GLOBAL GROUP’s Golang Ransomware Attacks Windows, Linux, and macOS Environments
A new ransomware-as-a-service operation is targeting organizations across Windows, Linux, and macOS using one Go codebase built for each platform.
In June 2025, a ransomware actor operating under the alias “Dollar Dollar Dollar” introduced GLOBAL GROUP on the Ramp4u cybercrime forum, marketing it as a cutting-edge Ransomware-as-a-Service (RaaS) platform.
The group promised affiliates scalable operations with automated negotiations, cross-platform payloads, and generous profit-sharing arrangements that could appeal to cybercriminals seeking reliable monetization opportunities.
The malware is written in Go, which lets the operators compile one codebase into a self-contained, statically linked executable for each of Windows, Linux, and macOS; a single Go binary does not run on all three, but the same source produces a build for each target with no change to the encryption logic.
This lets an affiliate cover mixed Windows, Linux, and macOS estates in a single campaign with one toolset rather than one encryptor per platform.
The choice of Go follows a broader trend among ransomware authors: static linking removes runtime dependencies on the victim host, and goroutines make it easy to encrypt many files in parallel, which shortens the interval between execution and full encryption.
However, analysis by Picus Security Labs researchers found that GLOBAL GROUP is not a new threat family but a rebranding of existing ransomware operations.
Through detailed examination of malware samples, infrastructure configurations, and operational patterns, analysts identified clear connections to the defunct Mamona RIP and Black Lock ransomware families, suggesting continuity rather than innovation in the threat landscape.
Evidence of this connection becomes apparent through technical artifacts embedded within the malware samples.
The binary creates a named mutex, “GlobalFxo16jmdgujs437”, so that a second copy launched on the same host finds the object already present and exits instead of encrypting files twice.
The same mutex name appears in Mamona RIP samples; a hardcoded object name like this is an unlikely coincidence between independently written projects, so its reuse points to shared source rather than parallel development.
The name also doubles as a hunting indicator: a process creating that mutex on a host warrants investigation regardless of what the binary is called.
Advanced Encryption and Payload Architecture
Beyond portability, the sample uses a current authenticated-encryption primitive and a parallel execution model.
GLOBAL GROUP encrypts files with ChaCha20-Poly1305, an AEAD construction: ChaCha20 provides confidentiality and Poly1305 produces an authentication tag, so a ciphertext that has been altered fails verification instead of decrypting to garbage.
For the operators the attraction is practical rather than cryptanalytic: ChaCha20 runs fast in pure software on any CPU, with no dependence on AES hardware instructions, which matters when encrypting large volumes across heterogeneous hosts. For a victim the cipher name changes little; recovery hinges on whether the keys can be obtained, not on attacking a well-reviewed primitive.
The encryptor uses goroutines to process all reachable drives and files concurrently rather than walking them one at a time.
The resulting parallelism shortens the time between initial execution and full encryption, which is the window in which endpoint detection can still interrupt the attack.
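The following Go program is an added illustration of the two mechanisms just described, an AEAD applied per file and a goroutine pool that parallelizes across files; it is not GLOBAL GROUP's code and is not derived from the sample. It uses AES-256-GCM from Go's standard library, which exposes the same cipher.AEAD interface (Seal/Open, NonceSize, Overhead) as ChaCha20-Poly1305, so it runs without downloading golang.org/x/crypto; replacing the body of newAEAD with chacha20poly1305.New(key) gives the algorithm the article names. The in-memory "files", the nonce-prefix layout, and all function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Assumed affiliate-chosen extension; the article cites ".lockbitloch" as one observed value.
const lockedExt = ".lockbitloch"

// fileBlob is a constructed in-memory stand-in for a file; nothing on disk is touched.
type fileBlob struct {
	Name string
	Data []byte
}

// newRandomKey returns a fresh 32-byte key from the OS CSPRNG.
func newRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newAEAD builds the cipher.AEAD the rest of the code works with. AES-256-GCM is used
// so the example runs offline; ChaCha20-Poly1305 has the identical interface via
// chacha20poly1305.New(key) in golang.org/x/crypto (assumption: that is the only change).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts one file into nonce || ciphertext || tag. The nonce must be fresh per
// file: reusing one under the same key breaks both confidentiality and integrity.
// The nonce-prefix layout is this example's choice, not the malware's.
func sealFile(aead cipher.AEAD, f fileBlob) (fileBlob, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return fileBlob{}, err
	}
	ct := aead.Seal(nonce, nonce, f.Data, nil) // Seal appends ciphertext+tag after the nonce
	return fileBlob{Name: f.Name + lockedExt, Data: ct}, nil
}

// openFile is the decryptor side. Open verifies the tag before releasing any plaintext,
// so a flipped byte anywhere in the blob yields an error rather than corrupted output.
func openFile(aead cipher.AEAD, f fileBlob) ([]byte, error) {
	ns := aead.NonceSize()
	if len(f.Data) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, f.Data[:ns], f.Data[ns:], nil)
}

// encryptAll is the fan-out pattern the article describes: a fixed pool of goroutines pulls
// file indexes from a channel, so wall-clock time scales with CPU count, not file count.
// Each worker writes to its own result slot, so no lock is needed on the output slices.
func encryptAll(aead cipher.AEAD, files []fileBlob, workers int) ([]fileBlob, error) {
	out := make([]fileBlob, len(files))
	errs := make([]error, len(files))
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs {
				out[i], errs[i] = sealFile(aead, files[i])
			}
		}()
	}
	for i := range files {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// sizeDelta is the per-file growth this layout produces: nonce plus tag, independent of size.
func sizeDelta(aead cipher.AEAD) int { return aead.NonceSize() + aead.Overhead() }

func main() {
	key, err := newRandomKey()
	if err != nil {
		panic(err)
	}
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	// constructed sample "files"
	files := []fileBlob{
		{"budget.xlsx", bytes.Repeat([]byte("Q3 "), 100)},
		{"notes.txt", []byte("meeting at 10")},
		{"empty.log", nil},
	}
	locked, err := encryptAll(aead, files, 4)
	if err != nil {
		panic(err)
	}
	for i, f := range locked {
		fmt.Printf("%s -> %s (+%d bytes)\n", files[i].Name, f.Name, len(f.Data)-len(files[i].Data))
	}
	locked[0].Data[len(locked[0].Data)-1] ^= 0x01 // corrupt one ciphertext byte
	_, err = openFile(aead, locked[0])
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The size check is the practical takeaway: under this layout every encrypted file grows by exactly NonceSize()+Overhead() bytes (28 here; 12+16 is also ChaCha20-Poly1305's figure), a constant delta an analyst can test for across a set of encrypted files, and any modified blob fails in Open rather than yielding partial plaintext.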
Encrypted files receive an affiliate-configured extension, such as “.lockbitloch”, and filenames themselves are often encrypted as well, so a victim cannot even inventory what was lost without the decryption keys.
Decompilation shows the ransom note assembled at runtime from strings hardcoded in the executable.
Dedicated functions build the victim message, including the Tor (.onion) addresses of the leak site and the negotiation portal.
Keeping contact on Tor preserves the operators' anonymity, and because those addresses are embedded in the binary they are also the easiest indicators to pull from a sample with a strings pass.