March 11, 2025 - the actor "$$$" behind BlackLock Ransomware announced the launch of a new project called Mamona Ransomware.
Mamona
Mamona is a ransomware family/RaaS operation active by March 2025 and linked in reporting to the BlackLock/El Dorado ecosystem.
Profile source: Mallory opens in a new tabMamona
Family profile
Mamona is a ransomware family/RaaS operation active by March 2025 and linked in reporting to the BlackLock/El Dorado ecosystem. The operator alias "$$$" was reported to have announced Mamona ransomware on March 11, 2025, and the same alias was linked to BlackLock, El Dorado, and Mamona. Mamona was also described as an older ransomware strain succeeded by Global Group ransomware. Reporting further noted overlap between Mamona-linked activity, BlackLock affiliates, the Embargo group, and later DragonForce-related activity.
Mamona is associated with leak-site operations; its leak site was reportedly defaced around the same time as BlackLock’s during DragonForce’s March 2025 "cartel" push, and Mamona later went offline. One source also referenced "Mamona RaaS," indicating it operated as a ransomware-as-a-service program.
High-confidence lineage reporting states that Global Group is a successor to Mamona. In phishing campaigns observed throughout 2024 and 2025, Phorpiex malware was used to deliver Global Group via deceptive .lnk attachments disguised with double extensions such as "Document.doc.lnk." Those campaigns used living-off-the-land execution through cmd.exe and PowerShell to download the ransomware payload. Because Global Group is explicitly described as Mamona’s successor, this provides context on the evolution of the malware family, though the described infection chain is directly attributed to Global Group rather than Mamona itself.
No standalone technical IOCs specific to Mamona binaries were provided in the content. The most reliable associations are its ties to BlackLock/El Dorado, the actor "$$$", its operation as a ransomware brand/RaaS, its leak-site presence, and its succession by Global Group.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
Mamona in ATT&CK
2 distinct techniquesTechniques
2 techniquesReporting
Research mentioning Mamona
Ransomware attack exposes 1.2 million University of Hawaii Cancer Center records | news | SC Media
Related reading: ... Mamona ransomware lowers the bar with offline encryption
Phorpiex malware delivers global group ransomware via phishing | SC Media
The final payload is Global Group ransomware, a successor to Mamona, which features a "mute" mode.
Attackers Weaponizing Windows Shortcut File to Deliver Global Group Ransomware - Cyber Security News
...Global Group ransomware, a successor to the Mamona ransomware family.
Hackers Deliver Global Group Ransomware Offline via Phishing Emails
"Global Group, a successor to the older Mamona ransomware."
DragonForce targets rivals in a play for dominance | SOPHOS
The ‘cartel’ post coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups.
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
In some cases, the accounts can be banned after ten days (Mamona RaaS)...
Risky Bulletin: Three Chinese APTs are behind the recent SharePoint zero-day attacks
"Global Group, a new RaaS linked to the old BlackLock and Mamona gangs."
DEVMAN Ransomware: Analysis of New DragonForce Variant - ANY.RUN's Cybersecurity Blog
A previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity.