GLOBAL GROUP RaaS Launches Operations with AI-Powered Negotiation Tools

July 15, 2025
Cybercrime / Ransomware

Cybersecurity researchers have uncovered a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP, which has been targeting various sectors across Australia, Brazil, Europe, and the United States since its debut in early June 2025. According to EclecticIQ researcher Arda Büyükkaya, GLOBAL GROUP was “advertised on the Ramp4u forum by the threat actor known as ‘$$$.’” This same individual is associated with the BlackLock RaaS and has previously overseen the Mamona ransomware operations. It is believed that GLOBAL GROUP represents a rebranding of BlackLock, following the defacement of its data leak site by the DragonForce ransomware cartel in March. Notably, BlackLock itself was a rebranding of an earlier RaaS scheme called Eldorado. This financially motivated group is known for relying heavily on initial access brokers (IABs), who exploit vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks, to deploy ransomware.

A newly identified ransomware-as-a-service (RaaS) entity, referred to as GLOBAL GROUP, has rapidly gained traction, targeting various sectors across Australia, Brazil, Europe, and the United States since its inception in early June 2025. Researchers at EclecticIQ have reported that this operation is being promoted on the Ramp4u forum by a threat actor known as ‘$$$’. This individual is also associated with the previously established BlackLock RaaS and has connections to the earlier Mamona ransomware campaigns.

It appears that GLOBAL GROUP represents a rebranding of BlackLock, particularly following the defacement of BlackLock’s data leak portal by the DragonForce ransomware cartel in March 2025. Notably, BlackLock itself is part of a lineage of RaaS operations, having emerged as a rebranding of another scheme known as Eldorado.

The motivations behind GLOBAL GROUP are primarily financial, as evidenced by its heavy reliance on initial access brokers (IABs). These brokers facilitate the deployment of ransomware by exploiting vulnerabilities in edge devices manufactured by prominent companies like Cisco, Fortinet, and Palo Alto Networks.

This attack strategy maps to several tactics in the MITRE ATT&CK matrix. Initial access may have been achieved through compromised credentials or by exploiting vulnerabilities, while persistence techniques ensure continued access to systems after exploitation. Once the ransomware is deployed, privilege escalation tactics might be employed to enhance operational effectiveness, thus increasing the financial impact on targeted organizations.

As the threat landscape evolves, understanding the intricate methods employed by such organizations becomes vital for business owners. The emergence of AI-driven negotiation tools within these ransomware frameworks complicates matters further, indicating an upgrade in the sophistication of cybercriminal operations. This reinforces the necessity for continuous vigilance and investment in robust cybersecurity measures.

Given the potential for significant operational disruption and financial loss, targets across various industries must remain proactive in addressing vulnerabilities. Implementing comprehensive cybersecurity strategies, including employee training and the regular updating of systems, can serve as crucial defenses against such evolving threats. As ransomware groups like GLOBAL GROUP continue to adapt and grow, staying informed and prepared is paramount for all organizations.
