
A newly surfaced Ransomware-as-a-Service operation, dubbed GLOBAL GROUP, has begun deploying an AI-driven negotiation tool that elevates the psychological pressure on victims and streamlines extortion workflows for affiliates.
Security researchers at EclecticIQ first identified GLOBAL GROUP’s activity in early June on the Ramp4u underground forum, where the threat actor known as “$$$” shared an onion link to a dedicated leak site and touted a forthcoming full-service RaaS platform.
Subsequent analysis suggests that GLOBAL GROUP represents a rebranding of the Black Lock RaaS operation, itself the successor to the now-defunct Mamona ransomware, all under the direction of the same actor.

GLOBAL GROUP’s infrastructure relies heavily on Initial Access Brokers (IABs) who sell footholds in high-value corporate networks.

These brokers provide remote access via compromised VPN appliances—most notably Fortinet, Palo Alto, and Cisco—alongside webshells for SAP NetWeaver environments and brute-force access to Microsoft Outlook Web Access and RDWeb portals.
Once an affiliate secures entry, they deploy customized ransomware payloads that rely on speed and the resulting chaos to maximize damage before traditional endpoint defences can react.
The group’s new negotiation system is powered by bespoke AI chatbots that guide victims through a scripted extortion dialogue.

Affiliates select from multiple language options, ensuring non-English-speaking criminals can interact with their targets as fluently as native speakers.
Once engaged, the AI progressively tightens the time pressure, threatening data leaks and public shaming if victims delay.

According to EclecticIQ, some victims have been presented with seven-figure demands—commonly exceeding one million U.S. dollars for decryption keys—and given as little as 48 hours to respond.
Behind the scenes, GLOBAL GROUP’s leak site exposes compromised data sets belonging to healthcare providers in the United States and Australia, an industrial machinery firm in the United Kingdom, and other targets in regions such as Brazil.
Researchers traced the site’s real IP to a Russia-based VPS provider long associated with Mamona’s operations, confirming the threat actor’s identity through repeated infrastructure reuse and operational security lapses.

Affiliates of GLOBAL GROUP are promised an 80 to 85 percent share of ransom payments, a model designed to lure seasoned cybercriminals away from rival RaaS offerings.
The platform’s affiliate dashboard allows operators to build cross-platform payloads for Windows, Linux, ESXi, and BSD, to configure encryption flags, and to initiate automated domain-wide deployments using SMB and malicious Windows services.
This degree of customization, paired with the AI negotiation interface, signals a maturation of the RaaS market into a competitive “service economy” for cybercrime.
While law enforcement and cybersecurity firms increase pressure on ransomware syndicates, GLOBAL GROUP’s rapid victim accrual and seven-figure extortion demands illustrate that RaaS operations remain resilient and are now leveraging artificial intelligence to sustain and scale their profits.
Continued monitoring of GLOBAL GROUP’s evolving tactics will be critical to developing more robust defensive strategies and disrupting the affiliate networks that fuel these sophisticated ransomware campaigns.
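
For defenders, the domain-wide deployment over SMB and Windows services described above can surface as the same new service being installed on many hosts within minutes. The following Python example is added here and is not code from EclecticIQ or the original article; it assumes Service Control Manager Event ID 7045 ("A service was installed in the system") records have already been collected and parsed, and the sample events, host names, thresholds and the function name `find_service_fanout` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: parsed Windows System-log records for Event ID 7045,
# as (timestamp, host, service name, image path). All values are made up.
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:05", "WS-001", "UpdaterSvc", r"C:\Windows\Temp\upd.exe"),
    ("2025-01-10T02:14:09", "WS-002", "UpdaterSvc", r"C:\Windows\Temp\upd.exe"),
    ("2025-01-10T02:14:12", "WS-003", "UpdaterSvc", r"c:\windows\temp\UPD.exe"),
    ("2025-01-10T02:14:20", "FS-001", "UpdaterSvc", r"C:\Windows\Temp\upd.exe"),
    ("2025-01-10T09:00:00", "WS-001", "PrintHelper", r"C:\Program Files\Vendor\ph.exe"),
    ("2025-01-12T09:00:00", "WS-002", "PrintHelper", r"C:\Program Files\Vendor\ph.exe"),
    ("2025-01-14T09:00:00", "WS-003", "PrintHelper", r"C:\Program Files\Vendor\ph.exe"),
]


def find_service_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per service binary that was installed on at least
    min_hosts distinct hosts inside a sliding time window."""
    by_image = defaultdict(list)
    for ts, host, name, image in events:
        # Windows paths are case-insensitive, so group on the lower-cased path.
        by_image[image.lower()].append((datetime.fromisoformat(ts), host, name))

    alerts = []
    for image, installs in by_image.items():
        installs.sort()
        start = 0
        for end in range(len(installs)):
            # Advance the left edge until the span fits inside the window.
            while installs[end][0] - installs[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in installs[start:end + 1]}
            if len(hosts) >= min_hosts:
                # Report the whole burst once, then move to the next binary.
                first = installs[start][0]
                burst = [i for i in installs[start:] if i[0] - first <= window]
                alerts.append({
                    "image_path": image,
                    "first_seen": first.isoformat(),
                    "hosts": sorted({h for _, h, _ in burst}),
                    "service_names": sorted({n for _, _, n in burst}),
                })
                break
    return alerts


if __name__ == "__main__":
    print(find_service_fanout(SAMPLE_EVENTS))
```

Legitimate software-distribution tools also install services in bulk, so known deployment binaries would need to be allowlisted before alerting on this pattern.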