Global Group ransomware delivered offline through phishing campaign
Farah Amod
February 26, 2026
A phishing operation linked to the long-running Phorpiex botnet is spreading ransomware that can encrypt files without any internet connection.
What happened
Researchers have identified a phishing campaign using the Phorpiex malware network to distribute Global Group ransomware, a strain capable of encrypting files entirely offline. According to Hackread, the attack begins with emails carrying Windows shortcut files ending in .lnk, which are disguised with double extensions such as Document.doc.lnk so that the final extension may not be visible to users. When opened, the shortcut executes background commands that download and deploy the ransomware payload. The campaign has been active throughout 2024 and 2025 and represents an evolution of the older Mamona ransomware family.
Going deeper
The infection chain uses Living off the Land techniques, meaning the attackers rely on legitimate built-in Windows tools instead of obvious malicious programs to avoid detection. In this case, a shortcut file launches PowerShell and Command Prompt to download the ransomware and save it under filenames that resemble normal system components. The final payload, known as Global Group, runs in what researchers call “mute” mode, meaning it does not contact a remote command-and-control server for an encryption key but instead creates the key locally on the infected machine. The ransomware encrypts files using ChaCha20-Poly1305, a modern encryption method designed for speed and strong protection, and deletes Volume Shadow Copies, which are Windows backup snapshots used for recovery, making it far harder for victims to restore their data without paying for the attacker’s key.
What was said
In research cited by Hackread, the team led by Senior Security Researcher Lydia McElligott stated, “The ransomware does not retrieve an external encryption key; instead, it generates the key on the host machine itself.”
According to the researchers, this approach enables the malware to encrypt files even when a system is offline. Because no external key exchange is required, the attack can proceed without communicating with a command-and-control server, making detection and incident response more difficult.
In the know
Global Group ransomware is a newer strain of file-encrypting malware that can lock data without staying connected to the internet, making it harder to stop once it starts running. Security researchers say it builds on the older Mamona ransomware family, meaning earlier code has likely been reused and refined rather than developed from scratch. The campaign distributing it relies on the long-running Phorpiex botnet, also known as Trik, a network of infected computers used to send large volumes of malicious email and attachments. According to CSO Online, during execution Global Group encrypts user files using the “ChaCha20-Poly1305” algorithm, adds a new file extension, and drops a ransom note directing victims to contact the attackers through anonymized channels for payment instructions.
The big picture
The Global Group campaign’s use of disguised .lnk shortcut files fits into a wider pattern seen across healthcare. According to the Paubox report What small healthcare practices get wrong about HIPAA and email security, more than 70% of healthcare data breaches now begin with phishing. Paubox’s 2025 State of Security Report also notes that these attacks succeed largely because they target people rather than technical flaws, citing research that found 88% of healthcare workers have clicked on a phishing link at least once. When a malicious shortcut file is made to look like a normal document, it blends into everyday workflow, which increases the chances that someone will open it without realizing it is harmful.
FAQs
Why is offline ransomware more difficult to stop?
Ransomware that does not require communication with an external server eliminates network-level indicators that defenders often use to detect or block malicious activity.
What is a Windows shortcut file, and why is it dangerous here?
A Windows shortcut file ending in .lnk is designed to point to another program or command. In phishing campaigns, attackers embed malicious commands inside the shortcut so that clicking what appears to be a document actually runs hidden instructions.
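The double-extension disguise described in the report and in this answer can be caught at the mail gateway before anyone clicks. The following Python is an added example, not code from the researchers or from Paubox: it parses a constructed sample message with the standard library and flags attachments whose real extension is .lnk (or another executable type, a list assumed here) hidden behind a document-looking one.

```python
from __future__ import annotations
from email import message_from_string
from email.policy import default

# .lnk is the extension the campaign uses; the other entries are further Windows
# file types that run when double-clicked (added here as an assumption).
EXECUTABLE_EXTENSIONS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta"}
# Extensions a user reads as "a document" once Explorer hides the final one.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}

def classify_filename(filename: str) -> str | None:
    """Return a reason if the attachment name is suspicious, otherwise None."""
    parts = filename.strip().lower().rsplit(".", 2)  # at most the last two extensions
    if len(parts) < 2:
        return None  # no extension at all
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS:
        return f"double extension: .{parts[1]} masks .{real_ext}"
    return f"executable attachment: .{real_ext}"

def suspicious_attachments(raw_message: str) -> list[tuple[str, str]]:
    """Parse an RFC 5322 message; return (filename, reason) per flagged attachment."""
    msg = message_from_string(raw_message, policy=default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        reason = classify_filename(name) if name else None
        if reason:
            flagged.append((name, reason))
    return flagged

# Constructed sample message for this example; not a real campaign artifact.
SAMPLE_EML = """\
Subject: Patient document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Document.doc.lnk"
Content-Disposition: attachment; filename="Document.doc.lnk"

(shortcut bytes omitted)
--b1--
"""

for flagged_name, why in suspicious_attachments(SAMPLE_EML):
    print(f"FLAG {flagged_name}: {why}")
```

A gateway rule built on this check quarantines the message rather than relying on the recipient to notice a hidden .lnk suffix.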
What does Living off the Land mean in this context?
Living off the Land refers to abusing legitimate system tools such as PowerShell or Command Prompt to execute malicious activity, which reduces suspicion because no foreign software appears to be installed.
Why are Volume Shadow Copies targeted?
Volume Shadow Copies are Windows system backups used for file recovery. Deleting them removes an easy restoration option and increases the likelihood that victims will consider paying a ransom.
Does offline encryption mean organizations are defenseless?
Offline encryption increases difficulty for defenders, but layered security controls, including endpoint detection, user training against phishing, restricted execution of shortcut files, and tested offline backups, remain effective mitigation strategies.