
Newly Emerged GLOBAL GROUP RaaS Expands Operations with AI-Driven Negotiation Tools



Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the USA since its emergence in early June 2025.

GLOBAL GROUP was “promoted on the Ramp4u forum by the threat actor known as ‘$$$,'” EclecticIQ researcher Arda Büyükkaya said. “The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations.”

It is believed that GLOBAL GROUP is a rebranding of BlackLock after the latter’s data leak site was defaced by the DragonForce ransomware cartel back in March. It is worth mentioning that BlackLock itself is a rebrand of another RaaS scheme known as Eldorado.

The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Also put to use are brute-force utilities for Microsoft Outlook and RDWeb portals.


$$$ has acquired Remote Desktop Protocol (RDP) or web shell access to corporate networks, such as those related to law firms, as a way to deploy post-exploitation tools, conduct lateral movement, siphon data, and deploy the ransomware.

Outsourcing the infiltration phase to other threat actors, who supply pre-compromised entry points into enterprise networks, allows affiliates to spend their efforts on payload delivery, extortion, and negotiation rather than network penetration.

The RaaS platform comes with a negotiation portal and an affiliate panel, the latter of which allows cybercriminals to manage victims, build ransomware payloads for VMware ESXi, NAS, BSD, and Windows, and monitor operations. In a bid to entice more affiliates, the threat actors promise a revenue-sharing model of 85%.

“GLOBAL GROUP’s ransom negotiation panel features an automated system powered by AI-driven chatbots,” the Dutch security company said. “This allows non-English-speaking affiliates to engage victims more effectively.”

As of July 14, 2025, the RaaS group has claimed 17 victims in Australia, Brazil, Europe, and the USA, spanning healthcare, oil-and-gas equipment fabrication, industrial machinery and precision engineering, automotive repair, accident-recovery services, and large-scale business process outsourcing (BPO).

The links to BlackLock and Mamona stem from the use of the same Russian VPS provider IpServer and source code similarities with Mamona. Specifically, GLOBAL GROUP is said to be an evolution of Mamona with added features to enable domain-wide ransomware installation. What’s more, the malware is also written in Go, just like BlackLock.

“The creation of GLOBAL GROUP by BlackLock’s administrator is a deliberate strategy to modernize operations, expand revenue streams, and stay competitive in the ransomware market,” Büyükkaya said. “This new model integrates AI-powered negotiation, mobile-friendly panels, and customizable payload builders, appealing to a broader pool of affiliates.”

The disclosure comes as the Qilin ransomware group emerged as the most active RaaS operation in June 2025, accounting for 81 victims. Other major players include Akira (34), Play (30), SafePay (27), and DragonForce (25).

“SafePay saw the steepest decline at 62.5%, suggesting a major pullback,” cybersecurity company CYFIRMA said. “DragonForce emerged rapidly, with attacks spiking by 212.5%.”

In all, the total number of ransomware victims has dropped from 545 in May to 463 in June 2025, a 15% decline. February tops this year’s list with 956 victims.


“Despite the decline in numbers, geopolitical tensions and high-profile cyber attacks highlight growing instability, potentially heightening the risk of cyber threats,” NCC Group noted late last month.

According to data gathered by Optiv’s Global Threat Intelligence Center (gTIC), 314 ransomware victims were listed on 74 unique data leak sites in Q1 2025, representing a 213% increase in the number of victims. A total of 56 variants were observed in Q1 2024.

“Ransomware operators continued to use tried-and-true methods to gain initial access to victims – social engineering/phishing, exploitation of software vulnerabilities, compromising exposed and insecure software, supply-chain attacks and leveraging the initial access broker (IAB) community,” Optiv researcher Emily Lee said.
