
Ransomware group Mora_001 targets Fortinet applications
The new gang appears to have links to the defunct LockBit group.
Mora_001 is a new ransomware group that has started exploiting known vulnerabilities in Fortinet security applications.
One of the exploited vulnerabilities set a record when the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to patch it within a week of it appearing in CISA’s Known Exploited Vulnerabilities catalog, likely because at the time of disclosure researchers were already aware of a large, ongoing exploitation campaign against the vendor’s firewalls.
Mora_001 uses SuperBlack encryption, which is a ransomware variant built from the leaked LockBit 3.0 builder with a custom encryption tool. A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it was leaked by what was assumed to be a disgruntled developer.
The ransom notes of this new operator use the same ID for the qTox chat app, which suggests strong ties between the dissolved LockBit group and the new Mora_001 group. qTox is a chat, voice, video, and file transfer instant messaging client that uses the encrypted peer-to-peer Tox protocol.
Tox IDs are strings of 76 hexadecimal characters, generated when a user creates a Tox profile, and are used for adding contacts. Reuse of the same Tox ID indicates that either some members of the ransomware group, or an affiliate of it, were part of the LockBit operation before it went down.
For the time being, the new group follows a rather strict attack scenario.
The attack starts against exposed FortiGate firewalls vulnerable to CVE-2024-55591 and CVE-2025-24472. Both are authentication bypasses that can be used to gain super-admin privileges on the vulnerable devices.
Because the intruders occasionally used the username "watchTowr", it became clear which proof-of-concept (PoC) they had deployed. It took them only about four days to turn it into a working attack tool.
With super-admin powers in hand, the attacker creates new administrator accounts. Known names used are forticloud-tech, fortigate-firewall, and administrator. As a backup, they create or modify automation tasks that recreate those administrator accounts if they are removed.
After creating local administrator accounts, the threat actors download the firewall configuration file, which contains critical information such as policies, routes, keys and VPN configurations.
Using stolen and newly created VPN accounts, the attackers map out the affected network and initiate the first lateral movement attempts using WMI and SSH. The newly created VPN user accounts have names that resemble legitimate accounts but with a digit added at the end.
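The three persistence traces described above (rogue administrator accounts, automation tasks that recreate them, and VPN users named after legitimate accounts with a trailing digit) can all be checked for in an exported firewall configuration. The following is an added example written for this article, not code from the article's author or from Fortinet. It assumes the FortiOS CLI block names "config system admin", "config user local" and "config system automation-action" and the "set script" field as I understand them; the sample configuration, every account name in it except the three reported by the article, and the baseline sets passed to the function are constructed for the example. The look-alike check generalizes the article's "an added digit" to one or more trailing digits.

```python
import re

# Constructed sample of a FortiGate-style configuration export. The block names
# follow FortiOS CLI syntax as I understand it; every account name (other than the
# ones the article reports) and the script body are invented for this example.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
    next
end
config user local
    edit "jsmith"
        set type password
    next
    edit "jsmith1"
        set type password
    next
    edit "mlee"
        set type password
    next
end
config system automation-action
    edit "restore-admin"
        set action-type cli-script
        set script "config system admin ; edit fortigate-firewall ; set accprofile super_admin ; next ; end"
    next
end
"""

# Administrator account names the article reports the intruders creating.
REPORTED_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall", "administrator"}

# A top-level block runs from "config <name>" to the first line that is just "end".
SECTION_RE = re.compile(r'^config (?P<name>[^\n]+)\n(?P<body>.*?)^end *$', re.M | re.S)
# An entry inside a block runs from 'edit "<name>"' to the next line that is just "next".
ENTRY_RE = re.compile(r'^\s*edit "?(?P<name>[^"\n]+)"?[ \t]*\n(?P<body>.*?)^\s*next *$', re.M | re.S)
# A user name that is some other name with one or more digits appended.
LOOKALIKE_RE = re.compile(r'^(?P<base>.+?)\d+$')


def parse_sections(config_text):
    """Map each top-level block name to its body text."""
    return {m.group("name").strip(): m.group("body") for m in SECTION_RE.finditer(config_text)}


def parse_entries(section_body):
    """Map each 'edit' entry name inside a block to its body text."""
    return {m.group("name").strip(): m.group("body") for m in ENTRY_RE.finditer(section_body)}


def audit_config(config_text, baseline_admins, baseline_vpn_users):
    """Return (finding_kind, object_name) pairs for the three persistence patterns
    the article describes. The baselines are the administrator and VPN user names
    the defender knows to be legitimate."""
    sections = parse_sections(config_text)
    findings = []

    # 1. Administrator accounts: names the article reports, then anything not in the baseline.
    for name in parse_entries(sections.get("system admin", "")):
        if name in REPORTED_ADMIN_NAMES:
            findings.append(("admin-matches-reported-name", name))
        elif name not in baseline_admins:
            findings.append(("admin-not-in-baseline", name))

    # 2. Automation actions whose CLI script edits the administrator table.
    for name, body in parse_entries(sections.get("system automation-action", "")).items():
        if "config system admin" in body:
            findings.append(("automation-recreates-admin", name))

    # 3. Local (VPN) users that are a legitimate name plus trailing digits.
    for name in parse_entries(sections.get("user local", "")):
        m = LOOKALIKE_RE.match(name)
        if m and name not in baseline_vpn_users and m.group("base") in baseline_vpn_users:
            findings.append(("vpn-user-lookalike", name))

    return findings


if __name__ == "__main__":
    for kind, name in audit_config(SAMPLE_CONFIG, {"admin"}, {"jsmith", "mlee"}):
        print(f"{kind}: {name}")
```

Run against the sample, the audit reports the forticloud-tech administrator, the automation action whose script recreates an administrator, and the jsmith1 look-alike of the legitimate jsmith VPN user. The baseline comparison matters more than the fixed name list: the reported names are cheap for an attacker to change, while an administrator or automation action that nobody on the team created is suspicious whatever it is called.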
At that point the data theft begins, so the group can apply the tried and tested double extortion method: steal the data, then encrypt the machines. In documented cases the attacker selectively encrypted file servers containing sensitive data.
For now, Mora_001 is very focused on one method of attack, but its future will depend on whether it can find other attack methods when this one dries up.
Mitigation
Patches for the two Fortinet vulnerabilities in use have been available since February 11, 2025. ThreatDown Patch Management can help you fix known software vulnerabilities before criminals exploit them.