GLOBAL ransomware is a recently established Ransomware-as-a-Service (RaaS) group that surfaced in mid-2025 but is linked through OPSEC mistakes to earlier families such as Mamona and BlackLock. The operation is financially motivated and wants to attract as many affiliates as possible, offering high revenue shares, no entry fees, and an admin panel with AI-driven negotiation tools. Victimology shows a clear focus on healthcare and manufacturing sectors where downtime creates maximum pressure to pay. GLOBAL offers cross-platform lockers written in C++, C, and Golang with enterprise-oriented features such as LDAP propagation, token impersonation, and configurable execution modes designed for speed and scalability. GLOBAL affiliates leverage Initial Access Brokers to streamline intrusions, which expands participation and attack volume. The group uses aggressive negotiation tactics, ransom notes delivered across multiple vectors, and a Tor-hosted AI chatbot portal to manage communications.
GLOBAL Ransomware, also known as the GLOBAL GROUP, is a Ransomware-as-a-Service (RaaS) group that first emerged in June 2025. Since then, it has claimed 32 victims on its tor data leak site (DLS). Over half of GLOBAL’s victims operate in the healthcare or manufacturing sectors, following a larger trend where cyber extortionists target industries that are heavily reliant on digital systems for business operations. In healthcare, this can disrupt patient care and overall well-being, creating additional pressure on victims during ransom negotiations. This also reveals the financial motivations of the group, targeting high value sectors that are more likely to pay a ransom to resume normal operations.
Mistakes in operational security (OPSEC) revealed that the group is a continuation of the Mamona and BlackLock ransomware families. When first deploying its Tor DLS, GLOBAL used an insecure REST API on the frontend that exposed an SSH connection field containing the true IP address of its backend infrastructure, 193.19.119[.]4. This server is hosted by Russian VPS provider IPServer, the same hosting provider previously used by Mamona ransomware. The clearest evidence, however, is the use of an identical mutex string, `Global\Fxo16jmdgujs437`, found in samples of both ransomware families. In addition, the same alias, `$$$`, was used to advertise GLOBAL, Mamona, and BlackLock ransomware lockers on the RAMP forum.
Forum posts advertising the RaaS use three languages: English, Russian, and Chinese. This indicates a desire to attract as many affiliates as possible, as most RaaS advertisements cater only to English- and Russian-speaking threat actors. It reflects a shift in the cybercrime ecosystem in which China-based threat actors are beginning to contribute to ransomware operations. Furthermore, it may suggest that GLOBAL intends to target China-based organizations.
GLOBAL operates in the same fashion as most RaaS groups. Affiliates are attracted with a high revenue share of 85% of every ransom they extract from a victim. Currently, there is no fee to join GLOBAL's affiliate program, giving security researchers an opportunity to infiltrate the operation. GLOBAL offers an admin panel that enables affiliates to conduct AI-assisted ransom negotiation chats, manage builds, and download decryptors.
Our investigation into this threat group uncovered a Windows locker sample written in C++. The file was located by searching open malware exchange platforms for GLOBAL’s DLS onion site, which is hardcoded into their lockers. Sandbox analysis of the sample revealed the full ransom note with instructions to access a negotiation chat room. We repeated this process for additional GLOBAL ransomware samples, providing insight into both their negotiation tactics and attack chain.
The malware itself targets Windows, ESXi environments, network-attached storage (NAS) devices, and BSD-based operating systems (FreeBSD, OpenBSD, NetBSD, etc.). The lockers for these platforms are written in C++, C, and Golang. The authors employ anti-analysis techniques to hinder reverse engineering, including debugger checks to prevent dynamic analysis and dead code to confuse disassemblers.
GLOBAL affiliates rely on Initial Access Brokers (IABs) to obtain footholds in victim networks, reflecting a lack of in-house expertise to perform the more technical intrusion work themselves. Rather than developing their own initial access methods, they outsource access or purchase tools that simplify the process. Forum activity shows GLOBAL’s operator “$$$” interacting with the actor “HuanEbashes,” who was selling a $400 “Brute VPN” tool capable of password-spraying Fortinet VPN, Palo Alto GlobalProtect, Cisco VPN, Outlook Web Access (OWA), and RDWeb. This behavior demonstrates how GLOBAL compensates for limited intrusion skills by turning to IABs or malicious tools sold by other threat actors to secure valid credentials and initial entry.
After gaining initial access, the locker payload is deployed. The locker code includes extensive configuration and execution controls. Strings from a GLOBAL locker sample built for Windows show support for multiple runtime arguments such as `-force`, `-detached`, `-threads`, `-delay`, and `-skip-net`, allowing affiliates to customize encryption behavior for speed, stealth, or delayed execution (the payload activates encryption at a specified time). The malware can also toggle spreading modes with `-ldap` for Active Directory domain propagation and impersonation, indicating an enterprise-focused design. Execution logs reference modes like `Local + Network` and `Panic Mode`, indicating the ability to rapidly encrypt all reachable storage in high-pressure scenarios.
GLOBAL engages in lateral movement primarily over LDAP, enabling domain-wide propagation in enterprise environments. The malware can operate with two distinct approaches: affiliates may supply domain credentials directly to authenticate and spread across the network, or, if credentials are not available, the malware attempts to impersonate the current user to continue propagation. It does this by invoking Windows API calls such as `OpenProcessToken`, `DuplicateToken`, and `SetThreadToken` to clone and apply a valid security token, granting it the ability to act under the user's context. This redundancy ensures execution, allowing GLOBAL to spread effectively whether or not valid credentials are on hand.
GLOBAL affiliates engage in data theft prior to the encryption stage. Exfiltrated files are sent to a server under the threat actor’s control, ensuring they still have leverage even if encryption fails. To obfuscate their entry point and data servers, the attackers route this traffic through proxy servers and VPNs.
Before the locker payload is deployed, GLOBAL affiliates employ several defense evasion techniques to maximize impact and reduce detection. The malware executes commands such as `cmd.exe /c vssadmin delete shadows /all /quiet` to remove Volume Shadow Copies and prevent easy recovery. It also attempts to terminate antivirus and endpoint detection and response (EDR) processes, then clears Windows Event Logs to hinder forensic analysis and incident response.
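As an added detection example (not code from the report), the following runs over constructed process-creation events and flags the shadow-copy deletion command above together with the locker's documented runtime switches; the "Image|CommandLine" event form and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in an assumed "Image|CommandLine" form; not from the report.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    r"C:\Users\Public\locker.exe|locker.exe -ldap -threads 32 -skip-net",
    r"C:\Users\Public\locker.exe|locker.exe -force -detached -delay 2300",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
]

# Runtime switches the report attributes to the GLOBAL Windows locker.
LOCKER_FLAGS = {"-force", "-detached", "-threads", "-delay", "-skip-net", "-ldap"}
# Shadow-copy deletion as quoted in the report (matches with or without ".exe").
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

@dataclass
class Finding:
    severity: str
    reason: str
    command_line: str

def analyze_event(event: str) -> Optional[Finding]:
    """Score one event; returns None when nothing GLOBAL-related is seen."""
    _image, _, cmdline = event.partition("|")
    if SHADOW_DELETE.search(cmdline):
        return Finding("high", "volume shadow copy deletion", cmdline)
    # Exact-token match keeps ordinary words such as "-delayed" from counting.
    hits = sorted({t.lower() for t in cmdline.split()} & LOCKER_FLAGS)
    if "-ldap" in hits:
        return Finding("high", f"locker switches incl. LDAP propagation: {hits}", cmdline)
    if len(hits) >= 2:  # one generic switch alone is too weak a signal
        return Finding("medium", f"multiple GLOBAL-style locker switches: {hits}", cmdline)
    return None

def analyze_events(events: List[str]) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in events) if f is not None]
```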
For encryption, the ransomware uses the ChaCha20-Poly1305 algorithm and prioritizes speed. Files smaller than 5MB are fully encrypted, and files larger than 5MB have only 20% of their content encrypted. Affiliates are able to use custom file extensions for encrypted files, with some affiliates using seemingly random strings. The malware also uses multiple threads to encrypt multiple drives, directories, and files concurrently. As mentioned before, operators can configure execution using command-line arguments that dictate what is encrypted, granting greater control over encryption time. GLOBAL ransomware uses a unique mutex to determine whether the machine it is executing on has already been encrypted. If the mutex exists on the machine, the ransomware was already executed, so the malware exits to avoid wasting time encrypting the data again. However, this can be overridden using the `-force` flag.
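As an added forensic triage example (not from the report), this checks whether a file's share of high-entropy windows matches the full-versus-partial pattern described above; the 64 KiB window, the 7.9 bits/byte threshold, and the constructed sample files are assumptions.

```python
import math
import os
from collections import Counter

SIZE_THRESHOLD = 5 * 1024 * 1024  # the report's cut-off between full and partial encryption
PARTIAL_FRACTION = 0.20           # share of a large file the report says gets encrypted
CHUNK = 64 * 1024                 # analysis window (assumption, not from the report)
HIGH_ENTROPY = 7.9                # bits/byte; ChaCha20 output sits close to 8.0

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte for one window."""
    n = len(buf)
    ent = 0.0
    for c in Counter(buf).values():
        p = c / n
        ent -= p * math.log2(p)
    return ent

def high_entropy_fraction(data: bytes) -> float:
    """Fraction of fixed-size windows whose entropy looks like ciphertext."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    hot = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return hot / len(chunks) if chunks else 0.0

def classify(data: bytes, tolerance: float = 0.05) -> str:
    """Compare the high-entropy share with what the report predicts for the file's size."""
    frac = high_entropy_fraction(data)
    large = len(data) > SIZE_THRESHOLD
    if frac <= tolerance:
        return "plaintext"
    if large and abs(frac - PARTIAL_FRACTION) <= tolerance:
        return "partial-encryption-pattern"
    if not large and frac >= 1.0 - tolerance:
        return "full-encryption-pattern"
    return "unusual"  # e.g. already-compressed media, or a different locker's pattern

def build_samples():
    """Constructed stand-ins (not real victim files): a 6 MiB file with its first 20%
    replaced by random bytes, and a 1 MiB file that is random throughout."""
    large_size = 6 * 1024 * 1024
    enc_len = int(large_size * PARTIAL_FRACTION)
    filler = b"GLOBAL triage sample plaintext line\n"
    plain = (filler * (large_size // len(filler) + 1))[:large_size - enc_len]
    large = os.urandom(enc_len) + plain
    small = os.urandom(1024 * 1024)
    return large, small
```

Already-compressed formats are high-entropy throughout, so the verdict is only meaningful for file types that are normally low-entropy.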
Finally, text files containing two different ransom notes are created. A short “stub” note is dropped across many directories, stating that files were encrypted and tells the user to visit the site and use the ID, but it does not include the URL or the ID. This stub is hardcoded as plain text in the binary. The full ransom note, which includes the Tor onion chat link and the unique victim ID, is written to the user’s Desktop and Documents folders.
The ransomware also attempts to print ransom notes on any available printers and replaces all desktop wallpapers with a redacted version of the note. Morado identified a new version of the GLOBAL ransomware note. Both versions will be included alongside IOCs.
In one negotiation, affiliates shared a high-level summary of their kill chain. Initial access was achieved through phishing that delivered a Remote Access Trojan (RAT), which created a remote connection to the infected host. Persistence was maintained by installing additional software configured to execute at startup and evade detection. The actors conducted reconnaissance of the internal environment, enumerating servers, user accounts, and permissions. Privilege escalation was obtained by exploiting a system vulnerability to gain administrator rights, followed by lateral movement to compromise additional machines. Finally, data was exfiltrated to attacker-controlled servers, with proxy servers and VPNs used to obfuscate the exit points and external infrastructure.
This account directly supports the earlier analysis. The use of a RAT aligns with the type of access commonly sold by IABs, lateral movement matches observed LDAP-based propagation techniques, and the reliance on VPNs and proxies reinforces how affiliates conceal the location of their exfiltration servers.
Once data is exfiltrated and encrypted, ransom negotiations are started. Victims are typically given three days to respond before the affiliates threaten to leak stolen data, but this varies slightly by incident. Once negotiations begin, this grace period is extended until a payment is made or no agreement is reached. GLOBAL affiliates have been seen demanding ransom payments of over one million USD. In some chats, affiliates require victims to pay 50% of the ransom demand upfront in order to continue negotiations. Payments are made via bitcoin. Affiliates work to induce a sense of urgency using direct language alongside threats of data leakage leading to reputational impact.
They use OSINT and compromised data to evoke a feeling of deep surveillance and knowledge of the victim’s business operations, further pressuring a payment. Affiliates also state plainly that they only care about money, showing clear financial motivations. Their negotiation strategy is aggressive, starting with extremely high demands but conceding to most counter offers. In one case, a ransom was lowered by nearly 75% from the original price with no resistance from the affiliate, indicating flexibility designed to secure quick payments.
The FAQ within the portal states that GLOBAL provides decryption tools after successful payment, deletion of all data, technical support, and a security assessment. GLOBAL clearly wants to be viewed as trustworthy to convince victims that paying a ransom is the best option. However, there is no way to confirm these claims, and they should be assumed to be false, like the claims of any cybercriminal.
GLOBAL ransomware represents the continued evolution of mid-tier RaaS operations into enterprise-focused threats. The group has clear lineage to Mamona and BlackLock but distinguishes itself through multilingual recruiting, AI-assisted negotiation tooling, and two-stage ransom note delivery. Its reliance on Initial Access Brokers and purchased attack tools lowers the barrier to entry, broadening affiliate participation and increasing attack volume.
The operation’s emphasis on rapid, configurable encryption and pre-encryption data theft creates significant pressure on victims in healthcare and manufacturing, sectors already vulnerable to downtime. Combined with aggressive negotiation tactics and flexible ransom demands, GLOBAL poses a significant threat to organizations operating in critical sectors.
Given its growth trajectory and focus on sectors with low tolerance for disruption, GLOBAL should be treated as an active and expanding threat. Defenders should expect campaigns leveraging IAB access, brute-force tooling, and opportunistic targeting of exposed enterprise services.
`Global\Fxo16jmdgujs437` or variants, which indicate execution attempts.
Our investigation revealed a new, slightly modified version of the previously known GLOBAL ransom note. Both are provided below.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Your network has been compromised by GLOBAL Group
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
All important files are now inaccessible. They have been locked using
military-grade encryption. Only GLOBAL holds the decryption keys.
>>> What happened? <<<
=======================
We gained full access to your network. Sensitive data was exfiltrated
and your systems were encrypted. Your business operations and customer
data are at risk.
>>> What comes next? <<<
=========================
To restore access:
1. Download Tor Browser (https://www.torproject.org/)
2. Visit our portal: gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/{redacted slug}
3. Enter your ID: >>> {redacted chat room password}<<<
4. Follow instructions to begin negotiations.
You may submit one small file (<1MB) for free decryption as proof.
We will send you a file-listing proving we have stolen your data.
>>> FAILURE TO ENGAGE WITHIN 7 DAYS RESULTS IN: <<<
=====================================================
- Public release of your documents
- Irreversible loss of encrypted data
- Escalation to wider leak network
- Permanent reputation damage
Do not contact recovery services - they cannot help.
Do not waste time with third-party tools or law enforcement.
Do not tamper with encrypted files - you may corrupt them.
This is just business.
Data Leak Site: http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
**GLOBAL operates globally.**
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
GLOBAL
Your network has been encrypted.
All of your important files — documents, databases, backups, and configurations are now inaccessible.
They have been locked using military-grade encryption. Only GLOBAL holds the decryption keys.
What happened?
-------------------------
We have gained full access to your internal network. During this time, sensitive data was exfiltrated
and your systems were encrypted.
Your business operations, internal communications, and customer data are at risk.
What comes next?
-------------------------
To restore access:
1. Download the Tor Browser (https://www.torproject.org/)
2. Visit our secure portal: gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/{redacted slug}
3. Enter your unique ID: {redacted chat room password}
4. Follow the instructions to begin negotiations.
You may submit one small file (<1MB, non-sensitive) for free decryption as proof we hold the keys.
We will also send you a file-listing to prove to you that we have stolen your data.
Failure to engage within 3 days will result in:
- Public release of your internal documents
- Irreversible loss of your encrypted data
- Escalation of your case to a wider leak network
There is no other way. Do not waste time with third-party tools or law enforcement.
You will only make things worse.
This is not personal. Just business.
Data Leak Site - http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
**GLOBAL operates globally.**
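An added IOC-extraction helper (not from the report) that pulls the portal host, chat slug, victim ID, deadline, and leak site out of both note layouts shown above, so analysts can tell the two versions apart and record the per-victim values; the excerpts are constructed from those layouts with placeholder slug and ID values.

```python
import re
from typing import Dict, Optional

ONION = r"[a-z2-7]{56}\.onion"  # v3 onion hostname

PATTERNS = {
    # "<onion>/chat/<slug>" appears in both note versions
    "portal": re.compile(rf"(?P<host>{ONION})/chat/(?P<slug>\S+)"),
    # "Enter your ID: >>> X <<<" (older note) or "Enter your unique ID: X" (newer note)
    "victim_id": re.compile(r"Enter your (?:unique )?ID:\s*(?:>>>\s*)?(?P<id>[^\s<]+)"),
    # "FAILURE TO ENGAGE WITHIN 7 DAYS" / "Failure to engage within 3 days"
    "deadline_days": re.compile(r"failure to engage within (?P<days>\d+) days", re.IGNORECASE),
    # "Data Leak Site: http://<onion>/" or "Data Leak Site - http://<onion>/"
    "leak_site": re.compile(rf"Data Leak Site\s*[:-]\s*(?P<url>https?://{ONION}/?)"),
}

def parse_ransom_note(text: str) -> Dict[str, Optional[str]]:
    """Extract the fields an IR team records from a GLOBAL note; missing fields are None."""
    out: Dict[str, Optional[str]] = {}
    m = PATTERNS["portal"].search(text)
    out["portal_host"] = m.group("host") if m else None
    out["chat_slug"] = m.group("slug") if m else None
    m = PATTERNS["victim_id"].search(text)
    out["victim_id"] = m.group("id") if m else None
    m = PATTERNS["deadline_days"].search(text)
    out["deadline_days"] = m.group("days") if m else None
    m = PATTERNS["leak_site"].search(text)
    out["leak_site"] = m.group("url") if m else None
    return out

def note_version(fields: Dict[str, Optional[str]]) -> str:
    # The report's older note gives 7 days, the newer one 3.
    return {"7": "v1", "3": "v2"}.get(fields["deadline_days"] or "", "unknown")

# Constructed excerpts of the two note layouts; slug and ID are placeholders, not real values.
NOTE_V1_EXCERPT = """2. Visit our portal: gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/constructed-slug-1
3. Enter your ID: >>> CONSTRUCTED-ID-1<<<
>>> FAILURE TO ENGAGE WITHIN 7 DAYS RESULTS IN: <<<
Data Leak Site: http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
"""
NOTE_V2_EXCERPT = """2. Visit our secure portal: gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion/chat/constructed-slug-2
3. Enter your unique ID: CONSTRUCTED-ID-2
Failure to engage within 3 days will result in:
Data Leak Site - http://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion/
"""
```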
IOCs
TTPs