GLOBAL GROUP has emerged as a sophisticated new Ransomware-as-a-Service (RaaS) operation that leverages artificial intelligence to enhance ransom negotiations and streamline affiliate operations.
The group, which appeared on the Ramp4u forum on June 2, 2025, has already claimed 17 victims across multiple countries and industries, demonstrating rapid operational scaling with advanced technological capabilities that distinguish it from traditional ransomware operations.
GLOBAL GROUP’s most distinctive feature is its automated negotiation system powered by AI-driven chatbots, designed to increase psychological pressure during victim interactions and facilitate seven-figure ransom demands.
The system enables non-English-speaking affiliates to engage victims more effectively through sophisticated language processing capabilities, expanding the operational reach of the criminal enterprise beyond traditional linguistic barriers.
The group’s promotional materials showcase a fully featured RaaS platform with an interactive affiliate panel that allows cybercriminals to manage victims, build custom ransomware payloads, and monitor operations in real-time.
The platform supports cross-platform ransomware builds for ESXi, NAS, BSD, and Windows operating systems, while claiming that its payloads are “undetectable by EDR” solutions.
Mobile device compatibility ensures affiliates can conduct ransom negotiations remotely, with the platform offering an aggressive 85% revenue-sharing model to attract new partners.
Recent negotiations captured by researchers show demands reaching $1 million within 48-hour timeframes, with the AI system apparently designed to optimize pressure tactics and payment timelines.
The ransom notes direct victims to a dedicated Tor-based negotiation portal, where they must verify breaches by uploading encrypted files for free decryption, with warnings of public data leaks if negotiations are not initiated within three days.
Security researchers have established strong connections between GLOBAL GROUP and previous ransomware operations, particularly the defunct Mamona RIP ransomware and the ongoing Black Lock RaaS.
The threat actor operating under the alias “$$$” controls all three operations, with technical evidence confirming shared infrastructure and malware code similarities.
Both GLOBAL GROUP and Mamona operations utilize the same Russian VPS provider called IpServer, with GLOBAL GROUP’s current infrastructure hosted at IP address 193.19.119.4.
An operational security failure exposed this connection when the group’s API endpoint returned JSON metadata revealing the real-world hosting environment, including SSH connection details that confirmed victim data storage on internet-accessible systems.
Malware analysis reveals that GLOBAL GROUP uses a customized variant of Mamona ransomware, with both strains sharing the identical mutex key “Global\Fxo16jmdgujs437.”
The updated version includes enhanced functionality for automated domain-wide ransomware installation using SMB connections and malicious Windows service creation, enabling more scalable deployment across enterprise networks.
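The infrastructure overlap and the deployment behaviour described above (a shared hosting IP, a shared mutex name, and domain-wide installation over SMB with malicious service creation) are the kind of signals a defender would correlate. The following detection sketch is an added example and is not code from the report, the researchers, or the group. It uses simplified dict records modelled on Windows System log event 7045 (service installed) and Sysmon event 3 (network connection); the `mutex_enum` record type, all host names, service names, timestamps and threshold values are constructed assumptions, while the IP address and mutex string are the ones the report states.

```python
"""Detection sketch (added example, not from the report or the group):
correlate signals from the deployment behaviour described above.

Event shapes are simplified dicts modelled on Windows System log 7045
(service installed) and Sysmon event 3 (network connection); all sample
events, host names and service names below are constructed. The IP and
mutex values are the ones stated in the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOCs quoted in the report text
KNOWN_C2_IPS = {"193.19.119.4"}
KNOWN_MUTEXES = {r"Global\Fxo16jmdgujs437"}

# A service binary launched from a UNC admin share (\\host\ADMIN$\..., C$, IPC$)
# is the footprint of a remote install over SMB.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(ADMIN|C|IPC)\$\\", re.IGNORECASE)

FLEET_THRESHOLD = 3                   # same service name on >= 3 hosts ...
FLEET_WINDOW = timedelta(minutes=10)  # ... within 10 minutes => domain-wide push (assumed values)


def check_event(ev):
    """Per-event rules; returns a list of (rule_name, host) tuples."""
    hits = []
    host = ev["host"]
    if ev["event_id"] == 7045 and ADMIN_SHARE_RE.match(ev.get("ImagePath", "")):
        hits.append(("service_from_admin_share", host))
    if ev["event_id"] == 3 and ev.get("DestinationIp") in KNOWN_C2_IPS:
        hits.append(("known_infrastructure_contact", host))
    # "mutex_enum" is a constructed record type: mutex handle names enumerated on a host
    if ev["event_id"] == "mutex_enum" and KNOWN_MUTEXES & set(ev.get("mutexes", [])):
        hits.append(("known_mutex_present", host))
    return hits


def fleet_wide_installs(events):
    """Correlation rule: one ServiceName appearing on many hosts inside a short window."""
    by_name = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 7045:
            by_name[ev["ServiceName"]].append((ev["ts"], ev["host"]))
    findings = []
    for name, installs in by_name.items():
        installs.sort()
        for i, (t0, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - t0 <= FLEET_WINDOW}
            if len(hosts) >= FLEET_THRESHOLD:
                findings.append(("fleet_wide_service_install", name, sorted(hosts)))
                break
    return findings


def analyze(events):
    """Run both rule sets; returns (per_event_hits, correlation_findings)."""
    per_event = [hit for ev in events for hit in check_event(ev)]
    return per_event, fleet_wide_installs(events)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: three workstations receive the same service from a
# file server's admin share within minutes, one of them reaches the reported IP,
# and a handle enumeration on another shows the reported mutex. WS04 is benign.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "ts": _t("2025-06-10T09:00:00"),
     "ServiceName": "UpdSvc", "ImagePath": r"\\FS01\ADMIN$\upd.exe"},
    {"event_id": 7045, "host": "WS02", "ts": _t("2025-06-10T09:02:00"),
     "ServiceName": "UpdSvc", "ImagePath": r"\\FS01\ADMIN$\upd.exe"},
    {"event_id": 7045, "host": "WS03", "ts": _t("2025-06-10T09:04:00"),
     "ServiceName": "UpdSvc", "ImagePath": r"\\FS01\ADMIN$\upd.exe"},
    {"event_id": 7045, "host": "WS04", "ts": _t("2025-06-10T09:05:00"),
     "ServiceName": "VendorSvc", "ImagePath": r"C:\Program Files\Vendor\svc.exe"},
    {"event_id": 3, "host": "WS02", "ts": _t("2025-06-10T09:03:00"),
     "DestinationIp": "193.19.119.4", "DestinationPort": 443},
    {"event_id": "mutex_enum", "host": "WS03", "ts": _t("2025-06-10T09:06:00"),
     "mutexes": [r"Global\Fxo16jmdgujs437", r"Global\SomeVendorMutex"]},
    {"event_id": "mutex_enum", "host": "WS04", "ts": _t("2025-06-10T09:06:00"),
     "mutexes": [r"Global\SomeVendorMutex"]},
]

if __name__ == "__main__":
    hits, fleet = analyze(SAMPLE_EVENTS)
    for h in hits:
        print("hit:", h)
    for f in fleet:
        print("correlation:", f)
```

The per-event rules are cheap string matches and will be bypassed the moment the actor rotates an IP or renames a mutex; the fleet-wide correlation rule is the more durable of the two, since a burst of identical service installs sourced from one admin share is a property of the deployment method rather than of a particular build.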
According to the report, GLOBAL GROUP heavily relies on Initial Access Brokers (IABs) to acquire access to vulnerable edge appliances, including Fortinet, Palo Alto, and Cisco devices.
The group supplements purchased access with brute-force tools targeting Microsoft Outlook and RDWeb portals, enabling high-privilege initial access that often bypasses traditional endpoint detection and response solutions.
The threat actor has been observed purchasing RDP access to high-value targets, including U.S. law firms, and acquiring webshell access on Linux-based systems such as SAP NetWeaver.
These access vectors enable rapid deployment of post-exploitation tooling for lateral movement, followed by large-scale data exfiltration for extortion purposes before ransomware execution across compromised networks.
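Brute-force activity against Outlook and RDWeb portals, as described above, leaves a recognisable shape in web-server logs: either one source failing against many accounts a few times each (spraying) or one source hammering a single account. The following is an added example, not code from the report or the researchers, that runs two such rules over a log. The log format is a simplified constructed one (a real IIS log needs a different regex and its own success/failure status conventions), the convention that status 401 means a failed logon belongs to that constructed format, and all source addresses (TEST-NET ranges) and usernames are invented.

```python
"""Added example (not from the report): spot password spraying and brute force
against an RDWeb / OWA login endpoint in web-server access logs.

The log format below is a simplified, constructed one in which status 401
marks a failed logon; a real IIS log would need a different regex and
different success/failure conventions. Source IPs are TEST-NET addresses
and all usernames are invented.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) POST (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d+)$"
)

# Login endpoints of interest (RDWeb and OWA); assumed paths for the constructed log
LOGIN_PATHS = ("/RDWeb/Pages/en-US/login.aspx", "/owa/auth.owa")

# Constructed sample: one source sprays six accounts once each, a legitimate user
# mistypes once then succeeds, and a third source tries "admin" twelve times.
SAMPLE_LOG = """\
2025-06-10 08:00:01 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=alice status=401
2025-06-10 08:00:02 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=bob status=401
2025-06-10 08:00:03 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=carol status=401
2025-06-10 08:00:04 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=dave status=401
2025-06-10 08:00:05 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=erin status=401
2025-06-10 08:00:06 203.0.113.7 POST /RDWeb/Pages/en-US/login.aspx user=frank status=401
2025-06-10 08:01:00 192.0.2.5 POST /owa/auth.owa user=alice status=401
2025-06-10 08:01:05 192.0.2.5 POST /owa/auth.owa user=alice status=302
""" + "".join(
    f"2025-06-10 08:02:{i:02d} 198.51.100.9 POST /owa/auth.owa user=admin status=401\n"
    for i in range(12)
)


def parse(log):
    """Parse the constructed log into dicts, keeping only login-endpoint requests."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path") in LOGIN_PATHS:
            records.append(m.groupdict())
    return records


def failures_by_source(records):
    """src -> {user: failed-attempt count}, counting only failed logons (status 401 here)."""
    table = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["status"] == "401":
            table[r["src"]][r["user"]] += 1
    return table


def detect_spray(records, min_users=5, max_per_user=2):
    """Password spray: one source fails against many accounts, few tries each."""
    out = {}
    for src, users in failures_by_source(records).items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            out[src] = sorted(users)
    return out


def detect_bruteforce(records, min_failures=10):
    """Brute force: one source accumulates many failures against a single account."""
    out = []
    for src, users in failures_by_source(records).items():
        for user, n in users.items():
            if n >= min_failures:
                out.append((src, user, n))
    return sorted(out)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("spray sources:", detect_spray(recs))
    print("brute-force pairs:", detect_bruteforce(recs))
```

The two rules are deliberately separate: spraying keeps per-account failures below typical lockout thresholds, so a rule keyed only on failures per account never fires on it, while a rule keyed on distinct accounts per source misses a single-account brute force. Thresholds are assumptions and need tuning against a baseline of the portal's normal traffic.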