GLOBAL GROUP’s Golang Ransomware Attacks Windows, Linux, and macOS Environments

Posted on July 22, 2025 By CWS

A sophisticated new ransomware threat has emerged from the cybercriminal underground, targeting organizations across multiple operating systems with advanced cross-platform capabilities.

In June 2025, a ransomware actor operating under the alias “Dollar Dollar Dollar” launched GLOBAL GROUP on the Ramp4u cybercrime forum, marketing it as a cutting-edge Ransomware-as-a-Service (RaaS) platform.

The group promised affiliates scalable operations with automated negotiations, cross-platform payloads, and generous profit-sharing arrangements designed to appeal to cybercriminals seeking reliable monetization opportunities.

The malware represents a significant evolution in ransomware development, using the Golang programming language to build monolithic binaries capable of running seamlessly across Windows, Linux, and macOS environments.

This multi-platform approach allows threat actors to target diverse IT infrastructures within a single attack campaign, maximizing their potential victim pool and operational efficiency.

The choice of Golang reflects current industry trends in which attackers leverage the language’s concurrency model and static linking capabilities to accelerate encryption at unprecedented scale.

However, forensic analysis conducted by Picus Security Labs researchers revealed that GLOBAL GROUP is not an entirely new threat family but rather a sophisticated rebranding of existing ransomware operations.

Through detailed examination of malware samples, infrastructure configurations, and operational patterns, analysts identified clear connections to the defunct Mamona RIP and BlackLock ransomware families, suggesting continuity rather than innovation in the threat landscape.

Evidence of this connection becomes apparent through technical artifacts embedded within the malware samples.

The ransomware binary contains a specific mutex string “GlobalFxo16jmdgujs437” that prevents multiple simultaneous executions of the ransomware process.

This identical mutex was previously identified in Mamona RIP ransomware samples, indicating direct codebase inheritance rather than coincidental similarity.

The reuse of such specific technical markers demonstrates that GLOBAL GROUP represents an evolution of proven attack methodologies rather than ground-up development.
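A reused mutex string like the one above is exactly the kind of artifact a defender can turn into a sample-attribution check. The Python scanner below is an added example, not code from the article or from Picus Security Labs: it searches a raw binary blob for the mutex and the affiliate extension quoted on this page, plus a few generic Go runtime symbol names (an assumption about what statically linked Go binaries contain, not a GLOBAL GROUP indicator), over constructed byte strings standing in for samples.

```python
import re

# Indicators quoted in the article: the mutex inherited from Mamona RIP and
# the affiliate-defined extension. No other IoCs appear on the page.
MAMONA_LINEAGE_MUTEX = b"GlobalFxo16jmdgujs437"
AFFILIATE_EXTENSION = b".lockbitloch"

# Symbol names that unstripped, statically linked Go binaries normally carry.
# This is a generic "built with Go" hint (assumed), not a GLOBAL GROUP marker.
GO_RUNTIME_MARKERS = (b"runtime.goexit", b"runtime.main", b"Go build ID")


def scan_sample(data: bytes) -> dict:
    """Return which lineage artifacts a raw binary blob contains."""
    return {
        "mutex_mamona_lineage": MAMONA_LINEAGE_MUTEX in data,
        "mutex_offsets": [m.start() for m in re.finditer(re.escape(MAMONA_LINEAGE_MUTEX), data)],
        "affiliate_extension": AFFILIATE_EXTENSION in data,
        "golang_runtime": any(marker in data for marker in GO_RUNTIME_MARKERS),
    }


def verdict(findings: dict) -> str:
    """Collapse the findings into a triage label for an analyst queue."""
    if findings["mutex_mamona_lineage"]:
        # The mutex alone ties the sample to the Mamona RIP / GLOBAL GROUP codebase.
        return "GLOBAL GROUP (Mamona RIP lineage)"
    if findings["affiliate_extension"]:
        return "suspicious: GLOBAL GROUP affiliate extension present"
    return "no known GLOBAL GROUP artifacts"


# Constructed stand-ins for samples (not real binaries): an ELF magic, a Go
# runtime symbol and the mutex, versus a Go binary without the mutex.
CONSTRUCTED_GLOBAL_GROUP = (b"\x7fELF" + b"\x00" * 12 + b"runtime.goexit\x00"
                            + b"GlobalFxo16jmdgujs437\x00" + b".lockbitloch\x00")
CONSTRUCTED_BENIGN_GO = b"\x7fELF" + b"\x00" * 12 + b"runtime.main\x00hello, world\x00"

if __name__ == "__main__":
    for label, blob in (("sample A", CONSTRUCTED_GLOBAL_GROUP), ("sample B", CONSTRUCTED_BENIGN_GO)):
        findings = scan_sample(blob)
        print(label, verdict(findings), findings)
```

The mutex offset list lets an analyst jump straight to the string in a hex editor to confirm the match in context.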

Advanced Encryption and Payload Architecture

The ransomware’s technical sophistication extends beyond its cross-platform capabilities to encompass modern cryptographic implementations and optimized execution strategies.

GLOBAL GROUP employs the ChaCha20-Poly1305 encryption algorithm, a contemporary choice that provides both confidentiality and message integrity verification.

This algorithm selection demonstrates the operators’ commitment to implementing robust encryption that resists cryptanalysis while maintaining operational efficiency across large-scale file processing operations.

The malware’s architecture exploits Golang’s native concurrency features through goroutines to handle encryption across all accessible drives simultaneously.

This parallel processing approach significantly reduces the time required to encrypt victim systems, minimizing the window for detection and response.

Each encrypted file receives a custom extension defined by individual affiliates, such as “.lockbitloch,” while filenames themselves are often encrypted to further complicate recovery efforts without the proper decryption keys.
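On the victim side, the affiliate extension, the encrypted filenames and the AEAD output described above are what an incident responder has to locate quickly after a fast parallel encryption run. The Python triage routine below is an added example, not code from the article: it classifies files by the quoted “.lockbitloch” extension, by a byte-entropy threshold of 7.5 bits per byte (an assumed cut-off chosen because ChaCha20-Poly1305 ciphertext is near 8.0), and by ransom-note wording that carries a Tor address, over a constructed in-memory set of files rather than a real volume.

```python
import hashlib
import math
from collections import Counter

KNOWN_EXTENSIONS = (".lockbitloch",)  # affiliate-defined extension quoted in the article
POLY1305_TAG_LEN = 16                  # every ChaCha20-Poly1305 output ends in a 16-byte tag
ENTROPY_THRESHOLD = 7.5                # bits/byte; assumed cut-off, AEAD ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    if name.lower().endswith(KNOWN_EXTENSIONS):
        return "encrypted:known-extension"
    # Ransom notes carry Tor addresses for the leak site and negotiation portal.
    if b".onion" in data and b"decrypt" in data.lower():
        return "ransom-note-candidate"
    # Encrypted filenames lose their extension, so fall back to content entropy.
    # Caveat: compressed formats (zip, docx, jpeg) are high-entropy too; a real
    # deployment allow-lists them by magic bytes before applying this rule.
    if len(data) >= POLY1305_TAG_LEN and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted:high-entropy"
    return "clean"


def triage(files: dict) -> dict:
    """Map each file name to a classification label."""
    return {name: classify(name, data) for name, data in files.items()}


def _pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AEAD output (constructed)."""
    chunks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(length // 32 + 1))
    return b"".join(chunks)[:length]


# Constructed volume snapshot, not real victim data; the .onion address is a placeholder.
CONSTRUCTED_VOLUME = {
    "Q3-report.txt": b"quarterly report text " * 200,
    "k3jd9s1.lockbitloch": _pseudo_ciphertext(4096),
    "sdf8h2kq": _pseudo_ciphertext(2048),  # encrypted name, no extension left
    "HOW_TO_RESTORE.txt": b"Your files are encrypted. Visit http://PLACEHOLDER.onion to decrypt.",
}
```

Calling `triage(CONSTRUCTED_VOLUME)` labels the plain report clean, flags both ciphertext files (one by extension, one by entropy) and singles out the note as the place to look for the negotiation address.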

Decompilation of the binary reveals hardcoded ransom note construction logic embedded directly within the executable.

The malware uses specific function calls to assemble victim communication messages, including embedded Tor network addresses for accessing leak sites and negotiation portals.

This integration demonstrates the operators’ focus on streamlining the extortion process while maintaining operational security through anonymized communication channels.
