Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the United States since its emergence in early June 2025.
GLOBAL GROUP was “promoted on the Ramp4u forum by the threat actor known as ‘$$$,'” EclecticIQ researcher Arda Büyükkaya said. “The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations.”
It’s believed that GLOBAL GROUP is a rebranding of BlackLock after the latter’s data leak site was defaced by the DragonForce ransomware cartel back in March. It’s worth mentioning that BlackLock in itself is a rebrand of another RaaS scheme known as Eldorado.
The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Also put to use are brute-force utilities for Microsoft Outlook and RDWeb portals.
$$$ has acquired Remote Desktop Protocol (RDP) or web shell access to corporate networks, such as those related to law firms, as a way to deploy post-exploitation tools, conduct lateral movement, siphon data, and deploy the ransomware.
Outsourcing the infiltration phase to other threat actors, who supply pre-compromised entry points into enterprise networks, allows affiliates to expend their efforts on payload delivery, extortion, and negotiation rather than network penetration.
The RaaS platform comes with a negotiation portal and an affiliate panel, the latter of which allows cybercriminals to manage victims, build ransomware payloads for VMware ESXi, NAS, BSD, and Windows, and monitor operations. In a bid to entice more affiliates, the threat actors promise a revenue-sharing model of 85%.
“GLOBAL GROUP’s ransom negotiation panel features an automated system powered by AI-driven chatbots,” the Dutch security company said. “This enables non-English-speaking affiliates to engage victims more effectively.”
As of July 14, 2025, the RaaS group has claimed 17 victims in Australia, Brazil, Europe, and the United States, spanning healthcare, oil-and-gas equipment fabrication, industrial machinery and precision engineering, automotive repair, accident-recovery services, and large-scale business process outsourcing (BPO).
The links to BlackLock and Mamona stem from the use of the same Russian VPS provider IpServer and source code similarities with Mamona. Specifically, GLOBAL GROUP is said to be an evolution of Mamona with added features to enable domain-wide ransomware installation. What’s more, the malware is also written in Go, just like BlackLock.
“The creation of GLOBAL GROUP by BlackLock’s administrator is a deliberate strategy to modernize operations, expand revenue streams, and stay competitive in the ransomware market,” Büyükkaya said. “This new brand integrates AI-powered negotiation, mobile-friendly panels, and customizable payload builders, appealing to a broader pool of affiliates.”
The disclosure comes as the Qilin ransomware group emerged as the most active RaaS operation in June 2025, accounting for 81 victims. Other major players include Akira (34), Play (30), SafePay (27), and DragonForce (25).
“SafePay saw the steepest decline at 62.5%, suggesting a major pullback,” cybersecurity company CYFIRMA said. “DragonForce emerged rapidly, with attacks spiking by 212.5%.”
In all, the total number of ransomware victims has dropped from 545 in May to 463 in June 2025, a 15% decline. February tops this year’s list with 956 victims.
“Despite the decline in numbers, geopolitical tensions and high-profile cyber attacks highlight growing instability, potentially heightening the risk of cyber threats,” NCC Group noted late last month.
According to data gathered by Optiv’s Global Threat Intelligence Center (gTIC), 314 ransomware victims were listed on 74 unique data leak sites in Q1 2025, representing a 213% increase in the number of victims. A total of 56 variants were observed in Q1 2024.
“Ransomware operators continued to use tried-and-true methods to gain initial access to victims – social engineering/phishing, exploitation of software vulnerabilities, compromising exposed and insecure software, supply-chain attacks and leveraging the initial access broker (IAB) community,” Optiv researcher Emily Lee said.
