A newly publicized ransomware-as-a-service (RaaS) operation, GLOBAL GROUP, has emerged on the Ramp4u cybercrime forum, promising scalable, automated attacks and generous profit-sharing for affiliates.
While touted as a novel platform, forensic analysis reveals GLOBAL GROUP is not a new threat actor but rather a rebranding of the Mamona RIP and Black Lock ransomware families.
The group, led by the operator known as $$$, is capitalizing on its mature, battle-tested infrastructure by updating its marketing to attract a fresh pool of affiliates.
At the core of GLOBAL GROUP’s operation is a ransomware payload architected in Golang, facilitating cross-platform execution across Windows, Linux, and macOS, a trend that is becoming increasingly prevalent in ransomware development.
Golang’s concurrency strengths enable efficient, simultaneous file encryption across systems, while its static linking bolsters evasion capabilities.
Critical to attribution, forensic analysts have identified the reuse of a distinct mutex string, Global\Fxo16jmdgujs437, previously tied to Mamona RIP.
This mutex, embedded within the binary to enforce single-instance execution, establishes a clear continuation of codebase lineage rather than a break with the past.
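As an added illustration of how such a mutex artifact is checked during triage (not code from the article or from any vendor report), the Python below pulls Global\ and Local\ named-object strings out of a binary in both ASCII and UTF-16LE and matches them against a small indicator set containing the mutex quoted above; the sample bytes and the unrelated Local\ name are constructed.

```python
"""Extract Windows named-object strings (Global\\... / Local\\...) from a binary
blob in ASCII and UTF-16LE and match them against known ransomware mutexes."""
import re
from dataclasses import dataclass

# Indicator set: mutex name -> family label. Only the mutex from the article.
KNOWN_MUTEXES = {
    r"Global\Fxo16jmdgujs437": "Mamona RIP / GLOBAL GROUP",
}

# Named kernel objects live in the Global\ or Local\ namespace.
_ASCII_RE = re.compile(rb"(?:Global|Local)\\[A-Za-z0-9_.\-]{4,64}")
_UTF16_RE = re.compile(
    rb"(?:G\x00l\x00o\x00b\x00a\x00l\x00|L\x00o\x00c\x00a\x00l\x00)"
    rb"\\\x00(?:[A-Za-z0-9_.\-]\x00){4,64}"
)

@dataclass(frozen=True)
class NamedObject:
    name: str
    offset: int
    encoding: str

def extract_named_objects(blob: bytes) -> list[NamedObject]:
    """Return every Global\\ / Local\\ object name in blob, ordered by offset."""
    found = []
    for m in _ASCII_RE.finditer(blob):
        found.append(NamedObject(m.group().decode("ascii"), m.start(), "ascii"))
    for m in _UTF16_RE.finditer(blob):
        found.append(NamedObject(m.group().decode("utf-16-le"), m.start(), "utf-16-le"))
    return sorted(found, key=lambda o: o.offset)

def match_known(objects: list[NamedObject]) -> dict[str, str]:
    """Map each extracted name that is a known indicator to its family label."""
    return {o.name: KNOWN_MUTEXES[o.name] for o in objects if o.name in KNOWN_MUTEXES}

# Constructed sample: padding, the mutex as ASCII, filler, an unrelated
# UTF-16LE object name, and trailing junk. Not a real binary.
SAMPLE = (b"\x00" * 16 + b"Global\\Fxo16jmdgujs437\x00" + b"\x90" * 8
          + "Local\\UpdaterRunning".encode("utf-16-le") + b"\x00\x00" + b"junk")

if __name__ == "__main__":
    objs = extract_named_objects(SAMPLE)
    for o in objs:
        print(f"{o.offset:#08x} {o.encoding:9} {o.name}")
    print("known:", match_known(objs))
```

Running it over a real file is a matter of passing `open(path, "rb").read()` instead of SAMPLE; Go binaries keep the name as UTF-8 and convert to UTF-16 at call time, so the ASCII path is the one that usually fires on them.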
Ransom Note Delivery
GLOBAL’s ransomware leverages the ChaCha20-Poly1305 encryption algorithm, providing robust confidentiality and integrity for encrypted files.
Each file receives a custom extension, set by affiliates, and often has filenames randomized to impede restoration.
The ransom note, hardcoded in the binary, is written directly to disk using a procedural logic that reveals moderate technical sophistication.
The note lures victims to a Tor-based leak site and a separate negotiation portal, evidencing the group’s adoption of modern double-extortion strategies.
The communication is marked by a coercive tone and includes a verification mechanism that allows victims to upload an encrypted file for “free” decryption, enhancing trust in the actor’s claims while raising the stakes for payment.
Infrastructure Weaknesses Expose OPSEC Lapses
Despite technical advancements, GLOBAL GROUP’s infrastructure displays notable operational security blunders.
Investigators traced the group’s backend by parsing leaked API metadata from the frontend JavaScript of their leak site.
Internal fields inadvertently revealed the real-world IP address of their VPS, 193.19.119.4, along with backend SSH credentials.
This infrastructure, hosted by Russian provider IpServer and previously linked to Mamona, further corroborates attribution to established actors repurposing their assets under a new name.
An affiliate-oriented ransomware builder lies at the heart of the GLOBAL operation, accessible via both desktop and mobile interfaces.
Affiliates can customize payloads with adjustable encryption logic, file extension choices, and toggles for advanced behaviors such as self-deletion, event log wiping, process termination, and file icon modification.
The modular design ensures only selected features are compiled into a given payload, optimizing binary size and evading detection.
The ransom negotiation portal incorporates an AI-driven chatbot that handles victim communication, reducing affiliate workload and enabling near-continuous negotiation coverage.
Analysts have witnessed demands reaching the million-dollar range alongside time-limited threats, typical of double-extortion campaigns.
Victims interact via a secure channel, sometimes with affiliates monitoring or directly participating in the negotiations.
GLOBAL GROUP’s initial access strategy is heavily reliant on broker partnerships, with actors purchasing or profit-sharing on network entry points sourced via compromised credentials, RDP access, and bespoke brute-force tools.
This reflects the broader service-oriented ransomware ecosystem, enabling rapid, large-scale deployment and maximizing affiliate appeal.
GLOBAL GROUP is less a new ransomware threat than a strategic continuation of established criminal operations, wrapped in refreshed branding and enhanced automation.
The persistence of unique code artifacts, infrastructure footprints, and control logic underscores the maturity of the platform and its operators, who continue to evolve their tactics while leveraging lessons from prior ransomware campaigns.
This rebranding signals an ongoing trend of operators repackaging proven playbooks to invigorate the affiliate marketplace and sustain large-scale, cross-platform ransomware activity.