Bivash Nayak
23 Jul

On July 22, 2025, cybersecurity researchers uncovered the emergence of GLOBAL GROUP, a sophisticated Ransomware-as-a-Service (RaaS) operation deploying Golang-based ransomware capable of targeting Windows, Linux, and macOS environments. Promoted on underground forums like Ramp4u by an actor using the alias "$$$", this threat represents a rebrand and evolution of prior strains such as Mamona and Black Lock, incorporating advanced features like AI-driven negotiation chatbots and mobile control panels. With cross-platform compatibility and strong encryption, GLOBAL GROUP poses a significant risk to global sectors, emphasizing the need for enhanced defenses in diverse operating systems. Below, we explore the ransomware's details, deployment methods, tactics, implications, and mitigation strategies.

The Ransomware: Golang-Powered and Cross-Platform

GLOBAL GROUP's core payload is developed in Golang, enabling a single binary to operate across multiple platforms without recompilation. It employs ChaCha20-Poly1305 for file encryption, appending the ".lockbitloch" extension to affected files and dropping ransom notes with Tor-based contact instructions. The ransomware supports automated attacks, credential theft, and exfiltration, making it suitable for affiliates in a RaaS model. Key features include:

  • AI Chatbot for Extortion: An innovative negotiation tool that uses AI to pressure victims, intensifying psychological tactics during ransom demands.
  • Mobile Control Panel: Allows operators to manage campaigns on the go, enhancing operational flexibility.
  • Revived Codebase: Traces back to Mamona (discontinued) and Black Lock, indicating a rebranding effort with updated payloads.

First publicized in June 2025 on Ramp4u, GLOBAL GROUP has rapidly gained attention for its scalability and enterprise-level capabilities.

Deployment Methods: RaaS Model and Initial Access

GLOBAL GROUP operates as a RaaS, providing affiliates with tools for deployment via common vectors like phishing, RDP exploits, and unpatched vulnerabilities. The actor "$$$" markets it as automated and efficient, promising high returns for participants. Typical infection chain:

  1. Initial Compromise: Exploitation of weak credentials or social engineering to gain foothold.
  2. Payload Delivery: Download and execution of the Golang binary, which adapts to the host OS.
  3. Encryption and Exfiltration: Files are encrypted, data stolen, and ransom notes deployed.

No specific IOCs have been widely shared yet, but monitoring for unusual Golang processes is advised.

Observed Tactics and Evolution

GLOBAL GROUP evolves from earlier operations, blending proven encryption with modern extortion tools. Tactics include double extortion (encrypting and leaking data) and AI chatbots for automated, persistent negotiations. The group targets global sectors, with early attacks noted in professional services and manufacturing. X posts from users like @MarioNawfal and @R4yt3d highlight its multiplatform menace, linking it to broader 2025 ransomware trends. As a rebrand, it incorporates lessons from predecessors, focusing on speed and adaptability.

Implications: Escalating Risks in 2025 Ransomware Landscape

GLOBAL GROUP contributes to the booming ransomware scene in 2025, with projections of increased attacks due to its cross-platform reach. Organizations face operational disruptions, data leaks, and financial losses, particularly in hybrid environments. The AI chatbot innovation heightens extortion pressure, potentially leading to higher ransom payments. This aligns with trends like Qilin and Dire Wolf, signaling a shift toward more versatile threats.

Defenses: Hardening Against Cross-Platform Threats

To mitigate GLOBAL GROUP:

  • Patch and Segment: Apply updates across all OSes and segment networks to limit lateral movement.
  • Backup Offline: Maintain immutable, air-gapped backups tested regularly.
  • Deploy EDR/MDR: Use endpoint detection tools to monitor for anomalous Golang activity.
  • Awareness and MFA: Train staff on phishing; enforce multi-factor authentication for critical access.
  • Monitor Underground Forums: Track RaaS developments on sites like Ramp4u for early warnings.

As ransomware evolves, proactive measures are essential. For IOCs and updates, consult sources like Picus Security and EclecticIQ. Stay vigilant in this dynamic threat landscape.
