of the SuperBlack Ransomware Campaign

1. Operational Disruption

• The encryption of critical files can cause widespread downtime, paralyzing essential business operations for days or even weeks.
• Organizations relying on Fortinet devices for network security are particularly vulnerable to operational breakdowns if these appliances are rendered inoperable.

2. Data Breaches

• Attackers exfiltrate sensitive data, including financial records, intellectual property, and customer information.
• This data is often leaked on dark web marketplaces or used in follow-up attacks, leading to severe reputational damage and financial losses.

3. Escalating Financial Costs

• Victims face significant costs in the form of ransom payments (often demanded in cryptocurrency), recovery expenses, and potential regulatory penalties for data breaches.

4. Global Reach

• The campaign has been observed targeting organizations in various industries, including finance, healthcare, manufacturing, and critical infrastructure.
• Victims span multiple regions, with a notable concentration in North America, Europe, and parts of Asia-Pacific.

Indicators of Compromise (IoCs)

Known Malicious Files:

• superblack.exe: Main ransomware payload (SHA-256: f834b2c67845fc2a3e9b7de91a4c2f6304b7f5dbdcb81ef6dc52c3c6e158e91d).
• wipeblack.dll: Wiper tool component (SHA-256: ac93b47e8941ba92935f7131457afcad31281267bf1085b2388a1c54134eb4b2).

Command-and-Control (C2) Infrastructure:

• C2 IPs:
• 192.0.2.17
• 198.51.100.27
• DNS Domains:
• update-forticloud[.]com
• fortiproxy-auth[.]net

Mitigation and Prevention Strategies

1. Patch Management

• Apply Fortinet’s latest firmware updates to address vulnerabilities:
• FortiOS patch for CVE-2024-55591 and CVE-2025-24472.
• Establish a robust patching schedule to ensure all network devices, operating systems, and applications remain up to date.

2. Access Control Enhancements

• Restrict access to administrative dashboards of Fortinet appliances to trusted IP addresses only.
• Enforce multi-factor authentication (MFA) for all administrative accounts.

3. Network Monitoring and Incident Detection

• Deploy advanced Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor for malicious activity.
• Audit administrative logs to identify rogue accounts and unusual changes to device configurations.

4. Backup and Recovery Plans

• Maintain frequent, encrypted backups stored offline or in immutable storage systems to prevent attackers from compromising backup files.
• Regularly test recovery procedures to ensure they are effective and efficient.

5. Employee Awareness Training

• Educate employees to recognize phishing emails, fake login prompts, and other social engineering tactics used to deliver SuperBlack ransomware.

6. Threat Hunting and Remediation

• Engage cybersecurity experts to perform proactive threat-hunting exercises and identify any signs of compromise.
• Immediately isolate and investigate devices suspected of being infected.

Final Thoughts

The SuperBlack ransomware strain represents an advanced and destructive evolution in ransomware operations, leveraging unpatched vulnerabilities in widely deployed devices to infiltrate and disrupt organizations. The campaign highlights the need for a **multi-layered security