GLOBAL GROUP is a newly observed ransomware-as-a-service (RaaS) operation, assessed to be a rebranding of the BlackLock RaaS, targeting multiple sectors across the US, Europe, Australia, and Brazil with a custom Go-based ransomware payload and AI-driven ransom negotiations. The group relies heavily on Initial Access Brokers for network entry and deploys ransomware rapidly once inside, prioritizing high-value targets and seven-figure ransom demands. #GLOBALGROUP #BlackLock #Mamona #Ramp4u #InitialAccessBroker
Keypoints
- GLOBAL GROUP was first observed on June 2, 2025, when the threat actor “$$$” advertised it on the Ramp4u forum; it is assessed to be a rebranding of the BlackLock RaaS.
- The ransomware targets diverse sectors including healthcare, oil-and-gas equipment fabrication, industrial machinery, automotive repair, and business process outsourcing across several countries.
- The group uses a Tor-based dedicated leak site hosted on a Russia-based VPS provider, IpServer, previously used by Mamona RaaS.
- GLOBAL GROUP ransomware is a custom Go-based payload that encrypts files with ChaCha20-Poly1305 and supports rapid domain-wide deployment by connecting to hosts over SMB and creating Windows services on them.
- The RaaS platform uses AI-driven chatbots to automate ransom negotiations with victims in multiple languages, which the operators use to push seven-figure ransom demands.
- The group relies on Initial Access Brokers (IABs) for access to vulnerable edge devices including Fortinet, Palo Alto, and Cisco VPNs, and also uses brute-force tools targeting Microsoft Outlook and RDWeb portals.
- GLOBAL GROUP offers an affiliate program with an 80-85% revenue share and features a user-friendly affiliate panel for campaign management and payload customization.
- The threat actor “$$$” maintains ties to previous ransomware operations, confirmed through shared infrastructure and code similarities with the Mamona and BlackLock ransomware.
MITRE Techniques
- [T1110] Brute Force – GLOBAL GROUP uses brute-force and password-spraying tools against exposed VPN and web access portals (Fortinet, Palo Alto, Cisco, Microsoft Outlook, RDWeb) to obtain initial network access (‘brute-forcing or exploiting enterprise VPN appliances’).
- [T1078] Valid Accounts – The group buys or harvests VPN credentials and edge-device access and uses them for privileged, low-noise entry that bypasses endpoint detection (‘successfully compromising a VPN gateway grants stealthy entry’).
- [T1133] External Remote Services – Affiliates use purchased RDP and web-shell access for entry, lateral movement, and ransomware deployment; the web-shell component maps to T1505.003 (‘purchased RDP-level access and webshell access on Linux-based systems such as SAP NetWeaver’).
- [T1543.003] Create or Modify System Process: Windows Service – The ransomware creates malicious Windows services on remote hosts reached over SMB admin shares (T1021.002) for automated domain-wide deployment (‘uses SMB connections and malicious Windows service creation for scalable deployment’).
- [T1070] Indicator Removal – Operational flags set in the affiliate panel enable log deletion (T1070.001) and self-deletion of the payload (T1070.004) to hinder detection and forensics (‘custom configurations such as self-delete and log deletion’).
- [T1657] Financial Theft – Extortion is run through AI-driven chatbots that negotiate with victims automatically and in multiple languages (‘AI-driven negotiation functionality increases psychological pressure’).
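The deployment technique above (the same service binary installed on many hosts from an SMB share within minutes) is something a detection engineer can alert on directly. The script below is an added example written for this page, not code from the EclecticIQ report or from the ransomware operation. SAMPLE_EVENTS are constructed, simplified Windows System-log records (Event ID 7045, "A service was installed in the system"); their tuple layout, the hostnames, and the account name are assumptions. The rule flags service binaries loaded from a UNC path or a scratch directory, then groups them and fires when the same service lands on several distinct hosts inside a short window.

```python
"""Detect mass Windows service creation used for domain-wide ransomware deployment.

Added example, not code from the EclecticIQ report or the page. SAMPLE_EVENTS are
constructed, simplified Event ID 7045 records; their field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, host, service name, image path, installing account)
SAMPLE_EVENTS = [
    ("2025-06-02T01:00:05", "FS01",  "Spooler", r"C:\Windows\System32\spoolsv.exe", "SYSTEM"),
    ("2025-06-02T02:10:00", "WS101", "svc_upd", r"\\DC01\ADMIN$\upd.exe", r"CORP\svc_backup"),
    ("2025-06-02T02:10:04", "WS102", "svc_upd", r"\\DC01\ADMIN$\upd.exe", r"CORP\svc_backup"),
    ("2025-06-02T02:10:09", "WS103", "svc_upd", r"\\DC01\ADMIN$\upd.exe", r"CORP\svc_backup"),
    ("2025-06-02T02:10:15", "FS01",  "svc_upd", r"\\DC01\ADMIN$\upd.exe", r"CORP\svc_backup"),
    ("2025-06-03T09:00:00", "WS200", "gupdate",
     r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "SYSTEM"),
]

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
# Locations a legitimately installed service binary rarely lives in.
SUSPICIOUS_MARKERS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\appdata\\")


def is_suspicious_path(image_path: str) -> bool:
    """A service binary loaded from a UNC share (SMB lateral movement), a scratch
    directory, or anywhere outside Windows/Program Files is suspicious."""
    p = image_path.strip('"').lower()
    if p.startswith("\\\\"):            # \\host\share\...: image pulled from a remote share
        return True
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return True
    return not p.startswith(TRUSTED_PREFIXES)


def find_mass_service_installs(events, window=timedelta(minutes=10), min_hosts=3):
    """Group suspicious installs by (service, image, account) and report groups that
    reach min_hosts distinct hosts inside any window-long interval."""
    groups = defaultdict(list)
    for ts, host, name, image, account in events:
        if is_suspicious_path(image):
            groups[(name, image, account)].append((datetime.fromisoformat(ts), host))

    alerts = []
    for (name, image, account), entries in groups.items():
        entries.sort()
        best, start = set(), 0
        for end in range(len(entries)):             # sliding window over sorted times
            while entries[end][0] - entries[start][0] > window:
                start += 1
            hosts = {h for _, h in entries[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"service": name, "image": image, "account": account,
                           "hosts": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_mass_service_installs(SAMPLE_EVENTS):
        print(f"[ALERT] service {alert['service']} from {alert['image']} installed on "
              f"{len(alert['hosts'])} hosts by {alert['account']}: {', '.join(alert['hosts'])}")
```

The sample data trips the rule for svc_upd (four hosts in fifteen seconds) and ignores the spooler and updater services. In production, 7045 does not record the remote source host; join it with Security 4624 type 3 logons or 5140 share accesses to attribute the installs to a single pivot machine, and tune min_hosts and the window against your own software-deployment tooling, which produces the same shape of burst from trusted paths.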
Indicators of Compromise
- [IP Address] VPS hosting leak site – 193.19.119[.]4 associated with the GLOBAL GROUP DLS, previously used by the Mamona operation.
- [IP Address] Ransomware infrastructure – 185.244.151[.]84, 185.244.151[.]87 associated with staging domain jacknwoods[.]com linked to Bitter APT (TA397).
- [File Hash] GLOBAL ransomware samples – b5e811d7c104ce8dd2509f809a80932540a21ada0ee9e22ac61d080dc0bd237d, 232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f, 28f3de066878cb710fe5d44f7e11f65f25328beff953e00587ffeb5ac4b2faa8, 1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e.
- [File Hash] Go-based GLOBAL ransomware sample – a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73.
- [Domain] Tor network leak sites – vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion, gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd[.]onion for posting stolen data and ransom negotiations.
- [Social Media] Threat actor profile – x[.]com/GlobalTeamLock used for promotion.
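To put the indicators above to work, the script below refangs them and sweeps log lines for hits. It is an added example written for this page, not code from the EclecticIQ report. RAW_IOCS copies the indicator values listed above as the page writes them (defanged with [.]); the log lines, their field layout, and the hostnames in them are constructed for the example. Two details a naive exact-match sweep gets wrong are handled: a DNS query for a subdomain of a listed domain still counts as a hit, and hashes match regardless of case.

```python
"""Refang the page's defanged indicators and sweep constructed log lines for them.

Added example, not code from the EclecticIQ report or the page. RAW_IOCS copies the
page's IOC list; SAMPLE_LOGS and their formats are constructed assumptions.
"""
import re

RAW_IOCS = {
    "ip": ["193.19.119[.]4", "185.244.151[.]84", "185.244.151[.]87"],
    "domain": [
        "jacknwoods[.]com",
        "vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion",
        "gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd[.]onion",
    ],
    "sha256": [
        "b5e811d7c104ce8dd2509f809a80932540a21ada0ee9e22ac61d080dc0bd237d",
        "232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f",
        "28f3de066878cb710fe5d44f7e11f65f25328beff953e00587ffeb5ac4b2faa8",
        "1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e",
        "a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73",
    ],
}

# Constructed sample lines: a proxy record to the staging host, a benign proxy record,
# an EDR process event carrying an upper-case SHA-256, and a DNS query for a subdomain.
SAMPLE_LOGS = [
    "2025-06-05T10:02:11Z proxy allow src=10.0.4.21 dst=185.244.151.84 url=http://jacknwoods.com/upd.exe",
    "2025-06-05T10:02:12Z proxy allow src=10.0.4.21 dst=142.250.74.46 url=https://www.google.com/",
    "2025-06-05T10:03:40Z edr process host=WS102 image=C:\\Users\\Public\\upd.exe "
    "sha256=A8C28BD6F0F1FE6A9B880400853FC86E46D87B69565EF15D8AB757979CD2CC73",
    "2025-06-05T10:05:00Z dns query host=WS102 qname=cdn.jacknwoods.com",
]

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.(?:onion|com|net|org|ru|io)\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] and (dot) become '.', hxxp becomes http."""
    return re.sub(r"\[\.\]|\(dot\)", ".", ioc).replace("hxxp", "http")


def build_matchers(raw=RAW_IOCS):
    """Refanged, lower-cased lookup sets per indicator type."""
    return {kind: {refang(v).lower() for v in values} for kind, values in raw.items()}


def scan_line(line: str, matchers) -> list:
    """Return (kind, observed value, matching indicator) tuples for one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in matchers["ip"]:
            hits.append(("ip", ip, ip))
    for dom in DOMAIN_RE.findall(line):
        d = dom.lower()
        for ioc in matchers["domain"]:
            if d == ioc or d.endswith("." + ioc):   # subdomains of a listed domain count
                hits.append(("domain", d, ioc))
    for h in SHA256_RE.findall(line):
        if h.lower() in matchers["sha256"]:
            hits.append(("sha256", h.lower(), h.lower()))
    return hits


def scan(lines, raw=RAW_IOCS) -> list:
    """Return [(line number, hits)] for every line with at least one hit."""
    matchers = build_matchers(raw)
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, matchers)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        for kind, seen, ioc in hits:
            print(f"line {n}: {kind} {seen} matches indicator {ioc}")
```

Two caveats when running this against real telemetry: the .onion addresses will not show up in DNS or proxy logs (Tor does not resolve them through DNS), so sweep ransom notes, dropped files, and browser history for them instead; and 193.19.119[.]4 is a VPS address the page says was reused across operations, so treat a hit on it as a pivot for investigation rather than proof of this specific group.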
Read more: https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service