MORA_001

RANSOMWARE

MORA_001 is a ransomware group that has shown a preference for targeting critical infrastructure and enterprise networks, though specific industry sectors remain undisclosed due to the limited available data. The group's initial access method is unclear but likely involves exploiting vulnerabilities in network services or software applications, given their extensive correlation with CVEs. MORA_001 employs double extortion tactics, leveraging stolen data for additional leverage during negotiations, and uses sophisticated encryption methods to ensure that victim organizations face significant challenges in recovering their data without paying the ransom. What sets this group apart is its high reliance on unconfirmed but predicted critical vulnerabilities, indicating a proactive approach to identifying and exploiting zero-day or near-zero-day flaws.

The technical footprint of MORA_001 primarily revolves around critical remote code execution (RCE) vulnerabilities, which enable them to gain unauthorized access and deploy their ransomware payloads. The group's correlation with 12 CRITICAL CVEs suggests a high level of sophistication in identifying and potentially developing exploits for these flaws. Defenders should prioritize the timely patching of all known vulnerabilities, especially those categorized as critical or high severity, and implement robust network segmentation to limit lateral movement once an initial foothold is established. Additionally, continuous monitoring and logging of network activities can help detect anomalous behavior indicative of MORA_001's operations early on.

Predicted CVEs (17) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2026-21643 CRITICAL Fortinet FortiClientEMS predicted 9.8 CVE-2024-47575 CRITICAL Fortinet FortiManager predicted 9.8 CVE-2024-23113 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2020-12812 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2022-42475 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2024-21762 CRITICAL Fortinet FortiProxy predicted 9.8 CVE-2025-32756 CRITICAL Fortinet FortiNDR predicted 9.8 CVE-2025-64446 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-25257 CRITICAL Fortinet FortiWeb predicted 9.8 CVE-2025-59718 CRITICAL Fortinet FortiSwitchManager predicted 9.8 CVE-2026-24858 CRITICAL Fortinet FortiOS predicted 9.8 CVE-2024-55591 CRITICAL Fortinet FortiOS medium 9.6 CVE-2024-55591 CRITICAL Fortinet FortiOS predicted 9.6 CVE-2026-35616 CRITICAL Fortinet FortiClientEMS predicted 9.1 CVE-2025-24472 HIGH Fortinet FortiProxy medium 8.1 CVE-2025-24472 HIGH Fortinet FortiProxy predicted 8.1