GLOBAL GROUP RaaS Operators Enable AI-driven Negotiation Functionality

A sophisticated new ransomware-as-a-service operation has emerged with advanced AI-powered negotiation capabilities and mobile management features, targeting organizations across healthcare, automotive, and industrial sectors.

GLOBAL GROUP, operated by threat actor “$$$”, has claimed 17 victims across multiple countries since its June 2025 launch, demonstrating rapid operational scaling through automated systems and strategic partnerships with Initial Access Brokers.

Key Takeaways
1. GLOBAL GROUP launched in June 2025 as a rebranded Black Lock RaaS operation, claiming 17 victims across the US, UK, Australia, and Brazil.
2. AI-powered negotiation system automates victim communications and enables non-English speaking affiliates to demand seven-figure ransoms.
3. Partnerships with Initial Access Brokers and brute-force tools targeting VPN/Outlook systems accelerate deployment while bypassing EDR detection.
4. Mobile-friendly affiliate panel supports cross-platform ransomware builds with an 85% revenue-sharing model to attract new operatives.

AI-Powered Negotiation System 

GLOBAL GROUP first appeared on June 2, 2025, when threat actor “$$$” promoted the operation on the Ramp4u cybercriminal forum. 

The group’s dedicated leak site, accessible via Tor address vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion, initially listed nine victims within five days of launch. 

Figure: GLOBAL GROUP DLS hosted on the Tor network

By July 14, 2025, the operation had expanded to 17 confirmed victims spanning the United States, the United Kingdom, Australia, and Brazil.

EclecticIQ analysts assess with medium confidence that GLOBAL GROUP represents a rebranding of the Black Lock RaaS operation. 

Technical evidence supports this connection, including shared infrastructure hosted by Russian VPS provider IpServer at IP address 193.19.119[.]4. 

An operational security failure exposed this infrastructure when the group’s API endpoint /posts leaked JSON metadata containing the real hosting environment details.

Malware analysis reveals that GLOBAL GROUP uses a customized variant of the earlier Mamona ransomware, sharing the identical mutex key GlobalFxo16jmdgujs437.

The current variant, written in Go, employs ChaCha20-Poly1305 encryption and supports cross-platform deployment across Windows, Linux, and macOS environments.
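The mutex name, hosting IP and leak-site address above are the kind of host and network indicators a defender can hunt for directly. The following Python script is an added example, not code from the article or from EclecticIQ: it takes those three indicators as published (defanged with "[.]"), re-fangs them, and scans telemetry lines with boundary-aware matching so that a /32 indicator such as 193.19.119.4 does not also fire on 193.19.119.41. The log lines it scans are constructed for the example and the field layout is an assumption.

```python
import re
from dataclasses import dataclass


def refang(text: str) -> str:
    """Undo the common "[.]" defanging so published indicators match live telemetry."""
    return text.replace("[.]", ".")


# Indicators as reported in the article (defanged there, re-fanged here).
INDICATORS = {
    "mutex": "GlobalFxo16jmdgujs437",
    "vps_ip": refang("193.19.119[.]4"),
    "leak_site": refang("vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion"),
}

# Boundary-aware patterns: the indicator must not be part of a longer
# alphanumeric/dotted token, so "193.19.119.41" is not a hit for "193.19.119.4".
_PATTERNS = {
    name: re.compile(r"(?<![A-Za-z0-9.])" + re.escape(value) + r"(?![A-Za-z0-9.])")
    for name, value in INDICATORS.items()
}


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based line number in the scanned input
    indicator: str  # key from INDICATORS
    line: str       # the original (un-refanged) telemetry line


def scan_lines(lines):
    """Return a Hit for every (line, indicator) pair that matches."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = refang(raw)  # telemetry may itself be defanged (e.g. proxy exports)
        for name, pattern in _PATTERNS.items():
            if pattern.search(line):
                hits.append(Hit(n, name, raw))
    return hits


# Constructed sample telemetry (hypothetical key=value format, not from any real product).
SAMPLE_TELEMETRY = [
    "2025-07-14T10:01:02Z host=ws-17 event=process_create image=C:\\Users\\a\\update.exe",
    "2025-07-14T10:01:03Z host=ws-17 event=mutex_create name=\\Sessions\\1\\BaseNamedObjects\\GlobalFxo16jmdgujs437",
    "2025-07-14T10:01:05Z host=ws-17 event=dns_query name=update.example.com",
    "2025-07-14T10:01:09Z host=fw-1 event=conn dst=193.19.119.4 dport=443",
    "2025-07-14T10:01:12Z host=proxy-1 event=http url=hxxp://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion/posts",
    "2025-07-14T10:01:20Z host=fw-1 event=conn dst=193.19.119.41 dport=443",
    "2025-07-14T10:02:00Z host=ws-22 event=mutex_create name=Global\\MsiMutex",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_TELEMETRY):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.line}")
```

On the constructed sample this reports the mutex on line 2, the VPS IP on line 4 and the leak site on line 5; line 6 (a different host in the same /24) is deliberately not reported. Against real EDR or firewall exports, feed the lines from your own export and keep the boundary pattern; substring matching on a bare IP string is the usual source of false positives in quick IOC sweeps.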

GLOBAL GROUP’s most distinctive feature is its AI-driven negotiation panel, designed to assist non-English-speaking affiliates in victim communications. 

Figure: Negotiation panel, threat actor demands 1 million US dollars

This automated system increases psychological pressure during ransom negotiations and facilitates seven-figure payment demands. Recent negotiations have shown demands reaching $1 million USD (approximately 9.5 BTC).

The operation offers an 85% revenue-sharing model to attract affiliates, positioning itself competitively against other RaaS operators. 

A promotional video on the leak site showcases a comprehensive affiliate panel supporting mobile device management, allowing operatives to conduct negotiations via smartphones. 

The platform supports custom ransomware builds for ESXi, NAS, BSD, and Windows systems while claiming to be “undetectable by EDR”.

GLOBAL GROUP accelerates operations through partnerships with Initial Access Brokers (IABs), purchasing pre-compromised network access rather than conducting initial infiltration. 

Threat actor “$$$” has acquired RDP access to U.S. law firms and webshell access to Linux-based SAP NetWeaver systems. The operation particularly targets edge network appliances, including Fortinet, Palo Alto, and Cisco VPN devices.

The group also utilizes brute-force tools targeting Microsoft Outlook Web Access and RDWeb portals, enabling rapid deployment while bypassing traditional endpoint detection systems. 

This strategy allows affiliates to focus on payload delivery and extortion rather than network penetration, significantly reducing time-to-compromise.
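The brute-force activity against Outlook Web Access and RDWeb portals described above is visible in authentication logs long before any payload lands. The following Python detector is an added example, not code from the article or from EclecticIQ: it slides a time window over failed logons per source address, alerts when a source exceeds a failure threshold within the window, and labels the burst as single-account guessing or spray-like (many distinct usernames). The log format is a constructed key=value layout chosen for the example; adapt parse_line() to your IIS or reverse-proxy log fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log layout for the example; real OWA/RDWeb logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$"
)
WATCHED_PATHS = ("/owa/", "/rdweb/")  # login surfaces the article names as brute-force targets


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bursts(lines, threshold=5, window_s=60):
    """Alert once per source that reaches `threshold` failed logons inside a `window_s` window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        if not ev["path"].lower().startswith(WATCHED_PATHS):
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            users = {u for _, u in q}
            alerts.append({
                "src": ev["src"],
                "kind": "spray_like" if len(users) > 1 else "single_account",
                "failures": len(q),
                "distinct_users": len(users),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
            })
            alerted.add(ev["src"])
    return alerts


# Constructed sample log (documentation-range IPs, invented usernames).
SAMPLE_AUTH_LOG = [
    "2025-07-14T10:00:01Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:04Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:07Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:09Z src=192.0.2.9 user=asmith path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:11Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:15Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:00:20Z src=203.0.113.5 user=jdoe path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:01:00Z src=198.51.100.7 user=alice path=/RDWeb/Pages/en-US/login.aspx result=FAIL",
    "2025-07-14T10:01:08Z src=198.51.100.7 user=bob path=/RDWeb/Pages/en-US/login.aspx result=FAIL",
    "2025-07-14T10:01:16Z src=198.51.100.7 user=carol path=/RDWeb/Pages/en-US/login.aspx result=FAIL",
    "2025-07-14T10:01:24Z src=198.51.100.7 user=dave path=/RDWeb/Pages/en-US/login.aspx result=FAIL",
    "2025-07-14T10:01:32Z src=198.51.100.7 user=erin path=/RDWeb/Pages/en-US/login.aspx result=FAIL",
    "2025-07-14T10:05:00Z src=192.0.2.9 user=asmith path=/owa/auth.owa result=FAIL",
    "2025-07-14T10:09:30Z src=192.0.2.9 user=asmith path=/owa/auth.owa result=OK",
    "2025-07-14T10:12:00Z src=192.0.2.9 user=asmith path=/owa/auth.owa result=FAIL",
]


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, 203.0.113.5 trips the threshold at its fifth failure against one account, 198.51.100.7 trips it with five different usernames on the RDWeb login page (the spray-like pattern), and 192.0.2.9, a user who mistypes a password a few times over ten minutes, never alerts. The per-source deque keeps memory proportional to the window rather than the log size, which matters when replaying days of portal logs.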
