Cybercriminals from GLOBAL GROUP Target All Platforms with Golang Ransomware
A notorious ransomware actor known by the alias $$$ has unveiled GLOBAL GROUP, positioning it as a cutting-edge Ransomware-as-a-Service (RaaS) operation.
Promising automated negotiations, cross-platform payloads, and lucrative affiliate splits, the group claims innovation in scalable extortion.
However, deep forensic analysis of malware samples, infrastructure setups, and operational logic uncovers that GLOBAL is merely a rebranded evolution of the defunct Mamona RIP and Black Lock ransomware families, perpetuated by the same threat actor.
This continuity is evident in shared code artifacts, hosting patterns, and behavioral traits, suggesting a strategic refresh to attract new affiliates rather than genuine novelty.
Rebranded Threat
By dissecting leaked API metadata, reverse-engineered binaries, and actor interactions, security researchers have mapped GLOBAL’s ecosystem, revealing mature tradecraft layered over familiar foundations.
At its core, GLOBAL’s ransomware leverages Golang for monolithic binaries that execute seamlessly across Windows, Linux, and macOS, capitalizing on Go’s concurrency for rapid, large-scale encryption.
A key indicator of inheritance is the mutex string “GlobalFxo16jmdgujs437,” identical to that in Mamona RIP samples, which enforces single-instance execution so that a second copy cannot run alongside the first.
Encryption employs the ChaCha20-Poly1305 algorithm, delivering robust confidentiality and integrity, while goroutines parallelize the encryption of files across drives.
Affiliates can customize extensions like “.lockbitloch,” with options to encrypt filenames, thwarting easy recovery.
Technical Dissection
The ransom note, hardcoded in the binary, is assembled via I/O functions and written as README.txt, featuring coercive language, Tor-based leak sites, and a dual-portal setup for data leaks and negotiations.
According to the Picus Security report, this includes a hardcoded Tor onion address for victim verification, embedding proof-of-decryption offers to build false trust amid threats of data publication within tight deadlines.
Further scrutiny exposes operational security lapses in GLOBAL’s infrastructure.
The Tor-hosted Dedicated Leak Site (DLS) uses a JavaScript frontend that inadvertently leaks backend details via an unprotected /posts API endpoint, revealing SSH credentials like “[email protected]:22.”
This IP, tied to the Russian VPS provider IpServer and previously linked to Mamona, serves as a central node for exfiltrated data, highlighting poor compartmentalization.
The RaaS builder portal, accessible on desktop and mobile, offers granular configuration: encryption percentages, self-deletion flags, process termination for AV/EDR evasion, log wiping via tools like wevtutil, and multi-OS compilation targeting ESXi, BSD, and NAS systems.
These modular blocks suggest dynamic compile-time assembly, optimizing binaries for evasion.
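The log wiping via wevtutil mentioned above is one of the more detectable builder features. The following is an added detection example, not code from the report or the group's own tooling; it runs over constructed Sysmon-style process-creation records (the field names are assumptions) and flags both individual wevtutil clear commands and hosts where several distinct logs were cleared in a row, which is the pattern a ransomware payload produces rather than a one-off admin action.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not real telemetry); the
# field names are assumptions, chosen to resemble Sysmon Event ID 1 output.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T02:11:03Z", "host": "srv01", "user": "CORP\\svc_backup",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": "2025-07-14T02:11:04Z", "host": "srv01", "user": "CORP\\svc_backup",
     "cmd": "wevtutil clear-log System"},
    {"ts": "2025-07-14T02:11:04Z", "host": "srv01", "user": "CORP\\svc_backup",
     "cmd": "WEVTUTIL CL Application"},
    {"ts": "2025-07-14T09:30:00Z", "host": "ws07", "user": "CORP\\alice",
     "cmd": "wevtutil qe Security /c:5 /f:text"},   # a query, not a clear
    {"ts": "2025-07-14T09:31:00Z", "host": "ws07", "user": "CORP\\alice",
     "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Match both the short (cl) and long (clear-log) forms of the clear command,
# with or without the .exe suffix, case-insensitively.
CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)


def find_log_clears(events):
    """Return (host, user, log_name) for every wevtutil clear invocation."""
    hits = []
    for ev in events:
        m = CLEAR_RE.search(ev["cmd"])
        if m:
            hits.append((ev["host"], ev["user"], m.group(1)))
    return hits


def hosts_with_mass_clear(events, min_logs=2):
    """Hosts on which at least min_logs distinct event logs were cleared.
    Wiping several logs back to back is the ransomware pattern; a single
    clear is more often routine administration."""
    per_host = defaultdict(set)
    for host, _user, log in find_log_clears(events):
        per_host[host].add(log.lower())
    return sorted(h for h, logs in per_host.items() if len(logs) >= min_logs)


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print("log clear:", hit)
    print("mass-clear hosts:", hosts_with_mass_clear(SAMPLE_EVENTS))
```

In production the same logic maps onto Windows Security event 1102 (audit log cleared) and System event 104, which fire even when the command line is not captured.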
GLOBAL’s negotiation panel integrates an AI-driven chatbot on a separate Tor domain, automating psychological manipulation with timers, file upload prompts for decryption proofs, and escalating demands often in seven figures, like 9.5 BTC.
This scales affiliate operations, reducing manual oversight.
Initial access relies on brokers like HuanEbashes, who peddle RDP credentials and brute-force tools for VPNs and Microsoft services, with $$$ engaging in profit-sharing deals.
Attribution solidifies through reused mutexes, IPs, builder UIs, and even qTOX references to “Global Black Lock,” confirming GLOBAL as a polished continuation of established ransomware lineages, poised to exploit diverse environments with refined, cross-platform malice.