SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: GLOBAL Ransomware
Sep 04, 2025
11 Mins Read

Dark Web Profile: GLOBAL Ransomware

GLOBAL Ransomware, also known as the GLOBAL GROUP, is a newly branded Ransomware-as-a-Service (RaaS) operation that surfaced in mid-2025. Despite being presented as a new player, forensic evidence links GLOBAL directly to earlier families such as Mamona and BlackLock.

By offering affiliates unusually high profit shares, advanced multi-platform payloads, and an AI-driven negotiation system, GLOBAL has quickly positioned itself as a financially motivated and opportunistic threat actor. Early victimology shows a strong focus on critical sectors including healthcare, energy, oil & gas, and manufacturing, with operations spanning the U.S., Ireland, Belgium, the U.K., Australia, and Brazil.

Threat actor card of GLOBAL Ransomware

Who Is GLOBAL Ransomware?

GLOBAL Ransomware, also known as the GLOBAL GROUP, surfaced in mid-2025 on the Russian Anonymous Marketplace (RAMP), a leading underground forum where threat actors trade malware, credentials and Ransomware-as-a-Service (RaaS) offerings. GLOBAL positioned itself as a competitive RaaS program, aiming to attract affiliates by offering an unusually high 80 to 85 percent share of ransom payments. Its platform includes a mobile-friendly management panel, an offline builder for creating payloads across Windows, Linux and VMware ESXi, and an AI-powered negotiation chatbot. These features make GLOBAL stand out as an affiliate-driven service where initial access plays a central role, and partners are expected to provide compromised entry points into victim networks.

GLOBAL RaaS announcement on RAMP

Investigators believe GLOBAL is not entirely new. It is assessed to be a rebrand of BlackLock, which had previously evolved from Eldorado. BlackLock was one of the most active extortion groups in early 2025, building momentum by combining RaaS with external partners who specialized in initial access brokerage. Its downfall came after a severe OPSEC failure: researchers and rivals exploited a vulnerability in its data leak site, uncovering infrastructure, credentials and command histories. Shortly after, DragonForce actors defaced the BlackLock site, further damaging its credibility.

At the same time, the operator known as “$$$” briefly launched a side project called Mamona, which also failed after a similar defacement. Analysts suggest the operator either performed a silent exit from these compromised brands or deliberately rebranded to retain his affiliate base. GLOBAL now represents the continuation of this lineage, positioned squarely in the RaaS market with affiliates expected to supply initial access while the core team delivers the ransomware payloads and infrastructure.

What Are GLOBAL Ransomware’s Targets?

GLOBAL’s victimology shows a clear focus on high-impact sectors and regions where disruption translates directly into financial pressure.

Top countries targeted by GLOBAL Ransomware

By geography, the United States is the most affected, accounting for nearly half of all confirmed incidents. Other heavily impacted countries include Australia, Brazil, and the United Kingdom, followed by Italy, Mexico, Sweden, Lebanon and Ireland. The distribution confirms GLOBAL’s opportunistic approach: it does not restrict itself to one region but instead pursues organizations with perceived ability to pay.

Top industries targeted by GLOBAL Ransomware

By industry, healthcare is the leading target, making up more than 31 percent of known victims. The group has also heavily impacted manufacturing (18.8 percent) and technology (9.4 percent), with additional cases across entertainment, telecommunications, accommodation, construction, agriculture, and the public sector. This mix highlights GLOBAL’s strategy of hitting critical services and production lines where downtime creates maximum leverage.

Overall, GLOBAL’s targeting pattern reflects a profit-driven RaaS model: affiliates gain initial access through brokers or stolen credentials, while the core operation focuses on sectors and geographies with the highest probability of ransom payment.

What Are GLOBAL Ransomware’s Techniques?

GLOBAL Ransomware combines affiliate-supplied initial access with a versatile payload and aggressive disruption tactics.

Initial Access

Affiliates often purchase or trade access from Initial Access Brokers (IABs). Leaked forum activity shows GLOBAL operators expressing interest in tools that brute-force VPN, RDP and OWA portals, particularly targeting Fortinet, Palo Alto and Cisco appliances. This reliance on external access aligns with its RaaS model, where affiliates are responsible for infiltrating networks while the core group provides the ransomware payload.

Execution and Propagation

The ransomware itself is a Go-based monolithic binary, capable of running on Windows, Linux, VMware ESXi, BSD, macOS and NAS devices. It supports multi-threaded encryption that allows large datasets to be locked in minutes. GLOBAL samples also retain overlaps with Mamona and BlackLock, including the same mutex value and code reuse. Once deployed, the malware can spread automatically across domains, propagating via SMB shares and remote service creation to compromise as many systems as possible.

GLOBAL Ransomware advertises multi-platform lockers for Windows, ESXi and NAS/BSD environments, highlighting flexibility for affiliates.

GLOBAL also advertises dedicated lockers through its RAMP forum post:

  • Windows Locker (C++): Includes LDAP propagation, subnet scanning, mounting remote shares, file name encryption, process and service killing, event log deletion, execution delay and “panic mode.”
  • ESXi Locker (C): Runs silently as a daemon and shuts down VMs gracefully before encryption.
  • NAS/BSD Locker (Go): Lightweight executable requiring only a path to encrypt.

Defense Evasion

GLOBAL’s builder offers options to terminate antivirus and EDR processes, clear Windows Event Logs and delete shadow copies. These features minimize detection and block recovery attempts. Affiliates can configure custom file extensions and ransom notes, ensuring that each campaign looks unique and complicates signature-based detection.

Discovery and Lateral Movement

After initial compromise, the malware enumerates network shares, drives and mounted storage to expand its reach. If domain administrator rights are available, GLOBAL can deploy itself across the network as a service, enabling rapid, automated lateral movement.

Impact

GLOBAL uses ChaCha20-Poly1305 encryption and often scrambles file names, making recovery without the decryption key virtually impossible. Ransom notes are dropped across directories, directing victims to a Tor-based negotiation portal. Victims are typically given three days to respond. The portal is integrated with an AI chatbot, which manages much of the initial negotiation and applies psychological pressure. Reported ransom demands have exceeded one million dollars, reflecting a strategy of targeting large enterprises expected to pay high sums.
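The Defense Evasion, Discovery and Lateral Movement, and Impact behaviours described above are all visible in ordinary Windows telemetry, and a defender's first question is how to turn them into an alert. The script below is an added example written for this profile; it is not SOCRadar's code and has nothing to do with GLOBAL's own tooling. It parses a constructed, simplified line format (host|event_id|user|data, an assumption of this example), matches each record against rules keyed by the ATT&CK IDs from the TTP table at the end of this article, and escalates hosts where several techniques co-occur. The event IDs are the standard ones (4688 process creation, 7045 service install, 1102 audit log cleared, Sysmon 11 file create); the sample log lines are invented.

```python
"""Behavioral detection for the ransomware tradecraft described in this profile.

Added example (not SOCRadar's code, not GLOBAL's tooling). Input lines use the
constructed format 'host|event_id|user|data'. Event IDs follow Windows/Sysmon
conventions: 4688 process creation, 7045 service installed, 1102 audit log
cleared, Sysmon 11 file create. Rule regexes are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    event_id: int
    user: str
    data: str  # command line, service image path, created file, or message text


def parse_line(line: str) -> Event:
    """Parse one 'host|event_id|user|data' line (constructed format)."""
    host, event_id, user, data = line.split("|", 3)
    return Event(host.strip(), int(event_id), user.strip(), data.strip())


def _cmdline(pattern: str):
    """Rule helper: match a process-creation (4688) command line against a regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e.event_id == 4688 and rx.search(e.data) is not None


# (ATT&CK ID from the TTP table, what the rule catches, predicate over an Event)
RULES = [
    ("T1490", "shadow copy / backup catalog deletion",
     _cmdline(r"\b(vssadmin|wmic|wbadmin)(\.exe)?\b.*\b(delete\s+shadows|shadowcopy\s+delete|delete\s+catalog)")),
    ("T1070.001", "Windows event log cleared",
     lambda e: e.event_id == 1102
     or (e.event_id == 4688 and re.search(r"\bwevtutil(\.exe)?\s+cl\b", e.data, re.I) is not None)),
    ("T1562.001", "security tooling stopped or killed",
     _cmdline(r"\b(taskkill|net\s+stop|sc(\.exe)?\s+stop)\b.*(windefend|msmpeng|sense|edr)")),
    ("T1543.003", "service installed from a remote admin share",
     lambda e: e.event_id == 7045 and re.match(r"\\\\[^\\]+\\(admin|c)\$\\", e.data, re.I) is not None),
    ("T1486", "ransom-note-like file dropped",
     lambda e: e.event_id == 11
     and re.search(r"(readme|restore|recover|decrypt)[^\\]*\.(txt|html?)$", e.data, re.I) is not None),
]


def classify(events):
    """Return {host: {attack_id: hit_count}} for every event that matches a rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for e in events:
        for attack_id, _desc, pred in RULES:
            if pred(e):
                hits[e.host][attack_id] += 1
    return {h: dict(t) for h, t in hits.items()}


def escalate(events, min_techniques: int = 2):
    """Hosts showing at least `min_techniques` distinct techniques.

    A single hit is often admin noise (a backup job may legitimately call vssadmin);
    recovery inhibition combined with log clearing, security-tool termination or a
    service pushed over an admin share is the combination worth paging on.
    """
    return sorted(h for h, t in classify(events).items() if len(t) >= min_techniques)


# Constructed sample telemetry for this example; not real incident data.
SAMPLE_LOG = """\
WS-01|4688|CORP\\jdoe|powershell.exe -NoProfile -Command Get-Process
SRV-FILE01|4688|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet
SRV-FILE01|4688|CORP\\svc_backup|wevtutil.exe cl Security
SRV-FILE01|1102|CORP\\svc_backup|The audit log was cleared.
SRV-FILE01|4688|CORP\\svc_backup|net stop WinDefend
SRV-APP02|7045|SYSTEM|\\\\SRV-FILE01\\ADMIN$\\svchost_upd.exe
SRV-APP02|11|NT AUTHORITY\\SYSTEM|C:\\Users\\Public\\README_RESTORE_FILES.txt
WS-02|7045|SYSTEM|C:\\Program Files\\Vendor\\agent.exe
"""


def analyze_log(text: str = SAMPLE_LOG):
    """Parse a log blob and return (per-host technique hits, hosts to escalate)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return classify(events), escalate(events)


if __name__ == "__main__":
    hits, escalated = analyze_log()
    for host, techniques in hits.items():
        print(host, techniques)
    print("escalate:", escalated)
```

Run as-is, the script flags SRV-FILE01 (shadow copy deletion, two log-clearing signals, Defender stopped) and SRV-APP02 (a service image loaded from another host's ADMIN$ share, then a ransom-note-like file), while the two workstations with routine activity stay quiet. The per-technique counting matters: T1070.001 is caught both from the wevtutil command line and from the 1102 audit event, so the rule still fires if an attacker suppresses one of the two sources.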

GLOBAL’s ransomware note

Affiliate Panel and Rules

The affiliate panel is not only a technical interface but also the backbone of GLOBAL’s business model. By integrating AI-assisted negotiations, auto-decryption tied to payment confirmation, and client analytics, the group seeks to professionalize the ransom process and reduce the workload for affiliates. Features like customizable deadlines and pricing give partners more autonomy, while the roadmap for encrypted decryptor access, Russian-language localization, and a sub-affiliate system shows an ambition to scale the platform into a multi-layered ecosystem.

GLOBAL Ransomware affiliate panel and rules

The financial model is equally calculated. Offering 85 percent of ransom payments directly to affiliates’ wallets undercuts many rival RaaS schemes and signals GLOBAL’s intent to rapidly expand its partner network. At the same time, the group enforces “rules of engagement” to maintain stability and avoid unwanted scrutiny. Banning attacks on CIS countries, critical infrastructure, and non-profits reflects common self-preservation tactics among Russian-speaking groups, aiming to reduce pressure from local authorities and international coalitions. The minimum ransom threshold of $50,000 ensures affiliates target larger organizations with higher payout potential, while the nine-day inactivity policy demonstrates a push for constant operational tempo.

Overall, the panel and its rules reveal GLOBAL’s dual strategy: appeal to affiliates through high profits and advanced tooling, while managing risk through selective restrictions and structured governance.

What Are the Mitigation Tactics Against GLOBAL Ransomware?

Because GLOBAL operates as a RaaS with varied affiliates, its intrusion methods are diverse. Effective defense requires a layered strategy spanning prevention, detection, and recovery:

  • Block Initial Access: Restrict exposure of RDP, VPN, and OWA services; enforce MFA; patch perimeter devices (Fortinet, Palo Alto, Cisco) promptly.
  • Secure Accounts: Enforce strong, unique credentials; disable unused or default accounts; apply least-privilege and just-in-time access.
  • Keep Systems Updated: Patch OS, applications, and firmware, prioritizing internet-facing systems.
  • Improve Detection & Response: Deploy EDR with behavioral analytics; monitor for lateral movement and anomalous account activity.
  • Network Segmentation: Isolate critical infrastructure (e.g. VMware ESXi hosts, backup servers) into dedicated management networks.
  • Limit Script Abuse: Restrict PowerShell, WMI, and MSHTA; enforce application allowlisting.
  • Backup & Recovery: Maintain offline/immutable backups; regularly test restoration.
  • Use Cyber Threat Intelligence: Monitor dark web forums and GLOBAL’s Tor leak site for early signs of targeting.
  • Test & Adapt: Conduct tabletop exercises and red-team simulations to refine defenses.

How Can SOCRadar Help?

GLOBAL Ransomware demonstrates how quickly threat actors can pivot. What began as Mamona and BlackLock has re-emerged under a new brand, equipped with cross-platform payloads, AI negotiation bots, and an aggressive affiliate program. Traditional defenses alone are not enough against an operation that adapts this fast and markets itself across underground forums.

Organizations need visibility into how GLOBAL evolves, detection of their own exposure on leak sites, and the ability to update defenses with real-time intelligence. SOCRadar delivers this by tracking GLOBAL’s infrastructure, monitoring the dark web for leaked data, and providing the indicators and context security teams need to stay ahead.

Start with a Free Dark Web Report in SOCRadar Labs to see your domain’s exposure.

Dark Web Monitoring – Track GLOBAL’s leak site and forums to detect stolen credentials, sensitive files, or brand impersonation before widespread release.

SOCRadar Advanced Dark Web Monitoring

Threat Intelligence Feeds – Receive real-time IoCs and TTPs on GLOBAL’s infrastructure, payloads, and variants to update defenses instantly.

Attack Surface Management – Identify exposed RDP, VPN, and misconfigured assets before affiliates exploit them.

SOCRadar Extended Attack Surface Management

Digital Risk Protection – Detect fraudulent domains or impersonation attempts tied to GLOBAL campaigns.

Ransomware Group Tracking – Monitor GLOBAL’s evolving infrastructure, affiliate base, and targeting to anticipate changes and prepare proactively.

SOCRadar empowers organizations to stay ahead of GLOBAL and similar RaaS operations by combining visibility, early warning, and rapid response.

What Are the MITRE ATT&CK TTPs of GLOBAL Ransomware?

Tactic               | Technique ID | Technique Name
---------------------|--------------|----------------------------------------------------
Initial Access       | T1190        | Exploit Public-Facing Application
Initial Access       | T1078        | Valid Accounts
Initial Access       | T1053        | Scheduled Task/Job
Execution            | T1203        | Exploitation for Client Execution
Execution            | T1569.002    | System Services: Service Execution
Persistence          | T1543.003    | Create or Modify System Process: Windows Service
Privilege Escalation | T1068        | Exploitation for Privilege Escalation
Privilege Escalation | T1078.001    | Valid Accounts: Default Accounts
Privilege Escalation | T1078.002    | Valid Accounts: Domain Accounts
Defense Evasion      | T1562.001    | Disable or Modify Tools
Defense Evasion      | T1070.001    | Clear Windows Event Logs
Defense Evasion      | T1036        | Masquerading
Defense Evasion      | T1027        | Obfuscated Files or Information
Defense Evasion      | T1027.013    | Encrypted/Encoded File
Credential Access    | T1110        | Brute Force
Discovery            | T1046        | Network Service Discovery
Discovery            | T1135        | Network Share Discovery
Discovery            | T1083        | File and Directory Discovery
Discovery            | T1057        | Process Discovery
Discovery            | T1016        | System Network Configuration Discovery
Lateral Movement     | T1021        | Remote Services
Lateral Movement     | T1021.001    | Remote Services: Remote Desktop Protocol
Lateral Movement     | T1021.002    | Remote Services: SMB/Windows Admin Shares
Exfiltration         | T1020        | Automated Exfiltration
Exfiltration         | T1041        | Exfiltration Over C2 Channel
Exfiltration         | T1567        | Exfiltration Over Web Service
Exfiltration         | T1567.002    | Exfiltration to Cloud Storage
Impact               | T1486        | Data Encrypted for Impact
Impact               | T1489        | Service Stop
Impact               | T1490        | Inhibit System Recovery