{
  "name": "Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale",
  "slug": "tracking-global-group-ransomware-from-mamona-to-market-scale",
  "description": "A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomware, built in Golang, supports cross-platform execution and uses ChaCha20-Poly1305 encryption. It features a dual-portal model for leak site viewing and negotiations, with an AI-powered chatbot for automated communication. The group's infrastructure mistakes exposed backend SSH credentials and real IP addresses. GLOBAL relies on Initial Access Brokers for network infiltration and offers a full-featured affiliate portal for custom payload generation.",
  "published": "2025-08-21T14:16:29+00:00",
  "created_at": "2025-08-21T14:16:29+00:00",
  "modified_at": "2025-08-21T18:03:05+00:00",
  "created_at_opencti": "2025-08-21T14:16:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-21",
    "ai chatbot",
    "black lock",
    "chacha20-poly1305",
    "cross-platform",
    "global group",
    "golang",
    "initial access brokers",
    "mamona rip",
    "raas",
    "ransomware",
    "tor"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "193.19.119.4"
      },
      {
        "id": "",
        "name": "http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/\\n"
      },
      {
        "id": "",
        "name": "http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/"
      },
      {
        "id": "",
        "name": "http://gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/"
      },
      {
        "id": "",
        "name": "vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion"
      },
      {
        "id": "",
        "name": "gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion"
      }
    ],
    "malware": [
      {
        "id": "ff9161b0-770a-42f3-9f82-cc6e6318779b",
        "name": "Black Lock",
        "slug": "black-lock"
      },
      {
        "id": "fc690112-2082-4da5-a49e-d2a2c8928a24",
        "name": "Mamona RIP",
        "slug": "mamona-rip"
      },
      {
        "id": "cbd1d206-b864-48bb-9a73-bb600abc0206",
        "name": "GLOBAL GROUP",
        "slug": "global-group"
      }
    ],
    "intrusion_sets": [
      {
        "id": "24337166-7dd2-41f0-9569-4a4b1de9ecf2",
        "name": "GLOBAL GROUP",
        "slug": "global-group"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-31324"
      },
      {
        "id": "",
        "name": "CVE-2025-32433"
      },
      {
        "id": "",
        "name": "CVE-2025-22457"
      },
      {
        "id": "",
        "name": "CVE-2024-57727"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Legal"
      }
    ]
  },
  "external_refs": [
    "https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale",
    "https://otx.alienvault.com/pulse/68a7465dffe0f0d5bcc3161b"
  ]
}