FBI warns Gmail, Outlook users about phishing campaigns, ransomware attacks https://t.co/y2qEyHsP3q
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency are warning against a dangerous ransomware scheme. https://t.co/xMAKZ4U7Jv
Government officials warned that this ransomware-as-a-service software, which has launched ransomware attacks since 2021, has recently affected hundreds of people. https://t.co/jszC4NUzKO
The SuperBlack ransomware group has been exploiting vulnerabilities in Fortinet firewalls, specifically CVE-2024-55591 and CVE-2025-24472, to launch attacks. These vulnerabilities allow unauthenticated attackers to gain super-admin access on vulnerable FortiOS devices with exposed management interfaces. The attacks are attributed to a threat actor named Mora_001, which is linked to the LockBit ecosystem but operates independently. Mora_001 uses a modified version of the LockBit builder to create the SuperBlack ransomware, which includes a wiper component called WipeBlack to erase traces post-encryption. The group employs tactics such as creating local VPN user accounts and targeting high-value assets like servers and domain controllers.

Separately, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings about ransomware schemes, including phishing campaigns and double extortion models used by groups like Medusa. Medusa has targeted over 300 victims this year across industries such as medical, education, and technology. Victims can pay $10,000 in cryptocurrency to delay data release deadlines.