GLOBAL GROUP Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates

On June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. The same actor controls the Black Lock RaaS and previously managed Mamona ransomware operations. GLOBAL GROUP targets a wide range of sectors across the United States and Europe.

EclecticIQ assesses with medium confidence that GLOBAL GROUP was likely established as a rebranding of the BlackLock RaaS operation. This rebranding aims to rebuild trust and expand the affiliate network by giving 80% of extorted ransom money to affiliates.

GLOBAL GROUP operates a dedicated leak site (DLS) on the Tor network. EclecticIQ analysts traced the real IP address of the DLS to a Russia-based Virtual Private Server (VPS) provider service called IpServer. The same VPS provider was previously used by Mamona RaaS gang. The site already lists confirmed victims, including healthcare providers in the United States and Australia, and an automotive services firm in the United Kingdom.

To read the complete article see: here.