GLOBAL GROUP: AI-Powered Ransomware Threatens Global Critical Infrastructure
A cybercriminal collective has launched a new Ransomware-as-a-Service (RaaS) platform known as GLOBAL GROUP, actively targeting organizations across Australia, Brazil, Europe, and the United States since early June 2025. According to EclecticIQ, the operation is spearheaded by an individual using the alias “$$$,” previously linked to the BlackLock and Mamona ransomware campaigns. GLOBAL GROUP is believed to be a rebranded incarnation of BlackLock, itself a successor to the Eldorado scheme. The rebranding reportedly followed the takedown of BlackLock’s data leak site by a rival group, DragonForce, in March.
GLOBAL GROUP employs a calculated and aggressive strategy, heavily reliant on Initial Access Brokers (IABs). These intermediaries facilitate entry through compromised devices from vendors such as Cisco, Fortinet, and Palo Alto Networks, as well as via brute-force attacks on Microsoft Outlook and RDWeb portals. The threat actor “$$$” is known to have obtained access via RDP and web shells into corporate environments, including law firms, enabling the deployment of post-exploitation tools, lateral movement within networks, data exfiltration, and the eventual detonation of ransomware payloads.
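The brute-force activity against Outlook Web Access and RDWeb portals described above is the kind of precursor a defender can catch in authentication logs before an IAB hands the foothold on. The script below is an added example, not code from the article or from EclecticIQ: it runs a sliding-window failed-login detector over constructed portal log lines (the log format, IP addresses and usernames are all invented for illustration) and also flags a successful login from a source that had just been alerted on, which is the moment a brute-force attempt turns into access.

```python
"""
Added example: sliding-window brute-force detection for web-portal logins.
Log format and all sample lines are constructed for this illustration.
Each line: "<ISO-8601 UTC timestamp> <source_ip> <portal> <username> <FAIL|OK>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Three scenarios:
#  - 203.0.113.7 hammers RDWeb with six different usernames in ten seconds, then gets in.
#  - 198.51.100.2 mistypes a password once on OWA, then succeeds (benign).
#  - 192.0.2.9 tries one account every 20 minutes (slow; stays under a 10-minute window).
SAMPLE_LOG = """\
2025-06-03T08:00:01Z 203.0.113.7 rdweb alice FAIL
2025-06-03T08:00:03Z 203.0.113.7 rdweb bob FAIL
2025-06-03T08:00:05Z 203.0.113.7 rdweb carol FAIL
2025-06-03T08:00:07Z 203.0.113.7 rdweb dave FAIL
2025-06-03T08:00:09Z 203.0.113.7 rdweb erin FAIL
2025-06-03T08:00:11Z 203.0.113.7 rdweb frank FAIL
2025-06-03T08:00:40Z 203.0.113.7 rdweb frank OK
2025-06-03T08:05:00Z 198.51.100.2 owa alice FAIL
2025-06-03T08:05:30Z 198.51.100.2 owa alice OK
2025-06-03T09:00:00Z 192.0.2.9 owa zed FAIL
2025-06-03T09:20:00Z 192.0.2.9 owa zed FAIL
2025-06-03T09:40:00Z 192.0.2.9 owa zed FAIL
2025-06-03T10:00:00Z 192.0.2.9 owa zed FAIL
2025-06-03T10:20:00Z 192.0.2.9 owa zed FAIL
2025-06-03T10:40:00Z 192.0.2.9 owa zed FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, portal, user, result)."""
    ts, ip, portal, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, portal, user, result


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """
    Walk the log in order and keep, per (source_ip, portal), a deque of recent
    failures. Raise one 'bruteforce' alert when the failures inside the window
    reach `threshold`; afterwards, a successful login from the same source on the
    same portal raises a 'success_after_bruteforce' alert, the higher-priority
    signal because it indicates the attempt worked.
    """
    failures = defaultdict(deque)   # (ip, portal) -> deque of (timestamp, username)
    alerted = set()                 # keys already reported, to avoid alert storms
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, ip, portal, user, result = parse_line(raw)
        key = (ip, portal)
        recent = failures[key]
        # Evict failures that fell out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append((ts, user))
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "kind": "bruteforce",
                    "ip": ip,
                    "portal": portal,
                    "failures": len(recent),
                    # Many distinct users from one source points at password spraying
                    # rather than one user forgetting a password.
                    "distinct_users": len({u for _, u in recent}),
                    "first": recent[0][0],
                    "last": ts,
                })
        elif result == "OK" and key in alerted:
            alerts.append({
                "kind": "success_after_bruteforce",
                "ip": ip,
                "portal": portal,
                "user": user,
                "at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Running it on the constructed log yields two alerts for 203.0.113.7 (a spray across five distinct accounts, then a success as `frank`) and nothing for the other two sources: the single benign mistake never reaches the threshold, and the slow attempts from 192.0.2.9 are evicted from the ten-minute window one at a time. Tuning `threshold` and `window` against that slow case is the usual trade-off; a second, longer window over the same function would catch it.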
This operational model allows affiliates to focus solely on payload delivery, extortion, and negotiation, while bypassing the complexities of initial access. The GLOBAL GROUP infrastructure includes a dedicated partner dashboard and a negotiation interface supported by AI-powered chatbots—particularly beneficial for non-English-speaking affiliates, as it streamlines victim communication.
The RaaS platform facilitates the creation of payloads compatible with VMware ESXi, NAS, BSD, and Windows systems, and allows affiliates to monitor attack progress in real time. With revenue shares reaching up to 85%, the platform presents an enticing alternative in a competitive landscape.
As of July 14, 2025, GLOBAL GROUP had claimed 17 victims spanning the healthcare, engineering, oil and gas, automotive services, disaster recovery, and large-scale business process outsourcing sectors.
Links between GLOBAL GROUP, BlackLock, and Mamona are evident through shared infrastructure—namely, the use of the Russian VPS provider IpServer—and overlapping codebases. The GLOBAL GROUP ransomware is developed in Go, mirroring the design of its predecessors. In essence, the platform represents an evolved form of Mamona, now equipped with domain-wide propagation capabilities.
The launch of GLOBAL GROUP appears to be a strategic maneuver by the BlackLock leadership—an effort to modernize tooling, attract new collaborators, and maintain competitiveness. Enhancements include mobile device support, custom ransomware generation, and AI integration within the affiliate panel.
In parallel with the emergence of GLOBAL GROUP, the Qilin platform surged to become the most active RaaS collective in June 2025, with 81 confirmed attacks. Trailing behind were Akira (34), Play (30), SafePay (27), and DragonForce (25). Notably, SafePay’s activity declined by 62.5%, while DragonForce saw a dramatic increase of 212.5%.
Overall, the volume of ransomware attacks fell from 545 incidents in May to 463 in June—a 15% decrease. However, February 2025 remains the most devastating month to date, with 956 recorded victims.
According to Optiv’s Global Threat Intelligence Center, 314 victims were listed across 74 leak sites in Q1 2025—marking a 213% increase compared to the same period in 2024. Analysts note that cybercriminals continue to rely on traditional entry methods, including phishing, vulnerability exploitation, exposed service breaches, and supply chain compromise. Initial Access Brokers remain central to this ecosystem, offering ready-made footholds to threat actors.