GLOBAL GROUP RaaS Uses AI Chatbots to Target Global Firms

A New Player in the Ransomware Scene

A new ransomware-as-a-service (RaaS) group, GLOBAL GROUP, is expanding fast. Since June 2025, it has attacked organizations in Australia, Brazil, Europe, and the United States.

Researchers link the group to a threat actor called “$$$.” This individual also managed previous schemes like BlackLock and Mamona. Notably, GLOBAL GROUP appears to be a rebrand of BlackLock. That change likely followed a cyberattack on BlackLock’s data leak site by a rival group.

Therefore, this rebranding signals a fresh attempt to stay competitive and hidden in the evolving RaaS market.

How the Ransomware Spreads

GLOBAL GROUP depends on initial access brokers (IABs). These third parties provide access to already-compromised networks.

Instead of hacking networks directly, affiliates buy access from IABs. Then, they use that access to deliver ransomware and demand payment. As a result, they focus on profit, not infiltration.

To breach systems, GLOBAL GROUP also exploits vulnerable devices from well-known vendors. It uses brute-force tools to crack login portals like Outlook and RDWeb.

In some cases, the attackers enter networks via Remote Desktop Protocol (RDP) or web shells, especially in law firms. Once inside, they move laterally, steal data, and launch ransomware.

AI Chatbots Automate Extortion

One of GLOBAL GROUP’s key innovations is its AI-powered negotiation portal. This feature helps even non-English-speaking hackers communicate with victims effectively.

Moreover, affiliates get access to a control panel where they can:

  • Generate ransomware for Windows, NAS, BSD, and VMware
  • Track infected targets in real time
  • Manage encrypted files and negotiations
  • Customize payloads for specific systems

Since affiliates keep 85% of the ransom, the group’s model is highly appealing to cybercriminals.

Victims Across Multiple Industries

By mid-July 2025, GLOBAL GROUP had listed 17 victims. These include companies in:

  • Healthcare
  • Oil and gas manufacturing
  • Precision engineering and industrial equipment
  • Automotive repair and accident services
  • Business process outsourcing (BPO)

Clearly, the group’s focus spans critical and high-value sectors. Their goal is financial gain, not political messaging.

A Web of Rebranded Operations

GLOBAL GROUP didn’t emerge from nowhere. It evolved from earlier groups like Mamona and BlackLock. All three use the Go programming language, which enables cross-platform attacks.

Additionally, they share infrastructure, such as a Russian VPS provider. These technical similarities point to a single administrator running all three brands.

According to researchers, this strategic rebrand aims to modernize operations and boost revenue.

RaaS Competition Is Rising

While GLOBAL GROUP grows, it faces stiff competition. In June 2025, the Qilin ransomware group was the most active, recording 81 attacks.

Other key players included:

  • Akira (34 attacks)
  • Play (30)
  • SafePay (27)
  • DragonForce (25)

Interestingly, SafePay saw a major decline in attacks, while DragonForce activity spiked by over 200%. Although the total number of victims dropped from 545 in May to 463 in June, risks remain high.

This shows that while one group fades, another quickly takes its place.

The Bigger Picture: Ransomware Trends in 2025

Ransomware is far from slowing down. In Q1 2025, researchers reported 314 victims across 74 data leak sites. That’s a 213% increase over the previous year.

Attackers still rely on proven methods, including:

  • Phishing and social engineering
  • Exploiting outdated software
  • Insecure third-party apps
  • Compromised access via IABs

Even as fewer victims are reported month to month, the overall scale of ransomware continues to grow.

How to Prevent These Attacks

To defend against groups like GLOBAL GROUP, companies must stop them before they gain access. Therefore, strong perimeter security is essential.

Use tools that detect brute-force attempts, patch edge vulnerabilities, and monitor unusual logins. In addition, deploy systems that analyze behavior and block unauthorized remote activity in real time.

Some advanced platforms offer automatic response features that isolate ransomware infections before they spread. These tools help IT teams act quickly, even against threats that use AI to negotiate ransoms.
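
As an added illustration of the brute-force and unusual-login monitoring described above (example code, not from the original article or any vendor), the sketch below scans web server log lines for repeated failed logins to an RDWeb portal and for a success that follows such a burst. The log layout, the sample lines, the threshold and window, and the rule that a POST answered with status 200 is a failed login while 302 is a success are all assumptions to validate against your own portal.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATHS = ("/rdweb/pages/en-us/login.aspx",)  # portal paths to watch
WINDOW = timedelta(minutes=5)                     # assumed sliding window
THRESHOLD = 5                                     # assumed failures per window

def _line(t, ip, status):
    # Builds one constructed log line: date time c-ip cs-method cs-uri-stem sc-status
    return f"2025-07-14 {t} {ip} POST /RDWeb/Pages/en-US/login.aspx {status}"

# Constructed sample data (documentation IP ranges), not real telemetry.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [_line(f"09:00:{s:02d}", "198.51.100.7", 200) for s in range(0, 60, 10)]  # 6 fast failures
    + [_line("09:01:05", "198.51.100.7", 302)]                                  # then a success
    + [_line("09:02:00", "203.0.113.20", 200), _line("09:02:20", "203.0.113.20", 302)]  # one typo
    + [_line(f"10:{m:02d}:00", "192.0.2.55", 200) for m in range(0, 50, 10)]    # slow failures
)

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (alert_type, source_ip, timestamp) tuples in log order."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures inside the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue  # skip header lines and malformed rows
        date, time, ip, method, uri, status = parts
        if method != "POST" or uri.lower() not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if status == "200":  # assumption: login form re-rendered, so the attempt failed
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)  # one burst alert per source
                alerts.append(("brute_force", ip, ts.isoformat()))
        elif status == "302" and len(q) >= threshold:
            # assumption: redirect means success; after a burst this is the urgent case
            alerts.append(("success_after_failures", ip, ts.isoformat()))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The success-after-failures alert is the one to escalate first, since it suggests a guessed credential rather than only noise at the perimeter.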
