Global Group: ransomware rebranding stories
Key findings
- Review of the activity of the user “$$$” on the Ramp cybercriminal forum. This user promotes the Global Group ransomware and previously promoted the Mamona RIP and BlackLock/Eldorado operations. They have been an active member of the forum since 2024 and may collaborate with initial access brokers (IABs) to obtain initial access for their operations.
- Analysis of the victimology of Global Group, BlackLock/Eldorado and Mamona RIP, which revealed similar top targeted sectors across all three operations. A shift was noted since Global Group started: the health sector is now one of the operation’s main targets, whereas it was almost never targeted by this threat actor’s previous ransomware operations. Targeting now also focuses on Western countries rather than being worldwide.
- Technical analysis of the ransomware, which revealed multiple capabilities. The ransomware can move laterally on a network using LDAP, terminate antivirus services, and encrypt drives, network shares, directories and files, amongst other functions. Some of these capabilities can be enabled or disabled through command-line arguments at execution time.
- Infrastructure analysis starting from a real IP address of Global Group’s data leak site (DLS). This IP address belongs to AS44812 of IP SERVER LLC, which is linked to Russia.
Intrinsec’s CTI services
Organisations are facing increasingly sophisticated threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate the compromises they face, or at least to react to them as quickly as possible.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation, which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities;
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation;
  - external asset security monitoring (EASM);
  - brand protection.
For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
