A sophisticated new ransomware threat has emerged from the cybercriminal underground, targeting organizations across multiple operating systems with advanced cross-platform capabilities.

In June 2025, a ransomware actor operating under the alias “Dollar Dollar Dollar” introduced GLOBAL GROUP on the Ramp4u cybercrime forum, marketing it as a cutting-edge Ransomware-as-a-Service (RaaS) platform. The group promised affiliates scalable operations with automated negotiations, cross-platform payloads, and generous profit-sharing arrangements that could appeal to cybercriminals seeking reliable monetization opportunities.

The malware represents a significant evolution in ransomware development, using the Golang programming language to build monolithic binaries capable of executing seamlessly across Windows, Linux, and macOS environments. This multi-platform approach allows threat actors to target diverse IT infrastructures within a single attack campaign, maximizing their potential victim pool and operational efficiency. The choice of Golang reflects current industry trends where attackers leverage the language’s concurrency model and static linking capabilities to accelerate encryption processes at unprecedented scale.

However, forensic analysis conducted by Picus Security Labs researchers revealed that GLOBAL GROUP is not an entirely new threat family but rather a sophisticated rebranding of existing ransomware operations. Through detailed examination of malware samples, infrastructure configurations, and operational patterns, analysts identified clear connections to the defunct Mamona RIP and Black Lock ransomware families, suggesting continuity rather than innovation in the threat landscape.

The ransomware binary contains a distinctive mutex string “Global\Fxo16jmdgujs437” that prevents multiple simultaneous executions of the ransomware process. This identical mutex was previously identified in Mamona RIP ransomware samples, indicating direct codebase inheritance rather than coincidental similarity. The reuse of such specific technical markers demonstrates that GLOBAL GROUP represents an evolution of proven attack methodologies rather than ground-up development.

GLOBAL GROUP employs the ChaCha20-Poly1305 encryption algorithm, a contemporary choice that provides both confidentiality and message integrity verification. This algorithm selection demonstrates the operators’ commitment to implementing robust encryption that resists cryptanalysis while maintaining operational efficiency during large-scale file processing operations. Each encrypted file receives a custom extension defined by individual affiliates, such as “.lockbitloch,” while filenames themselves are often encrypted to further complicate recovery efforts without proper decryption keys.

The malware uses specific function calls to assemble victim communication messages, including embedded Tor network addresses for accessing leak sites and negotiation portals. This integration demonstrates the operators’ focus on streamlining the extortion process while maintaining operational security through anonymized communication channels.
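The shared mutex is the kind of marker a defender can turn into a lineage check when triaging string dumps from suspect binaries. The following Python is an added example written for this page, not code from the article or from Picus Security Labs: it pulls every `Global\`-namespace object name out of a byte blob, looks each one up in a small marker table seeded only with the mutex reported above, and also checks for the “Go build ID:” string that Go toolchains embed (a heuristic assumed here, not something the article states). Both input blobs are constructed stand-ins, not real samples.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the printable-string dump of two binaries (what a
# `strings` pass over a sample would yield). Neither is a real sample.
CONSTRUCTED_SUSPECT = (
    b"\x00\xffGo build ID: \"constructed-id\"\n\xff\x00"
    b"Global\\Fxo16jmdgujs437\x00"
    b".lockbitloch\x00"
)
CONSTRUCTED_BENIGN = b"\x00Global\\ExampleService_Lock\x00config.json\x00"

# Marker table: only the mutex the article reports is listed; the value records
# which families it has been observed in, so a hit carries lineage information.
KNOWN_MUTEXES: Dict[str, List[str]] = {
    "Global\\Fxo16jmdgujs437": ["GLOBAL GROUP", "Mamona RIP"],
}

# Windows kernel objects created in the Global\ namespace are visible across
# sessions, which is why a single-instance guard mutex lives there.
MUTEX_RE = re.compile(rb"Global\\[A-Za-z0-9_\-]{4,64}")

# Assumed heuristic: Go toolchains embed a "Go build ID:" string in the binary.
GO_MARKER = b"Go build ID:"


def extract_global_mutexes(data: bytes) -> List[str]:
    """Return every Global\\-namespace object name in the blob, in order, deduplicated."""
    seen: List[str] = []
    for m in MUTEX_RE.finditer(data):
        name = m.group(0).decode("ascii")
        if name not in seen:
            seen.append(name)
    return seen


def triage(data: bytes) -> dict:
    """Summarise lineage indicators for one blob: candidate mutexes, known-family hits, Go marker."""
    mutexes = extract_global_mutexes(data)
    hits = {m: KNOWN_MUTEXES[m] for m in mutexes if m in KNOWN_MUTEXES}
    return {
        "mutexes": mutexes,
        "lineage_hits": hits,
        "go_binary": GO_MARKER in data,
        "verdict": "known-lineage" if hits else "no-known-marker",
    }


if __name__ == "__main__":
    for label, blob in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        print(label, triage(blob))
```

The file extension is deliberately left out of the marker table: the article notes it is chosen per affiliate, so it is a weak pivot compared with a mutex name that survived a rebrand unchanged.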
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Jul 2025 08:35:12 +0000