GLOBAL GROUP
GLOBAL GROUP is a ransomware-as-a-service operation and apparent rebrand of the BlackLock operation, which was previously known as Eldorado or El Dorado. The content states the branding evolved from Eldorado on the Russian Anonymous Marketplace (RAMP) forum in March 2024, to BlackLock by late 2024, and then to GLOBAL GROUP around mid-2025. It is described as part of the Russian-speaking cybercriminal ransomware ecosystem rather than a nation-state actor, with no evidence of state involvement.

The group is associated with affiliate-based ransomware operations and recruitment activity on RAMP, where GLOBAL GROUP, Eldorado, and other major ransomware brands sought members, advertised variants, and shared operational intelligence. The operation is described as having offered affiliates revenue shares of up to 85% and as providing a custom Go-based builder capable of generating Windows, Linux, and ESXi encryptors.

The content links GLOBAL GROUP/BlackLock to campaigns involving social-engineering delivery, including a malicious LNK file disguised as FAKE_CAPTCHA that triggered hidden PowerShell or command-line execution and used living-off-the-land binaries to deploy a second-stage loader. Associated infrastructure included paksecurity[.]org and techoption[.]org. The loader was described as establishing persistence via scheduled tasks and beaconing to command-and-control infrastructure.

The group's ransomware capability is described as cross-platform and particularly relevant to VMware ESXi environments. The reported attack playbook included enumerating /vmfs/volumes/, killing running virtual machines with esxcli vm process kill, encrypting .vmdk and .vmx files, dropping ransom notes such as HOW_RETURN_YOUR_DATA.TXT, and deleting backups via vssadmin or WMI. The ransomware is described as using ChaCha20 or XChaCha20 for file encryption with RSA-OAEP for key wrapping.
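The ESXi playbook above (datastore enumeration, forced VM kills, ransom note, shadow-copy deletion) maps onto a small set of command-line indicators a defender can hunt for in forwarded ESXi shell logs and Windows command auditing. The following is an added example written for this profile, not code from the reporting or from the group; it scans constructed sample log lines (the line format, hostnames and world IDs are invented) and scores each host so that a single administrative `esxcli vm process kill` lands in a review queue while a burst of kills, a ransom note, or a `vssadmin delete shadows` escalates.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in an approximate syslog-forwarded ESXi shell.log and
# Windows command-audit style. Illustrative only, not captured telemetry.
SAMPLE_LOG = """\
2025-07-01T10:02:11Z esxi01 shell[2201]: [root]: ls /vmfs/volumes/
2025-07-01T10:02:40Z esxi01 shell[2201]: [root]: esxcli vm process list
2025-07-01T10:03:05Z esxi01 shell[2201]: [root]: esxcli vm process kill --type=force --world-id=2101490
2025-07-01T10:03:06Z esxi01 shell[2201]: [root]: esxcli vm process kill --type=force --world-id=2101512
2025-07-01T10:07:19Z esxi01 shell[2201]: [root]: cat /vmfs/volumes/datastore1/HOW_RETURN_YOUR_DATA.TXT
2025-07-01T10:09:00Z win-fs01 cmdline: vssadmin delete shadows /all /quiet
2025-07-01T10:09:30Z win-fs01 cmdline: wmic shadowcopy delete
2025-07-01T11:00:00Z esxi01 shell[2202]: [admin]: esxcli storage filesystem list
"""

# Indicators taken from the playbook described in the profile. The weight says how
# suspicious one hit is on its own: listing datastores is routine admin work, while
# a ransom note filename or shadow-copy deletion is high fidelity by itself.
RULES = {
    "datastore_enum": (re.compile(r"\bls\b.*?/vmfs/volumes/"), 1),
    "vm_force_kill":  (re.compile(r"esxcli\s+vm\s+process\s+kill"), 2),
    "ransom_note":    (re.compile(r"HOW_RETURN_YOUR_DATA\.TXT", re.I), 3),
    "shadow_delete":  (re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I), 3),
}

# Assumed line shape: "<ISO timestamp> <host> <rest of message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


@dataclass
class Finding:
    ts: datetime
    host: str
    rule: str
    line: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def scan(text: str) -> list[Finding]:
    """Match every rule against every parseable line; one Finding per (line, rule) hit."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for rule, (pattern, _weight) in RULES.items():
            if pattern.search(m["rest"]):
                findings.append(Finding(parse_ts(m["ts"]), m["host"], rule, raw))
    return findings


def assess(findings: list[Finding], burst_window_s: int = 60,
           burst_count: int = 2, escalate_at: int = 3) -> dict:
    """Per host: sum the weights of the distinct rules hit, then add a bonus when
    several VMs are killed inside burst_window_s (mass kills precede encryption of
    .vmdk/.vmx files; an admin stopping one stuck guest does not look like that).
    Returns {host: {"score", "rules", "burst_kill", "verdict"}}."""
    by_host: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)

    report = {}
    for host, fs in by_host.items():
        rules = sorted({f.rule for f in fs})
        score = sum(RULES[r][1] for r in rules)
        kills = sorted(f.ts for f in fs if f.rule == "vm_force_kill")
        burst = any(
            (kills[i + burst_count - 1] - kills[i]).total_seconds() <= burst_window_s
            for i in range(len(kills) - burst_count + 1)
        )
        if burst:
            score += 2
        verdict = "escalate" if score >= escalate_at else "review"
        report[host] = {"score": score, "rules": rules, "burst_kill": burst, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, r in assess(scan(SAMPLE_LOG)).items():
        print(f"{host}: {r['verdict']} (score={r['score']}, rules={r['rules']}, burst_kill={r['burst_kill']})")
```

The weights and the 60-second burst window are starting points, not tuned thresholds; the useful property is that the decision is driven by the combination and timing of indicators rather than any single command, which keeps ordinary ESXi maintenance out of the escalation path.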
One report in the content describes GLOBAL GROUP ransomware as notable for carrying out activity locally, being compatible with air-gapped environments, and conducting no data exfiltration. Another report describes GLOBAL GROUP as operating a Tor-based negotiation portal where an AI chatbot interacts with victims, automates communications, and applies psychological pressure during negotiations. The content also notes victim claims by the group, including a July 2025 claim of stealing 400GB of data from Albavisión. Reported targeting in the content includes organizations in the United States and Europe across healthcare, manufacturing, education, government, and media sectors. Known aliases directly supported by the content are BlackLock, Eldorado, and El Dorado.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Media & Entertainment
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic.
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware-as-a-service operation focused on ESXi and broader hypervisor attacks, using phishing/LNK-based initial access, loaders, Active Directory compromise, lateral movement, and cross-platform encryptors to conduct recovery-denial extortion against organizations.
Ransomware crew delivered via phishing/LNK → PowerShell → Phorpiex dropper chain; notable for local-only activity (air-gapped compatible) and no data exfiltration.
GLOBAL Group is a ransomware group utilizing RAMP for collaboration, recruitment, and operational coordination.
Ransomware-as-a-service operation (possibly a BlackLock rebrand) using an AI chatbot in a Tor-based negotiation portal to automate victim communications, apply psychological pressure, and scale extortion operations.