Sunday, January 18, 2026

GLOBAL GROUP Launches Golang-Based Ransomware Targeting Windows, Linux, and macOS Systems

A new ransomware-as-a-service operation calling itself GLOBAL GROUP has surfaced on cybercrime forums, but forensic analysis shows it is a rebranding of the defunct Mamona RIP and BlackLock ransomware families rather than a fresh project.

The group, operated by a threat actor known as "$$$," has built cross-platform ransomware in Go (Golang) with builds for Windows, Linux, and macOS, pairing authenticated encryption with an automated negotiation system to maximize impact and profit.

Technical Architecture Reveals Sophisticated Cross-Platform Capabilities

GLOBAL GROUP's ransomware uses Go's concurrency model to speed up encryption, and a single codebase is cross-compiled into a native binary for each target operating system.

The malware encrypts with ChaCha20-Poly1305, an authenticated encryption (AEAD) scheme that provides both confidentiality and integrity, and spreads the work across goroutines so that all available drives are processed in parallel.

Forensic analysis revealed a critical attribution link through the reuse of a mutex name.

The ransomware contains the mutex string “Global\Fxo16jmdgujs437,” which is identical to the one found in previous Mamona RIP samples, indicating direct codebase inheritance rather than new development.

This mutex prevents multiple simultaneous executions of the ransomware process, enforcing single-instance behavior; the Global\ prefix places the object in the Windows global kernel namespace, so the check holds across every user session on the host.

The group's builder platform offers affiliates extensive customization, including control over what percentage of each file is encrypted (partial encryption trades completeness for speed), custom file extensions, and modular execution blocks.

Configuration flags enable features such as terminating security processes, clearing Windows Event Logs, encrypting filenames, and self-deletion of the binary after execution.

Infrastructure Exposed Through Operational Security Failures

Despite the group's technical capabilities, operational security failures have exposed critical details of its infrastructure.

The group's Tor-hosted leak site runs a JavaScript frontend that pulls its settings from an unauthenticated REST API endpoint, and the response includes the backend's SSH credentials.

This exposure revealed the backend's real IP address, 193.19.119.4, hosted by the Russian VPS provider IpServer, the same provider previously associated with Mamona operations.
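The misconfiguration class described above, as an added example that is not code from the group's site or from any real system: a Go net/http handler that serializes the whole backend settings object to an unauthenticated /api/config route, next to the fix (a dedicated response type that carries only what the browser needs), with the check a reviewer would run against both. The struct, field names, and values are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// backendConfig is the kind of server-side settings object a panel backend
// loads at startup. The values are constructed placeholders for this
// example, not credentials from any real system.
type backendConfig struct {
	SiteName  string `json:"site_name"`
	PublicURL string `json:"public_url"`
	SSHHost   string `json:"ssh_host"`
	SSHUser   string `json:"ssh_user"`
	SSHPass   string `json:"ssh_pass"`
}

var cfg = backendConfig{
	SiteName:  "example-panel",
	PublicURL: "http://example.onion",
	SSHHost:   "203.0.113.10", // TEST-NET-3 address, constructed
	SSHUser:   "deploy",
	SSHPass:   "not-a-real-password",
}

// publicConfig is a separate response type holding only the fields the
// browser-side code needs; a field that is not listed here cannot leak.
type publicConfig struct {
	SiteName  string `json:"site_name"`
	PublicURL string `json:"public_url"`
}

// LeakyConfigHandler serializes the entire backend struct. Because the route
// has no authentication, any visitor or crawler receives the SSH details.
func LeakyConfigHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(cfg)
}

// SafeConfigHandler maps the internal struct onto the public DTO first, so
// the secret fields never reach the encoder.
func SafeConfigHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(publicConfig{SiteName: cfg.SiteName, PublicURL: cfg.PublicURL})
}

// FetchConfig serves the handler on an in-process test server and returns
// the body a frontend would receive, so both variants can be compared offline.
func FetchConfig(h http.HandlerFunc) string {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/api/config")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	return string(body)
}

// LeaksSecret is the check to run against any unauthenticated JSON endpoint:
// do keys that carry secrets appear anywhere in the response?
func LeaksSecret(body string) bool {
	for _, key := range []string{"ssh_host", "ssh_user", "ssh_pass"} {
		if strings.Contains(body, key) {
			return true
		}
	}
	return false
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"leaky": LeakyConfigHandler, "safe": SafeConfigHandler} {
		body := FetchConfig(h)
		fmt.Printf("%-5s leaks secrets: %v\n%s", name, LeaksSecret(body), body)
	}
}
```

The same review applies to any "dump the config" route: serializing the struct the server uses internally is the bug, regardless of framework, and the fix is a response type that is defined from the client's needs rather than from the server's state.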

The group operates a dual-portal system consisting of a data leak site and a separate AI-powered negotiation panel.

Victims are directed to upload sample encrypted files for a free test decryption that proves the attackers hold the key, while an automated chatbot applies psychological pressure through countdown timers and escalating threats.

Chat transcripts reveal ransom demands reaching seven-figure sums, including a demand of 9.5 BTC (approximately $1 million at the time).

Collaborative Criminal Ecosystem

GLOBAL GROUP relies heavily on Initial Access Brokers (IABs) for network infiltration, with the group’s operator directly engaging in underground forums to purchase compromised credentials.

The group has shown interest in custom brute-force tools targeting Fortinet, Palo Alto GlobalProtect, and Microsoft services, indicating that credential attacks against exposed VPN and remote-access services are a preferred entry route.

Security teams should focus detection on behavioral signs of mass file encryption across drives, the custom file extension patterns affiliates configure, and creation of the known mutex name (Global\Fxo16jmdgujs437). The mutex name is the highest-confidence indicator; the cipher on its own is not, since ChaCha20-Poly1305 is also used by legitimate software such as TLS stacks.
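As an added example (not from the article's underlying analysis), the following Go program scans a file for the indicators this article gives, weighting the mutex name far above generic markers; it also serves the attribution point made earlier, where the same mutex name tied GLOBAL GROUP samples to Mamona RIP. The sample bytes are constructed. The ChaCha20 constant and the Go build-ID marker are my own additions, labeled as assumptions in the code, and both appear in plenty of legitimate software, which is why they carry low weights.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
)

// Indicator is a byte pattern to look for in a sample, with a weight that
// reflects how specific it is on its own.
type Indicator struct {
	Name    string
	Pattern []byte
	Weight  int
}

// Indicators: the mutex name is taken from the article. The other two are
// assumptions added for this example: "expand 32-byte k" is the ChaCha20
// constant that ships as a data literal in golang.org/x/crypto's amd64
// assembly, and "Go build ID:" is the build stamp Go writes into non-ELF
// binaries (ELF builds carry it in a note section instead). Both are common
// in legitimate software, hence the low weights.
var Indicators = []Indicator{
	{Name: "mamona-global-mutex", Pattern: []byte(`Global\Fxo16jmdgujs437`), Weight: 100},
	{Name: "chacha20-sigma-constant", Pattern: []byte("expand 32-byte k"), Weight: 10},
	{Name: "go-build-id", Pattern: []byte("Go build ID:"), Weight: 5},
}

// Hit records one indicator found at one offset.
type Hit struct {
	Name   string
	Offset int
	Weight int
}

// Scan returns every indicator occurrence in data and the summed weight.
func Scan(data []byte) ([]Hit, int) {
	var hits []Hit
	score := 0
	for _, ind := range Indicators {
		start := 0
		for {
			i := bytes.Index(data[start:], ind.Pattern)
			if i < 0 {
				break
			}
			hits = append(hits, Hit{Name: ind.Name, Offset: start + i, Weight: ind.Weight})
			score += ind.Weight
			start += i + len(ind.Pattern)
		}
	}
	return hits, score
}

// Verdict turns the score into the triage label an analyst would act on.
func Verdict(score int) string {
	switch {
	case score >= 100:
		return "match: Mamona/GLOBAL GROUP mutex present"
	case score > 0:
		return "weak: generic Go/ChaCha20 markers only"
	default:
		return "none"
	}
}

// ConstructedSample mimics the string table of a stripped Go build; it is
// fabricated for this example and is not a real sample.
func ConstructedSample(withMutex bool) []byte {
	var b bytes.Buffer
	b.WriteString("\x00\x00Go build ID: \"abc123\"\x00\x00")
	b.WriteString("expand 32-byte k\x00")
	if withMutex {
		b.WriteString("Global\\Fxo16jmdgujs437\x00")
	}
	b.WriteString("runtime.main\x00")
	return b.Bytes()
}

func main() {
	// With a path argument the real file is scanned; otherwise the constructed sample.
	data := ConstructedSample(true)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	hits, score := Scan(data)
	for _, h := range hits {
		fmt.Printf("%-24s offset=%d weight=%d\n", h.Name, h.Offset, h.Weight)
	}
	fmt.Println(Verdict(score))
}
```

Run it as `go run scan.go suspect.exe`; the mutex string alone is enough for a match verdict, while a binary that only shows the Go and ChaCha20 markers is flagged as weak and needs further triage.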
