In June 2025, a new ransomware entity known as GLOBAL GROUP surfaced on the Ramp4u cybercrime forum. Operated by an individual using the alias $$$, this group introduced itself as a cutting-edge Ransomware-as-a-Service (RaaS) platform, offering affiliates scalable operations, automated negotiations, cross-platform payloads, and attractive profit-sharing arrangements. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
Technical Analysis and Code Reuse
Despite its presentation as a novel threat, forensic investigations have revealed that GLOBAL GROUP is a rebranded continuation of previous ransomware families, notably Mamona RIP and Black Lock. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
A key indicator of this lineage is the reuse of a specific mutex string, Global\Fxo16jmdgujs437, within the ransomware’s code. This mutex, designed to prevent multiple simultaneous executions of the ransomware process, was previously identified in Mamona RIP samples, indicating direct codebase inheritance. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
Payload Architecture and Encryption Techniques
GLOBAL GROUP’s ransomware is developed using the Go programming language, resulting in monolithic binaries capable of executing across Windows, Linux, and macOS environments. This cross-platform capability allows the ransomware to target diverse IT infrastructures within a single campaign, enhancing its reach and effectiveness. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
The ransomware employs the ChaCha20-Poly1305 encryption algorithm, a modern choice that ensures both data confidentiality and integrity. Utilizing Go’s concurrency features, the malware encrypts files across all available drives simultaneously, significantly reducing the time required to lock down victim systems. Each encrypted file receives a custom extension defined by the affiliate, and filenames are often encrypted to further complicate recovery efforts. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
Ransom Note Construction and Delivery
The ransom note is hardcoded directly into the binary and is written to the victim’s file system upon execution. Analysis of the decompiled code reveals the following embedded message:
```
GLOBAL
YOUR FILES HAVE BEEN STOLEN AND ENCRYPTED
visit this tor link
http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
and contact
```
This message directs victims to a Tor-based leak site where they can verify the compromise and initiate ransom negotiations. The use of embedded constants and specific function calls reflects a moderate level of sophistication in the malware’s design. ([picussecurity.com](https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale?utm_source=openai))
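As an added, defender-side example (not code from the Picus analysis or from the group itself), the Go program below scans a carved file or memory region for the static indicators quoted in this write-up (the inherited mutex string, the ransom-note banner and the onion address) and extracts the embedded note so it can be attached to a detection report; the sample bytes are constructed for the demonstration, not a real payload.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Static indicators quoted in the analysis: the mutex inherited from Mamona RIP,
// the ransom-note banner and the Tor address hardcoded into the binary.
// A plain string like the mutex is trivial for the operator to change, so the
// scanner reports every indicator it sees rather than stopping at the first.
var indicators = map[string][]byte{
	"mutex":       []byte(`Global\Fxo16jmdgujs437`),
	"note_banner": []byte("YOUR FILES HAVE BEEN STOLEN AND ENCRYPTED"),
	"onion":       []byte("vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion"),
}

// ScanIndicators returns the names of the indicators present in data, in a fixed order.
func ScanIndicators(data []byte) []string {
	var hits []string
	for _, name := range []string{"mutex", "note_banner", "onion"} {
		if bytes.Contains(data, indicators[name]) {
			hits = append(hits, name)
		}
	}
	return hits
}

// ExtractRansomNote returns the embedded note from its "GLOBAL" header up to and
// including the trailing "and contact"; ok is false when no banner is found.
func ExtractRansomNote(data []byte) (note string, ok bool) {
	bi := bytes.Index(data, indicators["note_banner"])
	if bi < 0 {
		return "", false
	}
	start := bytes.LastIndex(data[:bi], []byte("GLOBAL")) // header line precedes the banner
	if start < 0 {
		start = bi
	}
	end := bytes.Index(data[bi:], []byte("and contact"))
	if end < 0 {
		return "", false
	}
	return string(data[start : bi+end+len("and contact")]), true
}

// Constructed sample standing in for a carved section of a suspect binary (not a real sample).
var sample = []byte("\x00\x00" + `Global\Fxo16jmdgujs437` + "\x00GLOBAL\nYOUR FILES HAVE BEEN STOLEN AND ENCRYPTED\nvisit this tor link\nhttp://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/\nand contact\x00")

func main() {
	fmt.Println("indicators:", strings.Join(ScanIndicators(sample), ","))
	if note, ok := ExtractRansomNote(sample); ok {
		fmt.Println(note)
	}
}
```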
Operational Tactics and AI-Driven Negotiations
GLOBAL GROUP distinguishes itself through the integration of an AI-powered negotiation system within its operations. This automated system facilitates victim communications, enabling non-English-speaking affiliates to engage effectively in ransom negotiations and demand substantial payments, often reaching seven-figure sums. ([cybernoz.com](https://cybernoz.com/global-group-raas-operators-enable-ai-driven-negotiation-functionality/?utm_source=openai))
The group offers an 85% revenue-sharing model to attract affiliates, positioning itself competitively within the RaaS marketplace. A promotional video on their leak site showcases a comprehensive affiliate panel that supports mobile device management, allowing operatives to conduct negotiations via smartphones. ([cybernoz.com](https://cybernoz.com/global-group-raas-operators-enable-ai-driven-negotiation-functionality/?utm_source=openai))
Infrastructure and Initial Access Strategies
GLOBAL GROUP’s infrastructure has been linked to previous operations, with hosting services provided by a Russian VPS provider. An operational security lapse exposed this infrastructure when the group’s API endpoint leaked metadata containing real hosting environment details. ([cybernoz.com](https://cybernoz.com/global-group-raas-operators-enable-ai-driven-negotiation-functionality/?utm_source=openai))
The group collaborates with Initial Access Brokers (IABs) to infiltrate enterprise networks. For instance, communications between $$$ and an IAB known as HuanEbashes revealed offers of RDP access to a U.S. law firm and the promotion of VPN brute-forcing tools targeting various systems. These tools enable affiliates to bypass endpoint defenses by acquiring valid credentials and exploiting perimeter devices, often leading to full domain compromise and ransomware deployment. ([cyberinsider.com](https://cyberinsider.com/new-ransomware-operation-global-group-launches-with-ai-negotiators/?utm_source=openai))
Implications and Defensive Measures
The emergence of GLOBAL GROUP underscores the evolving sophistication of ransomware operations, particularly the adoption of cross-platform capabilities and AI-driven negotiations. Organizations must enhance their cybersecurity posture by implementing comprehensive defense strategies, including:
– Regularly updating and patching systems to mitigate vulnerabilities.
– Employing robust endpoint detection and response (EDR) solutions.
– Conducting continuous monitoring for unusual network activities.
– Educating employees on recognizing phishing attempts and other common attack vectors.
By adopting a proactive and layered security approach, organizations can better defend against the multifaceted threats posed by groups like GLOBAL GROUP.