
GLOBAL GROUP RaaS Operation

Cybersecurity researchers have uncovered a new Ransomware-as-a-Service (RaaS) operation called GLOBAL GROUP. Since early June 2025, the campaign has actively targeted organizations across Australia, Brazil, Europe, and the United States, and it marks a significant evolution in the ransomware ecosystem.

From BlackLock to GLOBAL GROUP: A Rebranding Strategy

The threat actor known as '$$$,' who previously controlled the BlackLock RaaS and managed the Mamona ransomware operation, is behind this new scheme. GLOBAL GROUP was promoted on the Ramp4u forum and is widely considered to be a rebrand of BlackLock, which itself originated from Eldorado.

The rebranding followed an incident in March 2025, when BlackLock's data leak site was defaced by the DragonForce cartel. By introducing GLOBAL GROUP, the operators aimed to modernize their infrastructure, enhance affiliate appeal, and restore credibility.

Attack Tactics and Entry Vectors

GLOBAL GROUP adopts a financially motivated approach by leveraging Initial Access Brokers (IABs) for network infiltration. These brokers supply pre-compromised access to corporate networks, allowing affiliates to focus on ransomware deployment and negotiations rather than penetration efforts.

Key techniques include:

  • Weaponizing access to vulnerable Cisco, Fortinet, and Palo Alto edge appliances
  • Using brute-force utilities targeting Microsoft Outlook and RDWeb portals
  • Acquiring Remote Desktop Protocol (RDP) or web shell access for law firms and similar targets

Once inside, attackers deploy post-exploitation tools, perform lateral movement, exfiltrate sensitive data, and launch ransomware payloads.

Inside the RaaS Ecosystem

GLOBAL GROUP offers an extensive affiliate panel and negotiation platform. The affiliate panel empowers partners to:

  • Build ransomware payloads for VMware ESXi, NAS, BSD, and Windows
  • Track victims and manage operations
  • Utilize mobile-friendly features for real-time management

Affiliates are promised an 85% revenue share, an attractive incentive for recruitment. The negotiation portal, powered by AI-driven chatbots, enables multilingual interaction, making it easier for non-English-speaking affiliates to engage with victims effectively.

Victim Profile and Global Impact

As of July 14, 2025, GLOBAL GROUP has claimed 17 victims across diverse sectors, including:

  • Healthcare
  • Oil-and-Gas Equipment Fabrication
  • Industrial Machinery and Precision Engineering
  • Automotive Repair and Accident-Recovery Services
  • Business Process Outsourcing (BPO)

Technical DNA and Evolution

Analysis reveals code similarities between GLOBAL GROUP and Mamona, as well as the use of the same Russian VPS provider (IpServer). The ransomware, written in Go, features domain-wide installation capabilities, setting it apart from earlier versions. This technological shift underscores a strategic move to expand affiliate engagement and boost operational resilience.

Why GLOBAL GROUP Signals Increasing Risk

The launch of GLOBAL GROUP illustrates a deliberate push by ransomware operators to innovate, incorporating AI-powered negotiations, customizable payload builders, and advanced affiliate incentives. This modernization signals an escalating arms race within the ransomware landscape, posing a significant threat to global cybersecurity defenses.
