SuperBlack Ransomware: Another Threat To Avoid

Understanding SuperBlack Ransomware

SuperBlack is a ransomware variant believed to be derived from the LockBit 3.0 ransomware family. This infection encrypts files and demands a ransom for their decryption, leaving victims with little to no options for file recovery unless they have backups. Upon infection, SuperBlack renames files by appending a random string to their original names. For instance, a file named "document.pdf" may become "document.pdf.fB1SZ2i3X."

In addition to encrypting data, SuperBlack modifies the victim's desktop wallpaper and drops a ransom note titled with a randomly generated string (e.g., "[random_string].README.txt"). The ransom note instructs the victim on how to contact the attackers and warns against using third-party recovery tools, claiming they may permanently damage the encrypted files.

Here's what the ransom note says:

>>>> Your data are stolen and encrypted!


>>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web.


Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...


You can request the tree of files that we have.

>>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat:


>>>> Your personal DECRYPTION ID: 7FBC34A4128F7B75E19B7F2A4E1938A0


1) Download and install TOX chat: hxxps://tox.chat
2) Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you.


>>>> DO NOT MODIFY FILES YOURSELF.
>>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
>>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
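As an added triage example (not the article's code, nor any vendor's tool), the Python script below walks a directory tree and flags the two artefacts described above: files renamed with an appended random string and a "<random string>.README.txt" note containing the marker lines quoted from the ransom note. The file-name patterns, the suffix length limits, the "shared suffix" threshold and the sample tree are assumptions constructed from the article's examples, not a published signature.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics generalised from the article's examples (hypothetical thresholds, not a
# published signature): encrypted files keep their original name and extension and gain
# one extra dot-separated random alphanumeric suffix; the ransom note is named
# "<random string>.README.txt" and contains the marker lines quoted in the note.
SUFFIX_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<suffix>[A-Za-z0-9]{8,12})$")
NOTE_RE = re.compile(r"^[A-Za-z0-9]{8,12}\.README\.txt$")
NOTE_MARKERS = (
    ">>>> Your data are stolen and encrypted!",
    "Your personal DECRYPTION ID",
    "tox chat",
)


def classify(path) -> str:
    """Label a path by file name only: ransom_note, encrypted_candidate or normal."""
    name = Path(path).name
    if NOTE_RE.match(name):
        return "ransom_note"
    if SUFFIX_RE.match(name):
        return "encrypted_candidate"
    return "normal"


def scan_tree(root: Path) -> dict:
    """Walk a directory tree and collect renamed files, shared suffixes and ransom notes."""
    findings = {"encrypted": [], "notes": [], "suffix_counts": Counter()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        rel = str(path.relative_to(root))
        if kind == "encrypted_candidate":
            suffix = SUFFIX_RE.match(path.name)["suffix"]
            findings["encrypted"].append(rel)
            findings["suffix_counts"][suffix] += 1
        elif kind == "ransom_note":
            # Confirm by content: a note with none of the marker lines is only a name match.
            text = path.read_text(errors="replace")
            hits = [marker for marker in NOTE_MARKERS if marker in text]
            findings["notes"].append({"path": rel, "marker_hits": hits})
    return findings


def verdict(findings: dict, min_shared: int = 2) -> bool:
    """True when a marker-confirmed note exists or several files share one random suffix."""
    note_confirmed = any(n["marker_hits"] for n in findings["notes"])
    mass_rename = any(c >= min_shared for c in findings["suffix_counts"].values())
    return note_confirmed or mass_rename


# Constructed sample tree: two renamed files sharing the suffix from the article, one
# note carrying the quoted marker lines (with a placeholder ID), and two benign files.
SAMPLE_NOTE = (
    ">>>> Your data are stolen and encrypted!\n"
    ">>>> You need contact us and decrypt one file for free, send a small file for test "
    "decryption with your personal DECRYPTION ID to tox chat:\n"
    ">>>> Your personal DECRYPTION ID: <PLACEHOLDER_ID>\n"
)

SAMPLE_FILES = {
    "document.pdf.fB1SZ2i3X": "<ciphertext>",
    "finance/budget.xlsx.fB1SZ2i3X": "<ciphertext>",
    "fB1SZ2i3X.README.txt": SAMPLE_NOTE,
    "notes.txt": "plain text, untouched",
    "archive.tar.gz": "<tarball>",
}


def demo() -> tuple:
    """Build the sample tree in a temporary directory, scan it and return (findings, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        findings = scan_tree(root)
    return findings, verdict(findings)


if __name__ == "__main__":
    found, flagged = demo()
    print("flagged:", flagged)
    print("shared suffixes:", dict(found["suffix_counts"]))
    for note in found["notes"]:
        print("note:", note["path"], "markers:", len(note["marker_hits"]))
```

The name pattern alone will misfire on legitimate files such as backup copies with a long alphanumeric suffix, which is why the verdict also requires either a note whose content carries the quoted markers or several files sharing one suffix. During an actual incident, run a check like this against a mounted image or read-only copy rather than the live host, so the triage does not disturb evidence.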

The Tactics and Goals of SuperBlack Ransomware

SuperBlack is primarily used by a cybercriminal group known as "Mora_001," a suspected Russian-speaking threat actor. This ransomware campaign was most active between January and March 2025. The group infiltrates victims' systems, encrypting their files and stealing sensitive data. The stolen information includes network details, financial records, manufacturing data, and personal information of employees and clients.

The ransom note states that if the victim refuses to comply, the attackers will leak the stolen data online. To further pressure their victims, the attackers offer to prove the data exfiltration by providing a sample and demonstrating the decryption of one encrypted file. This tactic plays on fear and urgency, increasing the likelihood of victims giving in to the ransom demands.

SuperBlack’s Connection to LockBit Ransomware

Evidence suggests that SuperBlack shares similarities with LockBit ransomware, particularly in its code structure and encryption techniques. Additionally, SuperBlack has been observed using Tox IDs (anonymous messaging identifiers) previously associated with LockBit operators. However, SuperBlack does not use LockBit's infrastructure, indicating that while the two ransomware strains may be connected, they are distinct entities with separate operations.

Unlike highly targeted attacks, SuperBlack campaigns are opportunistic, meaning they exploit vulnerable systems without specific targeting. Attackers have been known to abuse security weaknesses in Fortinet firewalls to gain initial access, after which they escalate privileges, establish persistence, and move laterally across the network. The final stage of the attack culminates in data exfiltration followed by file encryption.

What Happens If You Are Infected?

For most ransomware attacks, decryption without the attacker's cooperation is nearly impossible. Cybercriminals use advanced encryption techniques, making it challenging for security experts to develop decryption tools. SuperBlack is no exception. Victims who do not have backups often face permanent data loss.

Even if victims pay the ransom, there is no guarantee they will receive a working decryption key. Many cybercriminal groups fail to provide the necessary tools even after payment, and paying only funds further criminal activity. Security experts strongly discourage paying the ransom and instead recommend removing the malware and restoring data from backups.

How Ransomware Spreads

Ransomware like SuperBlack spreads through various attack vectors. Some of the most common methods include:

  • Phishing Emails: Attackers use fraudulent emails containing malicious links or attachments that execute the ransomware.
  • Exploiting Software Vulnerabilities: Hackers take advantage of outdated or unpatched software, such as firewall weaknesses, to gain access.
  • Drive-By Downloads: Users unknowingly download ransomware by visiting compromised websites or clicking on malicious ads.
  • Trojan Downloaders: Some malware programs install ransomware as a secondary payload without the user's knowledge.
  • Pirated Software and Cracks: Illegal software downloads often contain hidden malware, including ransomware.
  • Removable Media and Network Propagation: Ransomware can spread via USB drives, external hard drives, and even through local networks.

Protecting Yourself Against SuperBlack Ransomware

Preventing ransomware infections requires a combination of proactive security measures and user awareness. Here are some best practices to protect against SuperBlack and similar threats:

  • Keep Backups in Multiple Locations: Regularly back up important data to external drives, cloud storage, and offline storage to ensure recoverability.
  • Use Strong Security Solutions: Install and maintain up-to-date antivirus and anti-malware tools to detect and block threats.
  • Update Software Regularly: Patch vulnerabilities in your operating system, firewalls, and other software to reduce attack risks.
  • Be Wary of Emails and Links: Avoid opening attachments or clicking links from unknown senders, as they may contain ransomware.
  • Download Software from Trusted Sources: Use only official websites and reputable app stores for software and updates.
  • Restrict Administrative Privileges: Limit user permissions to prevent unauthorized changes to system files.
  • Use Multi-Factor Authentication (MFA): Strengthen security by requiring multiple authentication steps for sensitive accounts.

What to Do If You Are Infected

If your system is compromised by SuperBlack ransomware, take the following steps immediately:

  1. Disconnect from the Network: Isolate the infected system to prevent the ransomware from spreading to other devices.
  2. Do Not Pay the Ransom: Paying does not guarantee file recovery and may encourage further attacks.
  3. Remove the Malware: Use security software to scan for and eliminate the ransomware.
  4. Attempt Data Recovery: Restore files from backups if available. Check online security resources for potential decryption tools.
  5. Report the Attack: Notify law enforcement and cybersecurity agencies to help track the threat actors.

Key Takeaways

SuperBlack ransomware is a sophisticated and dangerous malware that encrypts files and threatens to leak stolen data if the victim does not comply with ransom demands. While it shares some similarities with LockBit ransomware, it operates independently, using its own infrastructure and methodologies.

Victims should never pay the ransom, as doing so supports criminal activity and does not guarantee data recovery. Instead, they should focus on removing the malware, strengthening security measures, and maintaining regular backups. By staying informed and practicing cybersecurity best practices, users can reduce the risk of ransomware attacks like SuperBlack.

March 18, 2025