Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale
Aug. 21, 2025, 8:03 p.m.
Description
A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomware, built in Golang, supports cross-platform execution and uses ChaCha20-Poly1305 encryption. It features a dual-portal model for leak site viewing and negotiations, with an AI-powered chatbot for automated communication. The group's infrastructure mistakes exposed backend SSH credentials and real IP addresses. GLOBAL relies on Initial Access Brokers for network infiltration and offers a full-featured affiliate portal for custom payload generation.
Date
- Created: Aug. 21, 2025, 4:16 p.m.
- Published: Aug. 21, 2025, 4:16 p.m.
- Modified: Aug. 21, 2025, 8:03 p.m.
Indicators
- 193.19.119.4
- http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
- http://gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/
- vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion
- gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion
Attack Patterns
- Black Lock
- Mamona RIP
- GLOBAL GROUP
Additional Information
- Legal
- United States of America