Saturday, July 26, 2025

Newly Emerged GLOBAL GROUP RaaS Expands Operations with AI-Driven Negotiation Tools


Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the US since its emergence in early June 2025.

GLOBAL GROUP was “promoted on the Ramp4u forum by the threat actor known as ‘$$$,’” EclecticIQ researcher Arda Büyükkaya said. “The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations.”

It is believed that GLOBAL GROUP is a rebranding of BlackLock after the latter’s data leak site was defaced by the DragonForce ransomware cartel back in March. It is worth mentioning that BlackLock is itself a rebrand of another RaaS scheme known as Eldorado.

The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Also put to use are brute-force utilities for Microsoft Outlook and RDWeb portals.

$$$ has acquired Remote Desktop Protocol (RDP) or web shell access to corporate networks, such as those related to law firms, as a way to deploy post-exploitation tools, conduct lateral movement, siphon data, and deploy the ransomware.

Outsourcing the infiltration phase to other threat actors, who supply pre-compromised entry points into enterprise networks, allows affiliates to expend their efforts on payload delivery, extortion, and negotiation rather than network penetration.

The RaaS platform comes with a negotiation portal and an affiliate panel, the latter of which allows cybercriminals to manage victims, build ransomware payloads for VMware ESXi, NAS, BSD, and Windows, and monitor operations. In a bid to entice more affiliates, the threat actors promise a revenue-sharing model of 85%.


“GLOBAL GROUP’s ransom negotiation panel features an automated system powered by AI-driven chatbots,” the Dutch security company said. “This enables non-English-speaking affiliates to engage victims more effectively.”

As of July 14, 2025, the RaaS group has claimed 17 victims in Australia, Brazil, Europe, and the US, spanning healthcare, oil-and-gas equipment fabrication, industrial machinery and precision engineering, automotive repair, accident-recovery services, and large-scale business process outsourcing (BPO).

The links to BlackLock and Mamona stem from the use of the same Russian VPS provider IpServer and source code similarities with Mamona. Specifically, GLOBAL GROUP is said to be an evolution of Mamona with added features to enable domain-wide ransomware installation. What’s more, the malware is also written in Go, just like BlackLock.

“The creation of GLOBAL GROUP by BlackLock’s administrator is a deliberate strategy to modernize operations, expand revenue streams, and stay competitive in the ransomware market,” Büyükkaya said. “This new brand integrates AI-powered negotiation, mobile-friendly panels, and customizable payload builders, appealing to a broader pool of affiliates.”

The disclosure comes as the Qilin ransomware group emerged as the most active RaaS operation in June 2025, accounting for 81 victims. Other major players include Akira (34), Play (30), SafePay (27), and DragonForce (25).

“SafePay saw the steepest decline at 62.5%, suggesting a major pullback,” cybersecurity company CYFIRMA said. “DragonForce emerged rapidly, with attacks spiking by 212.5%.”

In all, the total number of ransomware victims has dropped from 545 in May to 463 in June 2025, a 15% decline. February tops this year’s list with 956 victims.


“Despite the decline in numbers, geopolitical tensions and high-profile cyber attacks highlight growing instability, potentially heightening the risk of cyber threats,” NCC Group noted late last month.

According to data gathered by Optiv’s Global Threat Intelligence Center (gTIC), 314 ransomware victims were listed on 74 unique data leak sites in Q1 2025, representing a 213% increase in the number of victims. A total of 56 variants were observed in Q1 2024.

“Ransomware operators continued to use tried-and-true methods to gain initial access to victims – social engineering/phishing, exploitation of software vulnerabilities, compromising exposed and insecure software, supply-chain attacks and leveraging the initial access broker (IAB) community,” Optiv researcher Emily Lee said.
