GLOBAL Ransomware is a mid-2025 RaaS rebrand of earlier families like Mamona and BlackLock that offers multi-platform payloads, an AI negotiation chatbot, and unusually high affiliate revenue shares to rapidly scale operations. Its campaigns target high-impact sectors (notably healthcare) across the U.S., Europe, Australia and Brazil and use affiliate-supplied initial access, ChaCha20-Poly1305 encryption, and Tor-based leak/negotiation portals. #GLOBAL #BlackLock
Keypoints
- GLOBAL surfaced on the Russian Anonymous Marketplace in mid-2025 as a RaaS offering with an 80–85% affiliate revenue share to attract partners.
- Forensic evidence links GLOBAL to prior families Mamona and BlackLock, suggesting a rebrand rather than a wholly new operation.
- The ransomware is multi-platform (Windows, Linux, VMware ESXi, BSD, macOS, NAS) and ships as a native locker per platform: a C++ Windows locker, a C ESXi locker and a monolithic Go locker for NAS/BSD targets.
- GLOBAL relies on affiliates and initial access brokers to provide compromised entry points, with emphasis on brute-forcing exposed VPN, RDP and OWA portals and on Fortinet, Palo Alto and Cisco edge appliances in particular.
- Technical capabilities include multi-threaded encryption (ChaCha20-Poly1305), lateral movement via SMB and remote service creation, EDR/AV termination, event log clearing, and shadow copy deletion.
- Victimology focuses on healthcare (31%+), manufacturing, and technology, with significant impacts in the United States, Australia, Brazil, and the United Kingdom.
- The operation uses a Tor-based negotiation portal with an AI chatbot, enforces affiliate rules (e.g., bans on CIS targets, $50,000 minimum ransom), and has demanded sums exceeding $1M in some cases.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access against internet-exposed services; the profile pairs it with affiliates “expressing interest in tools that brute-force VPN, RDP and OWA portals, particularly targeting Fortinet, Palo Alto and Cisco appliances.” Brute-forcing itself is T1110 below; T1190 covers exploitation of the same edge devices.
- [T1078] Valid Accounts – Affiliates supply stolen or brokered credentials; “partners are expected to provide compromised entry points into victim networks.”
- [T1053] Scheduled Task/Job – Listed by the profile under initial access without further detail; scheduled tasks are ordinarily used for execution or persistence after compromise.
- [T1203] Exploitation for Client Execution – Listed by the profile; no specific client-side exploit is described, and the mapping appears to be inferred from the multi-platform payload execution capabilities.
- [T1569.002] System Services: Service Execution – GLOBAL can run as a service on remote hosts to execute and propagate (“deploy itself across the network as a service”).
- [T1543.003] Create or Modify System Process: Windows Service – Windows services are created or modified for persistence during the compromise.
- [T1068] Exploitation for Privilege Escalation – Elevated rights are obtained where needed for wide-scale encryption or lateral movement; the profile names no specific exploit.
- [T1078.001] Valid Accounts: Default Accounts – Default or readily available accounts are noted among the valid-account vectors.
- [T1078.002] Valid Accounts: Domain Accounts – Domain credentials obtained by affiliates drive propagation (“If domain administrator rights are available, GLOBAL can deploy itself across the network”).
- [T1562.001] Disable or Modify Tools – Builder options terminate antivirus and EDR processes to evade defenses (“options to terminate antivirus and EDR processes”).
- [T1070.001] Clear Windows Event Logs – GLOBAL clears event logs to hinder detection (“clear Windows Event Logs”).
- [T1036] Masquerading – Customizable file extensions and ransom notes let affiliates disguise malicious files and brand campaigns.
- [T1027] Obfuscated Files or Information – Obfuscated and encoded components in payloads and communications (“Encrypted/Encoded File” listed).
- [T1027.013] Encrypted/Encoded File – Payload components may be shipped encrypted or encoded to avoid inspection; the profile lists the sub-technique without naming a packer. The ChaCha20-Poly1305 encryption of victim files and the scrambling of file names is the impact technique, T1486 below.
- [T1110] Brute Force – Affiliates and IABs brute-force services like VPN, RDP and OWA (“tools that brute-force VPN, RDP and OWA portals”).
- [T1046] Network Service Discovery – The malware enumerates network services during post-compromise discovery.
- [T1135] Network Share Discovery – GLOBAL enumerates and targets network shares to find files to encrypt (“enumerates network shares, drives and mounted storage”).
- [T1083] File and Directory Discovery – Used to locate files for encryption across local systems and shares.
- [T1057] Process Discovery – Running processes are enumerated so that backup and protection processes can be killed before encryption (“process and service killing”).
- [T1016] System Network Configuration Discovery – Network topology and configuration discovery supports lateral movement and the targeting of ESXi hosts and backups.
- [T1021] Remote Services – Remote services such as RDP and SMB are used for lateral movement and propagation (“propagating via SMB shares and remote service creation”).
- [T1021.001] Remote Services: Remote Desktop Protocol – RDP is targeted for access and lateral movement (“tools that brute-force … RDP”).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB shares are used to spread and to encrypt files across the network (“propagating via SMB shares”).
- [T1020] Automated Exfiltration – Affiliates and the core operation automate data theft prior to encryption (exfiltration tactics listed by investigators).
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to actor-controlled channels as part of the double-extortion model.
- [T1567] Exfiltration Over Web Service – Web services are used to transfer stolen data to leak sites or actor infrastructure.
- [T1567.002] Exfiltration to Cloud Storage – Cloud storage is listed as an exfiltration destination option.
- [T1486] Data Encrypted for Impact – Primary impact technique: encrypting data with ChaCha20-Poly1305 to disrupt operations (“ChaCha20-Poly1305 encryption … making recovery without the decryption key virtually impossible”).
- [T1489] Service Stop – GLOBAL stops services and powers off VMs before encrypting them (ESXi locker “shuts down VMs gracefully before encryption”).
- [T1490] Inhibit System Recovery – GLOBAL deletes shadow copies and clears logs to inhibit recovery (“delete shadow copies”).
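The post-compromise chain mapped above (brute-forced entry, AV/EDR termination, shadow copy deletion, event log clearing and service creation over admin shares) is what a SOC would actually hunt for, and most of it lands in standard Windows Security and System logs. The Python below is an added example, not code from SOCRadar or from the GLOBAL operation: it runs one rule per technique over a constructed, SIEM-normalised event sample (hostnames, users, addresses, thresholds and the list of security-agent process names are all assumptions) and scores hosts where several techniques fire together.

```python
"""Detection rules for the post-compromise behaviours attributed to GLOBAL.

Added illustration, not SOCRadar's or the malware's code. Input is a list of
normalised event dicts as a SIEM might emit; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. Hostnames, users and addresses are invented.
SAMPLE_EVENTS = [
    # Six failed logons (4625) from one source against the VPN gateway (T1110).
    *[{"ts": t, "host": "vpn-gw", "event_id": 4625, "user": "jsmith",
       "src": "203.0.113.10"} for t in range(1, 7)],
    # Process creation (4688) on ws01: AV termination, shadow copy removal, log clearing.
    {"ts": 20, "host": "ws01", "event_id": 4688,
     "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"ts": 21, "host": "ws01", "event_id": 4688,
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 22, "host": "ws01", "event_id": 4688,
     "cmdline": 'wevtutil cl "Windows PowerShell"'},
    # Security log cleared (1102) on the same host.
    {"ts": 23, "host": "ws01", "event_id": 1102, "user": "Administrator"},
    # Service installed (7045) on fs01 whose binary sits on a remote admin share
    # (T1543.003 reached over T1021.002).
    {"ts": 24, "host": "fs01", "event_id": 7045, "service_name": "UpdSvc",
     "image_path": r"\\ws01\ADMIN$\svc.exe"},
    # Benign noise that must not fire.
    {"ts": 30, "host": "ws02", "event_id": 4688, "cmdline": "notepad.exe report.txt"},
    {"ts": 31, "host": "ws02", "event_id": 4625, "user": "bob", "src": "10.0.0.5"},
]

# Assumed process names of AV/EDR agents; extend this to match your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "csfalconservice.exe", "sentinelagent.exe"}

RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(\.exe)?.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)
KILL = re.compile(r"taskkill(\.exe)?.*?/IM\s+(\S+)", re.I)

BRUTE_FORCE_THRESHOLD = 5   # failed logons per source within the window (assumed)
BRUTE_FORCE_WINDOW = 60     # seconds (assumed)


def detect(events):
    """Return a list of (technique, host, evidence) findings over the events."""
    findings = []
    failures = defaultdict(list)          # (host, src) -> timestamps of 4625s
    for e in sorted(events, key=lambda ev: ev["ts"]):
        eid, host = e["event_id"], e["host"]
        cmd = e.get("cmdline", "")
        if eid == 4625:
            q = failures[(host, e["src"])]
            q.append(e["ts"])
            # Slide the window, then fire exactly once when the threshold is crossed.
            while q and e["ts"] - q[0] > BRUTE_FORCE_WINDOW:
                q.pop(0)
            if len(q) == BRUTE_FORCE_THRESHOLD:
                findings.append(("T1110", host, f"{len(q)} failed logons from {e['src']}"))
        elif eid == 4688:
            m = KILL.search(cmd)
            if m and m.group(2).lower() in SECURITY_PROCESSES:
                findings.append(("T1562.001", host, cmd))
            if RECOVERY_INHIBIT.search(cmd):
                findings.append(("T1490", host, cmd))
            if LOG_CLEAR.search(cmd):
                findings.append(("T1070.001", host, cmd))
        elif eid == 1102:
            findings.append(("T1070.001", host, "Security log cleared by " + e.get("user", "?")))
        elif eid == 7045 and e.get("image_path", "").startswith("\\\\"):
            # A service binary loaded from a UNC path is the remote-service-creation pattern.
            findings.append(("T1543.003", host, f"service {e['service_name']} from {e['image_path']}"))
    return findings


def score_hosts(findings, min_techniques=3):
    """Hosts where several distinct techniques fired are treated as likely ransomware staging."""
    per_host = defaultdict(set)
    for technique, host, _ in findings:
        per_host[host].add(technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(score_hosts(detect(SAMPLE_EVENTS)))
```

The per-host scoring is the part worth keeping: a single `vssadmin delete shadows` from a backup admin is noise, but shadow copy deletion, an AV kill and a cleared Security log on the same host within minutes is the locker's pre-encryption routine as the profile describes it, and should page someone before the SMB propagation step reaches the file servers.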
Indicators of Compromise
- [File Hash] Sample binaries – a Go-based monolithic binary and related samples showing mutex and code reuse with Mamona/BlackLock; no hashes are given on this page.
- [File Name/Extension] Ransom notes and extensions – ransom note files are dropped across directories and the appended extension is affiliate-customizable; the notes carry Tor negotiation portal links, and no fixed note name or extension is given on this page.
- [Network Host/Service] Targeted infrastructure – exposed RDP, VPN and OWA portals, with Fortinet, Palo Alto and Cisco appliances named as preferred brute-force and exploitation targets.
- [Platform/Artifact] Locker builds – Windows locker (C++) with LDAP-based propagation, ESXi locker (C) that shuts down VMs before encrypting, NAS/BSD locker (Go); no build artifact names are given on this page.
- [Leak/Portal] Tor infrastructure – a Tor-based negotiation portal with the AI chatbot and a Tor leak site hosting stolen data; onion addresses are not reproduced on this page.
Read more: https://socradar.io/dark-web-profile-global-ransomware/