Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale
Essential information
- Published: 21/08/2025 16:16
- Modified: 21/08/2025 20:03
- Tags: 2025-08-21 ai chatbot black lock chacha20-poly1305 cross-platform global group golang initial access brokers mamona rip raas ransomware tor
- Related entities: 4 vulnerabilities (cve), 6 observables, 1 intrusion sets (apt), 3 malware, 2 others
Description
A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomware, built in Golang, supports cross-platform execution and uses ChaCha20-Poly1305 encryption. It features a dual-portal model for leak site viewing and negotiations, with an AI-powered chatbot for automated communication. The group's infrastructure mistakes exposed backend SSH credentials and real IP addresses. GLOBAL relies on Initial Access Brokers for network infiltration and offers a full-featured affiliate portal for custom payload generation.