Skip to content
Ransomware group

Mamona

Mamona is a ransomware family/RaaS operation active by March 2025 and linked in reporting to the BlackLock/El Dorado ecosystem.

Profile source: Mallory opens in a new tab

Mamona

Family profile

Mamona is a ransomware family/RaaS operation active by March 2025 and linked in reporting to the BlackLock/El Dorado ecosystem. The operator alias "$$$" was reported to have announced Mamona ransomware on March 11, 2025, and the same alias was linked to BlackLock, El Dorado, and Mamona. Mamona was also described as an older ransomware strain succeeded by Global Group ransomware. Reporting further noted overlap between Mamona-linked activity, BlackLock affiliates, the Embargo group, and later DragonForce-related activity.

Mamona is associated with leak-site operations; its leak site was reportedly defaced around the same time as BlackLock’s during DragonForce’s March 2025 "cartel" push, and Mamona later went offline. One source also referenced "Mamona RaaS," indicating it operated as a ransomware-as-a-service program.

High-confidence lineage reporting states that Global Group is a successor to Mamona. In phishing campaigns observed throughout 2024 and 2025, Phorpiex malware was used to deliver Global Group via deceptive .lnk attachments disguised with double extensions such as "Document.doc.lnk." Those campaigns used living-off-the-land execution through cmd.exe and PowerShell to download the ransomware payload. Because Global Group is explicitly described as Mamona’s successor, this provides context on the evolution of the malware family, though the described infection chain is directly attributed to Global Group rather than Mamona itself.

No standalone technical IOCs specific to Mamona binaries were provided in the content. The most reliable associations are its ties to BlackLock/El Dorado, the actor "$$$", its operation as a ransomware brand/RaaS, its leak-site presence, and its succession by Global Group.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
$$$

March 11, 2025 - the actor "$$$" behind BlackLock Ransomware announced the launch of a new project called Mamona Ransomware.

MITRE ATT&CK

Mamona in ATT&CK

2 distinct techniques

Reporting

Research mentioning Mamona

Mar 3
Scworld

Ransomware attack exposes 1.2 million University of Hawaii Cancer Center records | news | SC Media

Related reading: ... Mamona ransomware lowers the bar with offline encryption

Feb 10
Scworld

Phorpiex malware delivers global group ransomware via phishing | SC Media

The final payload is Global Group ransomware, a successor to Mamona, which features a "mute" mode.

Feb 10
Cyber Security News

Attackers Weaponizing Windows Shortcut File to Deliver Global Group Ransomware - Cyber Security News

...Global Group ransomware, a successor to the Mamona ransomware family.

Feb 9
Hackread

Hackers Deliver Global Group Ransomware Offline via Phishing Emails

"Global Group, a successor to the older Mamona ransomware."

Jan 1
Sophos Threat Research

DragonForce targets rivals in a play for dominance | SOPHOS

The ‘cartel’ post coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups.

Oct 23
Recorded Future

Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

In some cases, the accounts can be banned after ten days (Mamona RaaS)...

Jul 23
Risky Biz Rss

Risky Bulletin: Three Chinese APTs are behind the recent SharePoint zero-day attacks

"Global Group, a new RaaS linked to the old BlackLock and Mamona gangs."

Jul 1
ANY.RUN

DEVMAN Ransomware: Analysis of New DragonForce Variant - ANY.RUN's Cybersecurity Blog

A previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.