In June 2025, a new ransomware-as-a-service (RaaS) operation named GLOBAL GROUP surfaced, introducing advanced artificial intelligence (AI) capabilities into cyber extortion tactics. This development signifies a notable evolution in cybercriminal methodologies, particularly in the automation and sophistication of ransom negotiations.
Introduction to GLOBAL GROUP
GLOBAL GROUP, orchestrated by the threat actor known as “$$$”, has rapidly expanded its reach, claiming 17 victims across the United States, the United Kingdom, Australia, and Brazil within a month of its inception. The operation’s swift proliferation is attributed to its strategic alliances with Initial Access Brokers (IABs) and the integration of AI-driven systems that streamline various facets of the ransomware process.
AI-Powered Negotiation System
A distinguishing feature of GLOBAL GROUP is its AI-enhanced negotiation platform. This system automates communication with victims, enabling affiliates, regardless of their linguistic proficiency, to engage in complex negotiations and demand substantial ransoms. Notably, ransom demands have escalated to seven-figure sums, with recent cases reaching $1 million USD (approximately 9.5 BTC). The AI system not only facilitates these interactions but also intensifies psychological pressure on victims, potentially increasing the likelihood of compliance.
Technical Infrastructure and Malware Analysis
Analyses suggest that GLOBAL GROUP may be a rebranded iteration of the Black Lock RaaS operation. This inference is supported by shared technical infrastructure, including servers hosted by the Russian VPS provider IpServer at IP address 193.19.119[.]4. An operational security lapse exposed this infrastructure when the group’s API endpoint leaked metadata revealing the actual hosting environment.
The ransomware employed by GLOBAL GROUP is a customized variant of the Mamona ransomware and reuses the identical mutex name, Global\Fxo16jmdgujs437. Compiled in Golang, this variant uses ChaCha20-Poly1305 encryption and is designed for cross-platform deployment across Windows, Linux, and macOS systems.
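The two indicators named in this section, the mutex and the hosting IP address, can be checked against endpoint and network telemetry. The following is an added example, not code from the article or from any vendor; the JSON field names (host, object_name, dest_ip, src_ip) are hypothetical and the log lines are constructed for illustration.

```python
import ipaddress
import json
import re

# Indicators exactly as published in the article (the IP is defanged there).
MUTEX_IOC = r"Global\Fxo16jmdgujs437"
C2_IOC_DEFANGED = "193.19.119[.]4"

def refang(value):
    """Turn a defanged indicator such as 193.19.119[.]4 back into its literal form."""
    return value.replace("[.]", ".").replace("(.)", ".")

C2_ADDR = ipaddress.ip_address(refang(C2_IOC_DEFANGED))
# Match the leaf name only: a tool may log Global\... or \BaseNamedObjects\...
MUTEX_LEAF = MUTEX_IOC.rsplit("\\", 1)[-1]
MUTEX_RE = re.compile(r"(?:^|\\)" + re.escape(MUTEX_LEAF) + r"$")

def match_event(event):
    """Return the indicator names matched by one telemetry event (a dict)."""
    hits = []
    if MUTEX_RE.search(str(event.get("object_name", ""))):
        hits.append("mutex")
    for field in ("dest_ip", "src_ip"):
        try:
            # Parsed comparison, so 193.19.119.40 is not a substring false positive.
            if ipaddress.ip_address(str(event.get(field, "")).strip()) == C2_ADDR:
                hits.append("ip:" + field)
        except ValueError:
            continue  # field missing or not an IP address
    return hits

def scan(lines):
    """Yield (line_number, host, hits) for every JSON log line with a match."""
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        hits = match_event(event) if isinstance(event, dict) else []
        if hits:
            yield number, event.get("host", "?"), hits

# Constructed sample telemetry (hypothetical schema, not real incident data).
SAMPLE_LOG = [
    r'{"host": "ws-014", "event": "mutex_create", "object_name": "Global\\Fxo16jmdgujs437"}',
    r'{"host": "ws-014", "event": "net_connect", "dest_ip": "193.19.119.4", "dest_port": 443}',
    r'{"host": "srv-02", "event": "net_connect", "dest_ip": "193.19.119.40", "dest_port": 443}',
    r'{"host": "ws-020", "event": "mutex_create", "object_name": "\\BaseNamedObjects\\XFxo16jmdgujs437"}',
    "not json at all",
]
HITS = list(scan(SAMPLE_LOG))  # lines 1 and 2 match; lines 3 to 5 do not
```

A published IP address and mutex are point-in-time indicators, so a match is a strong lead while the absence of one says little about whether a host is affected.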
Affiliate Recruitment and Revenue Sharing
To attract affiliates, GLOBAL GROUP offers an 85% revenue-sharing model, positioning itself competitively within the RaaS market. A promotional video on their leak site showcases a comprehensive affiliate panel compatible with mobile devices, allowing operatives to manage negotiations via smartphones. The platform supports custom ransomware builds for various systems, including ESXi, NAS, BSD, and Windows, and claims to be “undetectable by EDR” (Endpoint Detection and Response) solutions.
Operational Tactics and Partnerships
GLOBAL GROUP accelerates its operations through collaborations with Initial Access Brokers, acquiring pre-compromised network access instead of conducting initial infiltrations. The threat actor “$$$” has procured RDP access to U.S. law firms and webshell access to Linux-based SAP NetWeaver systems. The operation particularly targets edge network appliances, such as VPNs and Outlook Web Access, employing brute-force tools to gain entry while evading EDR detection.
Implications for Cybersecurity
The emergence of AI-powered negotiation functionalities in ransomware operations like GLOBAL GROUP underscores a significant shift in cybercriminal strategies. The automation of negotiation processes not only enhances the efficiency of these operations but also poses new challenges for cybersecurity defenses. Organizations must adapt to these evolving threats by implementing robust security measures, including advanced threat detection systems, regular security audits, and comprehensive employee training programs to mitigate the risks associated with such sophisticated cyber attacks.
Conclusion
GLOBAL GROUP’s integration of AI into its ransomware operations marks a pivotal development in the cyber threat landscape. As cybercriminals continue to leverage advanced technologies to enhance their tactics, it is imperative for organizations to stay vigilant and proactive in their cybersecurity efforts to protect against these increasingly sophisticated threats.