SuperBlack Ransomware
Cyber threats are evolving rapidly, with ransomware remaining one of the most devastating forms of attack. A single infection can result in financial losses, operational downtime, and exposure of sensitive information. SuperBlack is a recent and sophisticated ransomware strain suspected to be built from LockBit 3.0. It encrypts victims' files, demands a ransom, and threatens to leak stolen data. Understanding its methods and applying strong cybersecurity measures is crucial to preventing and mitigating such attacks.
The SuperBlack Ransomware: How It Works
SuperBlack is designed to encrypt files and make them inaccessible to victims. Unlike conventional ransomware strains that use a fixed extension, SuperBlack appends a random character string as a new extension to each encrypted file; the original filename and extension are kept in front of it. For example:
- 1.png → 1.png.fB1SZ2i3X
Once the encryption process is complete, SuperBlack makes further modifications:
- The desktop wallpaper is changed to a ransom warning.
- A ransom note is dropped under a filename following the pattern '[random_string].README.txt'.
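The two naming patterns above are usable as a detection heuristic. As an added example (not code from the original page or from any vendor), the following Python script groups files by a final extension that looks like a random alphanumeric token, reports a token when it appears on several files, and corroborates it against a '[random_string].README.txt' note carrying the same string. The sample listing is constructed, and the minimum token length of 8 characters and the `min_hits` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path, PurePath

# Ransom note pattern described in the article: '[random_string].README.txt'.
NOTE_RE = re.compile(r"^([A-Za-z0-9]+)\.README\.txt$")

# Assumption for this example: the appended extension is an alphanumeric token
# of at least 8 characters that mixes letters and digits (as in fB1SZ2i3X).
# Ordinary extensions such as 'png', 'docx' or 'gz' never look like this.
SUFFIX_RE = re.compile(r"^[A-Za-z0-9]{8,}$")


def is_random_suffix(suffix: str) -> bool:
    """True if a file's final extension looks like a random token."""
    if not SUFFIX_RE.match(suffix):
        return False
    return any(c.isdigit() for c in suffix) and any(c.isalpha() for c in suffix)


def scan_listing(paths, min_hits: int = 2) -> dict:
    """Group files by suspicious final extension and pair them with ransom notes.

    A suffix is reported when it appears on at least `min_hits` files, or when a
    ransom note whose random string equals the suffix is present (corroboration).
    """
    notes = {}                      # random string -> path of the ransom note
    candidates = defaultdict(list)  # suspicious suffix -> files carrying it
    for raw in paths:
        name = PurePath(raw).name
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1)] = raw
            continue
        parts = name.split(".")
        if len(parts) < 2:          # no extension at all, nothing was appended
            continue
        suffix = parts[-1]
        if is_random_suffix(suffix):
            candidates[suffix].append(raw)

    suspect = {}
    for suffix, files in candidates.items():
        if suffix in notes or len(files) >= min_hits:
            suspect[suffix] = {"files": sorted(files), "ransom_note": notes.get(suffix)}
    return {"ransom_notes": notes, "suspect_suffixes": suspect}


def scan_directory(root: str, min_hits: int = 2) -> dict:
    """Walk a real directory tree and apply the same heuristic to it."""
    files = (str(p) for p in Path(root).rglob("*") if p.is_file())
    return scan_listing(files, min_hits)


# Constructed sample listing for the example (not a real capture).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/1.png.fB1SZ2i3X",
    "C:/Users/alice/Documents/budget.xlsx.fB1SZ2i3X",
    "C:/Users/alice/Documents/report.docx.fB1SZ2i3X",
    "C:/Users/alice/Documents/fB1SZ2i3X.README.txt",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Documents/archive.tar.gz",
    "C:/Users/alice/Documents/photo.jpeg",
]

if __name__ == "__main__":
    report = scan_listing(SAMPLE_LISTING)
    for suffix, info in report["suspect_suffixes"].items():
        print(f".{suffix}: {len(info['files'])} files, note: {info['ransom_note']}")
```

The heuristic is deliberately conservative: a single file with an odd extension is ignored unless a matching ransom note exists, because legitimate tools also produce unusual suffixes. The same signal, many files in one tree renamed to a shared, previously unseen extension within a short window, is what an EDR rule should alarm on in real time rather than after the fact.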
Data Theft and Extortion
SuperBlack is not just about encryption—it also incorporates double extortion tactics. The attackers claim they have stolen sensitive data, including:
- Network information
- Manufacturing data
- Financial records (bills, budgets, annual reports, etc.)
- Employee and client details
Victims are warned that refusal to pay the ransom will result in their data being leaked. To add pressure, the attackers offer to provide proof of the data theft and decrypt a single file as a demonstration of their capabilities.
Attribution: The 'Mora_001' Threat Actor
SuperBlack was deployed in campaigns between January and March 2025 by a Russian-speaking threat actor tracked as 'Mora_001'. The malware has been observed using Tox IDs linked to the LockBit ransomware operation, although its infrastructure appears to be independent. While its exact relationship with LockBit is unclear, SuperBlack exhibits notable similarities to LockBit 3.0.
Attack Vector: How SuperBlack Infects Systems
SuperBlack infections have been linked to the exploitation of vulnerabilities in Fortinet firewall appliances. The attack typically unfolds in multiple stages:
- Initial Access: The attackers exploit security flaws in internet-facing Fortinet firewall devices.
- Privilege Escalation: They elevate to higher privileges on the compromised device.
- Persistence Mechanisms: They establish access that survives reboots, so the foothold is not lost if the device restarts.
- Lateral Movement: From the firewall, the intrusion spreads into the internal network, compromising additional hosts.
- Data Exfiltration: Sensitive data is collected and transferred out before encryption begins, which is what makes the later leak threat credible.
- File Encryption: The final step locks files across the compromised hosts and drops the ransom demand.
Why Paying the Ransom Is Not Recommended
Victims of SuperBlack may feel compelled to pay in the hope of recovering their encrypted files, but doing so carries significant risks. There is no certainty that the criminals will provide a working decryption tool after receiving payment, leaving victims without their data despite complying with the demands. Moreover, paying a ransom funds further ransomware campaigns and encourages attackers to keep targeting individuals and organizations.
Another concern is repeat extortion: the attackers may demand additional payments even after the initial ransom has been paid, and data they claim to have stolen can still be leaked or sold. In some cases, victims find themselves trapped in an ongoing cycle of extortion with no resolution. Even if a decryption tool is provided, there is no guarantee that the attackers' access has been fully removed; lingering backdoors or malware can lead to re-encryption, causing further damage and prolonging the incident. Given these risks, paying the ransom is not a reliable or advisable solution.
How to Protect Your Devices from the SuperBlack Ransomware
To mitigate the possibility of infection and potential damage, follow these essential cybersecurity best practices:
- Keep Backups of Critical Data: Maintain offline and cloud backups that are inaccessible to ransomware. Use versioned backups to restore files from a point before infection.
- Regularly Update Software and Operating Systems: Because SuperBlack's initial access has been tied to Fortinet firewall flaws, prioritize patching internet-facing Fortinet devices and other network appliances, and do not expose their management interfaces to the internet. Enable automatic updates for operating systems, security software, and applications.
- Use Strong Endpoint Security Solutions: Deploy advanced anti-malware tools with real-time protection. Utilize Endpoint Detection and Response (EDR) solutions for threat monitoring.
- Implement Network Security Measures: Configure firewalls and intrusion detection systems (IDS) to block suspicious activity. Restrict Remote Desktop Protocol (RDP) access and use multi-factor authentication (MFA).
- Beware of Phishing Attacks: Avoid clicking on links or downloading attachments from unknown or suspicious emails. Train employees to recognize phishing scams and report them.
- Restrict Administrative Privileges: Apply the Principle of Least Privilege (PoLP) to limit user access. Disable macro execution in Microsoft Office and prevent unauthorized script execution.
- Disable Unnecessary Services and Ports: Close unused network ports to reduce exposure to external threats, and remove outdated or unused remote access tools that could be exploited.
- Use Application Whitelisting and Sandboxing: Restrict execution to approved applications to prevent ransomware from running. Execute suspicious files in an isolated environment before allowing them on the system.
Conclusion: Staying Ahead of Ransomware Threats
SuperBlack represents a dangerous evolution of modern cyber threats, combining data encryption with data-theft extortion. Organizations and individuals must take proactive steps to safeguard their systems. By implementing strong security measures, staying informed about emerging threats, and maintaining secure backups, the chances of falling prey to ransomware attacks can be significantly reduced. Cybersecurity is an ongoing process, and prevention is always better than reaction.
