Global Group ransomware delivered via phishing emails

Researchers have discovered a phishing campaign using Phorpiex malware to deliver Global Group ransomware. The attack uses deceptive Windows shortcut files (.lnk) as an initial access vector and a unique “mute” mode to encrypt data offline and evade traditional security detection mechanisms.

This campaign starts with a plain email. The subject line usually reads “Your Document” a phrase designed to make you curious or worried enough to click. Inside is an attachment or a zip folder, often named “Document.doc.lnk”. Hackers use a double extension here because Windows OS often hides the last part of a file name. To a normal person, it just looks like Document.doc, but further probing revealed it is actually Windows Shortcut file (.lnk). 

Once clicked, the shortcut quietly tells your computer to run background commands using a method called Living off the Land (LotL). Instead of bringing its own suspicious tools, it hijacks your computer’s “healthy” programs, like PowerShell and Command Prompt, to do its dirty work. These commands download the actual virus, which hides in system folders under names like windrv.exe to look like a legitimate Windows part.

The research identifies the final payload as Global Group, a successor to the older Mamona ransomware. What makes this version troublesome is its “mute” mode. Unlike most viruses that “call home” to the internet for instructions, Global Group does everything locally. Because it doesn’t need a server connection, it can lock files even on offline computers. Further investigation revealed it uses a strong locking system called ChaCha20-Poly1305, making it impossible to recover files without the criminal’s digital key.

To hinder investigators, it uses a ping command to the address 127.0.0.7 as a three-second timer. Once finished, it deletes its own files from your hard drive to leave less evidence behind. Researchers found that the virus even hunts for your backups. It quietly deletes Volume Shadow Copies, the “safety net” files used to restore data. Once finished, your documents will have a .Reco extension, and your wallpaper will be replaced with a ransom note. 

This campaign shows that hackers don’t always need complex technology to trap users; sometimes, they just need a simple shortcut and a convincing email. Using common sense is key. Do not open unsolicited emails, click links they contain, or download and run any attached files.