Navigating the SuperBlack Ransomware Threat: Technical and Legal Considerations
The emergence of the SuperBlack ransomware group has added a new layer of complexity to the cybersecurity landscape. This group, potentially linked to the notorious LockBit operation, is exploiting vulnerabilities in Fortinet firewall appliances to gain unauthorized access to networks. As organizations grapple with the technical challenges posed by SuperBlack, they must also consider the legal implications of its ties to LockBit, particularly in light of recent U.S. sanctions.
Technical Overview of SuperBlack
SuperBlack, attributed by Forescout to the threat actor Mora_001, has been targeting vulnerabilities CVE-2025-24472 and CVE-2024-55591 in Fortinet devices. These vulnerabilities allow attackers to obtain super_admin privileges, facilitating lateral movement within victim networks. The group focuses on high-value targets such as authentication servers, database servers, and domain controllers, exfiltrating data before deploying ransomware. This modus operandi mirrors the tactics employed by LockBit, suggesting a shared operational framework.
Forescout Research’s Vedere Labs has identified several post-exploitation behaviors that align Mora_001 with LockBit, including overlapping IP addresses for command and control, rapid ransomware deployment, and the use of a leaked LockBit builder to customize ransomware operations. The presence of a TOX ID in SuperBlack’s ransom notes, previously associated with LockBit, further suggests a connection between the two groups.
[Figure omitted] Source: Forescout Technologies
Legal Implications of LockBit Ties
Over the past year, the U.S. Department of the Treasury has imposed sanctions on several individuals associated with the LockBit group. These sanctions block all property and interests in property of designated individuals within the U.S. or under the control of U.S. persons. This action may have significant implications for organizations that become victims of SuperBlack.
Under OFAC regulations, U.S. persons and entities are prohibited from engaging in transactions involving the property of sanctioned individuals or groups. This includes the payment of ransoms, which could inadvertently involve sanctioned parties if SuperBlack is linked to LockBit. Organizations that fail to comply with these regulations risk legal penalties and further sanctions.
To navigate these challenges, organizations must conduct thorough due diligence and consult legal counsel early in an incident lifecycle and before making any payments related to ransomware incidents.
Balancing Technical and Legal Strategies
As the threat landscape evolves, organizations must adopt a comprehensive approach that addresses both technical and legal aspects of ransomware attacks. This includes implementing robust cybersecurity measures, maintaining incident response plans, and staying informed about regulatory developments.
To effectively mitigate the risks posed by SuperBlack, organizations should take immediate action by patching vulnerable Fortinet systems to address CVE-2025-24472 and CVE-2024-55591. Disabling external management access to firewalls and conducting regular audits of administrator accounts help prevent unauthorized access. Additionally, organizations should establish a comprehensive incident response plan that includes regular backups of critical data and simulations of ransomware scenarios to enhance preparedness.
Moreover, organizations should enhance their threat detection capabilities by enabling comprehensive logging and monitoring for unusual network activity, such as the creation of new admin accounts or data exfiltration attempts. Engaging with cybersecurity attorneys and experts for regular security assessments can also provide valuable insights into emerging threats.
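As an added example (not from this article or from Forescout), the script below applies the logging advice above to FortiGate-style key=value syslog: it flags administrator accounts created outside an approved list and any change that assigns the super_admin profile. The log lines, the approved-admin list and the field names relied on (cfgpath, cfgobj, cfgattr, action, ui) are constructed for illustration and should be checked against the log format of the devices actually in use.

```python
import shlex
from typing import Dict, List, Set

# Constructed sample lines in FortiGate-style key=value syslog format (not real captures).
SAMPLE_LOGS = [
    'date=2025-03-10 time=02:14:07 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.5)" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" '
    'msg="Add system.admin svc_backup"',
    'date=2025-03-10 time=02:14:09 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.5)" action="Edit" '
    'cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[prof_admin->super_admin]" '
    'msg="Edit system.admin helpdesk"',
    'date=2025-03-10 time=09:30:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.7)" action="Add" '
    'cfgpath="firewall.address" cfgobj="srv1" cfgattr="subnet[10.0.0.9/32]" msg="Add address"',
    'date=2025-03-10 time=10:00:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.7)" action="Add" '
    'cfgpath="system.admin" cfgobj="jsmith" cfgattr="accprofile[prof_admin]" msg="Add jsmith"',
]

# Constructed approved-administrator list; in practice this comes from the account audit.
KNOWN_ADMINS: Set[str] = {"admin", "jsmith"}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value syslog line into a dict, honouring double-quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def flag_admin_changes(lines: List[str], known_admins: Set[str]) -> List[Dict]:
    """Return one finding per suspicious change to the administrator table."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("cfgpath") != "system.admin":   # only admin-account changes matter here
            continue
        account = rec.get("cfgobj", "?")
        reasons = []
        if rec.get("action") == "Add" and account not in known_admins:
            reasons.append("new admin account outside the approved list")
        if "super_admin" in rec.get("cfgattr", ""):
            reasons.append("super_admin profile assigned")
        if reasons:
            findings.append({"time": f"{rec.get('date')} {rec.get('time')}", "account": account,
                             "changed_by": rec.get("user"), "via": rec.get("ui"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_admin_changes(SAMPLE_LOGS, KNOWN_ADMINS):
        print(f)
```

On the constructed sample the first two lines produce findings (an unapproved account created with super_admin, and an existing account elevated to super_admin); the approved creation of jsmith and the unrelated firewall-address change are ignored.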