
Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomware, built in Golang, supports cross-platform execution and uses ChaCha20-Poly1305 encryption. It features a dual-portal model for leak site viewing and negotiations, with an AI-powered chatbot for automated communication. The group's infrastructure mistakes exposed backend SSH credentials and real IP addresses. GLOBAL relies on Initial Access Brokers for network infiltration and offers a full-featured affiliate portal for custom payload generation.

OPENCTI LABELS :

ransomware,tor,golang,raas,cross-platform,initial access brokers,black lock,chacha20-poly1305,mamona rip,global group,ai chatbot


AI COMMENTARY :

1. Introduction: In June 2025 security researchers observed the sudden appearance of a ransomware actor self-branded as GLOBAL GROUP on the Tor-hosted Ramp4u cybercrime forum. Positioned as a next-generation RaaS platform, this group rapidly gained attention by claiming novel capabilities and an automated negotiation portal powered by an AI chatbot. The rapid escalation of GLOBAL GROUP activities prompted deeper analysis into its lineage and real-world impact on organizations worldwide.

2. Evolution from Mamona RIP and Black Lock: Forensic examination of sample binaries revealed clear code overlaps between GLOBAL GROUP’s Golang-built payloads and those once attributed to the Mamona RIP and Black Lock families. Byte-level similarities, shared encryption routines, and reused configuration templates demonstrated that GLOBAL GROUP represents a strategic rebranding rather than a wholly new threat. This transformation enabled veteran operators to capitalize on existing affiliate networks and resume attacks under a fresh banner.

3. Technical Innovations and Cross-Platform Design: Building the payload in Golang lets the operators compile a single codebase for several operating systems, including the Windows and Linux hosts that make up most enterprise estates. ChaCha20-Poly1305 is an authenticated encryption (AEAD) construction, so each file is encrypted and integrity-tagged in a single pass, and the cipher performs well in pure software on CPUs without AES acceleration, which keeps bulk encryption of victim data fast. The leak site and negotiation portal are hosted as Tor hidden services, which conceals the hosting location and complicates takedown and attribution.

4. Dual-Portal Model and AI Chatbot Negotiations: A distinctive dual-portal model underpins GLOBAL GROUP's operations: one portal for public leak site viewing and another for private negotiation. Victims interact with an AI-driven chatbot that issues the initial demand, quotes decryption prices and walks the victim through paying in cryptocurrency. This automation lets affiliates run many negotiations in parallel with little operator involvement and accelerates the extortion lifecycle.

5. Infrastructure Mistakes and Exposure: Despite sophisticated design, operational security lapses by GLOBAL GROUP exposed backend SSH credentials and real IP addresses. Misconfigured servers and inadequate segregation between test and production environments allowed threat hunters to trace key nodes in the affiliate portal and identify hosting providers. Such slip-ups offer valuable telemetry for threat intelligence teams to map actor infrastructure and disrupt ongoing campaigns.

6. Affiliate Program, Initial Access Brokers and RaaS Ecosystem: GLOBAL GROUP depends heavily on Initial Access Brokers to deliver footholds into target networks. Affiliates access a feature-rich dashboard enabling custom payload generation, target profiling and real-time negotiation analytics. This turnkey RaaS model streamlines ransomware deployment and lowers the technical barrier for opportunistic actors, expanding the pool of affiliates able to run extortion operations.

7. Implications for Threat Intelligence and Defense: Tracking the transition from Mamona RIP and Black Lock to GLOBAL GROUP underscores the importance of continuous behavioral and code-level monitoring. Note that ChaCha20-Poly1305 is a symmetric AEAD cipher with no key negotiation over the network, so it leaves no handshake to detect on the wire; the observable signals are on the host and at the perimeter. Security teams should prioritize triage of unsigned Go-built executables (the Go build-info header and the pclntab function table survive the usual -s -w stripping), detection of rapid high-volume file rewrites and ransom-note drops, and alerting on Tor traffic and .onion lookups from systems with no business reason for them. Proactive threat intelligence sharing, combined with robust network segmentation and rehearsed incident response playbooks, remains essential to mitigate the evolving risks posed by RaaS operations like GLOBAL GROUP.
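The following Python script is an added example, not code from this report, from NetmanageIT or from the GLOBAL GROUP payload itself. It shows the static triage that sections 3 and 7 call for: identifying a Go-built sample from markers that survive stripping (the pclntab header magic and the Go build-info header) and flagging strings that indicate ChaCha20-Poly1305 use, namely the golang.org/x/crypto/chacha20poly1305 package path left in the function-name table and the ChaCha sigma constant "expand 32-byte k". The SAMPLE blob is constructed for the example and is not a real binary; the function names in it are what a Go binary importing that package would carry, but no specific GLOBAL GROUP artefact is reproduced here.

```python
"""Static triage heuristics for Go-built ransomware samples.

Added example, not code from the report or from GLOBAL GROUP itself.
It scans raw file bytes for markers that survive the usual
`go build -ldflags="-s -w"` stripping:

  1. the pclntab header magic (version-specific, stored little-endian),
  2. the "\xff Go buildinf:" header the Go linker writes,
  3. package-path strings left in the function-name table, here the
     x/crypto ChaCha20-Poly1305 package and the ChaCha sigma constant
     "expand 32-byte k" that the assembly backend keeps as data.

SAMPLE below is a constructed blob for the example, not a real binary.
"""
import re
import struct

# pclntab magic -> Go toolchain range (values from debug/gosym)
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}
BUILDINFO_MAGIC = b"\xff Go buildinf:"
CRYPTO_MARKERS = {
    b"golang.org/x/crypto/chacha20poly1305": "chacha20poly1305 package path",
    b"expand 32-byte k": "ChaCha sigma constant",
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def find_pclntab(data: bytes):
    """Locate a pclntab header: 4-byte magic, 2 zero bytes, then the
    instruction quantum (1, 2 or 4) and pointer size (4 or 8).
    Returns (offset, version label) or None."""
    for magic, label in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        off = data.find(needle)
        while off != -1:
            if off + 8 <= len(data):
                quantum, ptrsize = data[off + 6], data[off + 7]
                if quantum in (1, 2, 4) and ptrsize in (4, 8):
                    return off, label
            off = data.find(needle, off + 1)
    return None


def go_crypto_symbols(data: bytes) -> list:
    """Printable runs that look like Go function names under golang.org/x/crypto.
    In a real binary these come from the NUL-separated pclntab name table."""
    return [m.group().decode() for m in PRINTABLE_RUN.finditer(data)
            if b"golang.org/x/crypto/" in m.group()]


def triage(data: bytes) -> dict:
    """Summarise the Go and crypto indicators found in the sample."""
    result = {"is_go": False, "go_version": None, "build_info": False,
              "crypto": [], "symbols": []}
    hit = find_pclntab(data)
    if hit is not None:
        result["is_go"] = True
        result["go_version"] = hit[1]
    if BUILDINFO_MAGIC in data:
        result["is_go"] = True
        result["build_info"] = True
    result["crypto"] = [label for needle, label in CRYPTO_MARKERS.items()
                        if needle in data]
    result["symbols"] = go_crypto_symbols(data)
    return result


# Constructed stand-in for a stripped Go/amd64 PE: a DOS stub, a build-info
# header, a go1.20+ pclntab header and a few NUL-separated function names.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16 + b"go1.22.3\x00"
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08" + b"\x00" * 8
    + b"main.main\x00"
    + b"golang.org/x/crypto/chacha20poly1305.(*chacha20poly1305).Seal\x00"
    + b"golang.org/x/crypto/chacha20poly1305.New\x00"
    + b"expand 32-byte k" + b"\x00" * 16
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Treat the output as a triage hint rather than a verdict: the version label comes only from the pclntab magic, a packed or encrypted sample hides all of these markers until it is unpacked, and the sigma constant also appears in legitimate software that links any ChaCha20 implementation. The package-path check is the more specific signal, because Go keeps function names in the pclntab even when the symbol table and DWARF are stripped.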

