A newly branded ransomware outfit, GLOBAL GROUP, has exploded onto the scene with an aggressive campaign that targets critical infrastructure and enterprises across the United States, United Kingdom, Australia, and Brazil. Uncovered by EclecticIQ analysts, this Ransomware-as-a-Service (RaaS) operation appears to be a rebranding of the Black Lock and Mamona RIP campaigns, now evolved into a highly automated, revenue-driven cybercrime syndicate.
Announced on the Ramp4u underground forum by the Russian-speaking actor $$$, GLOBAL GROUP surfaced with a dedicated leak site hosted on the Tor network, showcasing stolen data from 17 confirmed victims within weeks of launching.

Victim sectors include:
- Healthcare providers in Australia and the U.S.
- Oil-and-gas manufacturers in Texas
- Industrial engineering firms in the UK
- Automotive service companies in the UK
- Facilities management providers in Brazil
What sets GLOBAL GROUP apart from typical RaaS models is its automated negotiation system driven by AI chatbots. These tools empower affiliates—especially non-English speakers—to pressure victims, escalate demands, and coordinate ransom payments with unsettling precision.
“The AI-driven negotiation functionality increases psychological pressure during negotiations and facilitates seven-figure ransom demands for decryption keys,” the report states.
Their ransomware panel, accessible via mobile, enables affiliates to:
- Build ransomware payloads
- Monitor victim interactions
- Set encryption configurations
- Initiate ransom talks instantly
And they’re luring affiliates with up to 85% revenue share, outcompeting other RaaS gangs.
EclecticIQ analysts noted strong links between GLOBAL GROUP and the now-defunct Mamona RIP ransomware. The same threat actor, $$$, reused:
- The mutex key Global\Fxo16jmdgujs437
- VPS infrastructure from Russian provider IpServer
In addition, an SSH leak via an exposed JSON API accidentally revealed the IP 193.19.119[.]4 used for their Tor-hosted dedicated leak site (DLS).
“This leak confirmed that victim data was stored on a misconfigured system, reachable over the internet,” the report states.
Moreover, code analysis revealed GLOBAL GROUP’s ransomware is written in Go and uses ChaCha20-Poly1305 encryption, optimized for cross-platform attacks on Windows, Linux, macOS, ESXi, and NAS environments.
GLOBAL GROUP doesn’t rely solely on malware—it buys its way in.
Working with Initial Access Brokers (IABs) like “HuanEbashes”, the group acquires:
- RDP and VPN credentials
- Webshell access to enterprise apps like SAP
- Brute-force tools to target VPNs, OWA, and RDWeb portals
These partnerships allow the ransomware to bypass perimeter defenses, inherit domain privileges, and spread laterally at speed.
GLOBAL ransomware payloads encrypt massive volumes of data across infrastructure—including VMware ESXi hypervisors—shutting down business-critical services instantly. Victims receive ransom notes pointing them to a Tor negotiation portal, where they are prompted to upload encrypted files for verification.

A leaked chat screenshot shows the group demanding $1 million within 48 hours, using psychological pressure and time-sensitive threats to secure fast payouts.