{
	"id": "edc0b329-90b7-4165-97e2-2ab0dc5c9b05",
	"created_at": "2026-04-06T00:17:26.853337Z",
	"updated_at": "2026-04-10T03:22:12.7285Z",
	"deleted_at": null,
	"sha1_hash": "36946615affd0ae9bdf0753f641e7d7142ecb996",
	"title": "GLOBAL GROUP: Emerging Ransomware-as-a-Service, supporting AI driven negotiation and mobile control panel for their affiliates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1455127,
	"plain_text": "GLOBAL GROUP: Emerging Ransomware-as-a-Service, supporting AI driven negotiation and mobile control panel for their affiliates\r\nArchived: 2026-04-05 19:25:40 UTC\r\nExecutive summary\r\nOn June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. The same actor controls the Black Lock RaaS [1] and previously managed Mamona [2] ransomware operations. GLOBAL GROUP targets a wide range of sectors across the United States and Europe.\r\nEclecticIQ assesses with medium confidence that GLOBAL GROUP was likely established as a rebranding of the BlackLock RaaS operation. This rebranding aims to rebuild trust and expand the affiliate network by giving 80% of extorted ransom money to affiliates.\r\nGLOBAL GROUP operates a dedicated leak site (DLS) on the Tor network. EclecticIQ analysts traced the real IP address of the DLS to a Russia-based Virtual Private Server (VPS) provider called IpServer. The same VPS provider was previously used by the Mamona RaaS gang. The site already lists confirmed victims, including healthcare providers in the United States and Australia, and an automotive services firm in the United Kingdom.\r\nGLOBAL GROUP heavily relies on Initial Access Brokers (IABs) to acquire access to vulnerable edge appliances. These include Fortinet, Palo Alto, and Cisco devices. The group also uses brute-force tools for Microsoft Outlook and RDWeb portals. These enable high-privilege initial access and rapid ransomware deployment, often bypassing traditional EDR solutions.\r\nAnalysts also observed that GLOBAL GROUP’s ransom negotiation panel features an automated system powered by AI-driven chatbots. This enables non-English-speaking affiliates to engage victims more effectively. 
The AI-driven negotiation functionality increases psychological pressure during negotiations and facilitates seven-figure ransom demands for decryption keys.\r\nGLOBAL GROUP ransomware emerges with nine victims in five days\r\nOn June 2, 2025, EclecticIQ analysts observed the emergence of a new ransomware group called GLOBAL GROUP. The group made its first public appearance in a chatroom of the Ramp4u forum. A Russian-speaking threat actor using the alias \"$$$\" sent a chat message that contained an onion link to GLOBAL GROUP’s dedicated leak site. The actor accidentally named the group \"GLOBALY\", a misspelling that indicates the threat actor is not a native English speaker.\r\nIn the same message, actor “$$$” clarified that GLOBAL GROUP is not yet a fully operational Ransomware-as-a-Service (RaaS). Despite the disclaimer, on June 26, 2025, EclecticIQ analysts observed GLOBAL GROUP announcing that 'GLOBAL RaaS officially released,' indicating the launch of a ransomware-as-a-service (RaaS) offering.\r\nhttps://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service\r\nPage 1 of 13\n\nFigure 1 - On Ramp4u forum, threat actor “$$$” shared the DLS in an announcement of GLOBAL GROUP.\r\nGLOBAL GROUP ransomware initially emerged with nine victims in five days. As of July 14, 2025, the group has claimed responsibility for 17 victims across multiple countries and industries. The majority belong to the healthcare sector and are located across regions including:\r\nHealthcare providers in Australia and the United States\r\nOil-and-gas equipment fabrication in Texas, United States\r\nIndustrial machinery and precision engineering in the United Kingdom\r\nAutomotive repair and accident-recovery services in the United Kingdom\r\nLarge-scale business-process outsourcing and facilities-management services in Brazil\r\nAll nine organizations were posted between June 2–7, 2025. 
This demonstrates a broad geographic reach and a diverse range of industry targets across the United States, United Kingdom, Australia, and Brazil.\r\nThe DLS is accessible via the below Onion address:\r\nvg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion\r\nFigure 2 - GLOBAL GROUP DLS hosted on the Tor network.\r\nOPSEC failure and shared malware mutex links GLOBAL GROUP to previous Mamona operations\r\nAnalysts assess with high confidence that the same actor operating under the persona '$$$' behind GLOBAL GROUP was also responsible for the now-defunct Mamona RIP ransomware operation.\r\nMultiple pieces of technical evidence confirm this connection between the two ransomware operations.\r\nShared infrastructure evidence\r\nEclecticIQ analysts observed that both operations use the same Russian VPS provider called IpServer. [3] The provider was previously used by threat actor \"$$$\" to manage Mamona RIP Ransomware at IP address 185.158.113[.]114.\r\nGLOBAL GROUP's current infrastructure uses the same provider at IP address 193.19.119[.]4 under port 3304. This connection was revealed through an operational security (OPSEC) mistake in GLOBAL GROUP's infrastructure. The group attempted to hide their leak site behind a Tor hidden service. However, an exposed API endpoint /posts returned JSON metadata that revealed the real-world hosting environment. Inside the returned JSON field, the sshConnectionName section for each victim entry included IP address 193.19.119[.]4 and an SSH username, dataleak. This leak confirmed that victim data was stored on a misconfigured system, reachable over the internet.\r\nFigure 3 - API leaking the real IP address of the data leak site. 
\r\nMalware code similarities\r\nAnalysis of the GLOBAL ransomware sample confirms the group uses a customized variant of Mamona ransomware. Both malware strains use the identical mutex key Global\\Fxo16jmdgujs437. Unlike Mamona Ransomware, GLOBAL includes added functionality for automated domain-wide ransomware installation. It uses SMB connections and malicious Windows service creation for more scalable deployment.\r\nOn June 7, 2025, a VirusTotal user uploaded a Golang-compiled variant of the GLOBAL ransomware. The sample is built in the Go programming language and uses the modern encryption routine ChaCha20-Poly1305. The payload leverages Go's ability to run many parallel threads automatically. This allows it to encrypt huge volumes of data in minutes on Windows, Linux, or macOS from one self-contained binary.\r\nFigure 4 - README message inside the Go-based GLOBAL ransomware sample.\r\nPossible rebranding for Black Lock RaaS\r\nEclecticIQ analysts assess with medium confidence that the threat actor \"$$$\" is rebranding the Black Lock ransomware (previously known as El Dorado) [5] operation as \"GLOBAL GROUP\".\r\nEclecticIQ analysts observed that threat actor “$$$” has a scannable QR code in their Ramp4u profile that shows a qTOX [7] ID for encrypted communication. This is linked to the Black Lock Ransomware profile. Ransomware operators commonly use qTOX, an open-source encrypted messaging application, for affiliate management, cybercriminal communication, and ransom negotiation with victims. The application's decentralized architecture and strong encryption provide operational security advantages. 
\r\nThe qTOX ID of the threat actor “$$$”:\r\n667798F921A68529C74094664C1B890D4E1156C4588906071398FA4F76C2095C2B3AC79FF086\r\nFigure 5 - Black Lock admin changed qTOX account to “Global Black Lock”.\r\nAnalysts observed that, on June 6, 2025, “$$$” changed the qTOX display name from \"Black Lock\" to \"Global Black Lock,\" indicating a shift toward a new brand identity as GLOBAL. Black Lock was another RaaS operation that first emerged in January 2025.\r\nBlack Lock's reputation suffered significant damage. Researchers from Resecurity exposed the Black Lock dedicated leak site [6], and other cybercriminals posted vulnerability details in the same advertisement thread, which damaged Black Lock's reputation within underground communities.\r\nThe Black Lock DLS remains active without corresponding brand changes, suggesting the rebranding effort may be incomplete or that actor “$$$” decided to manage two separate RaaS groups at the same time.\r\nFigure 6 - Threat actor $$$ advertising Black Lock RaaS on Ramp4u.\r\nGLOBAL GROUP markets RaaS platform with 85% revenue share\r\nGLOBAL GROUP hosts a promotional video on their DLS. The video shows a fully featured Ransomware-as-a-Service (RaaS) platform with a negotiation portal and an affiliation panel. Analysts assess with high confidence that this video is aimed at attracting new affiliates.\r\nFigure 7 - Video advertisement on the data leak site.\r\nThe promotional video showcases an interactive affiliate panel that allows cybercriminals to manage victims, build ransomware payloads, and monitor operations. The interface enables custom configurations such as encryption percentage, file extension naming to replace each encrypted file with a specific extension, and operational flags (e.g., self-delete, log deletion, service termination). 
\r\nFigure 8 - Affiliate panel from the advertisement video.\r\nThe platform claims to support cross-platform ransomware builds such as: ESXi, NAS, BSD, and Windows OS. The affiliate panel also supports mobile devices, where RaaS members can negotiate ransom payments over their mobile phones. The RaaS brands itself as 'undetectable by EDR' and promotes AI-powered ransom negotiation to improve affiliate workflows.\r\nFigure 9 - Examples of the affiliate panel on mobile devices.\r\nGLOBAL GROUP promises a revenue-sharing model of 85%, positioning itself as a competitor to other RaaS operators. The advertisement video and marketing tone suggest GLOBAL GROUP is trying to attract more affiliates, highlighting their intent to scale ransomware operations.\r\nFigure 10 - 85% revenue share percentage in GLOBAL RaaS.\r\nThe ransom note from recent intrusions directs victims to initiate negotiations via a dedicated Tor-based portal located at:\r\ngdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd[.]onion\r\nFigure 11 - GLOBAL ransomware readme file dropped after the encryption.\r\nVictims are instructed to verify the breach by uploading an encrypted file for free decryption. They are warned of public data leaks if negotiations are not initiated within three days. This showcases a mature extortion ecosystem with automated victim onboarding via a custom chat interface on the Tor network.\r\nFigure 12 - Negotiation panel; the threat actor demands 1 million US dollars for the decryption key.\r\nFigure 12 shows a GLOBAL GROUP negotiation panel. An affiliate demanded $1 million (approximately 9.5 BTC at the time) from a victim within 48 hours. 
This illustrates the group's strategy of targeting high-value ransoms, frequently seeking seven-figure payments through data extortion.\r\nBuying remote access from initial access brokers\r\nThe GLOBAL GROUP RaaS manager (aka $$$) routinely looks for remote access to corporate networks through Initial Access Brokers (IABs). These purchases typically involve several methods:\r\nRDP/Webshell access to high-value targets: The threat actor has acquired RDP-level access to a U.S. law-firm environment protected by standard AV.\r\nDomain user \u0026 local admin privileges via webshells: The actor has purchased webshell access on Linux-based systems such as SAP NetWeaver, granting direct footholds in target networks.\r\nVPN credentials and edge-device exploits: The actor shows clear interest in brute-forcing or exploiting enterprise VPN appliances (Fortinet, Palo Alto, Cisco), aiming to gain initial entry at the network perimeter.\r\n“$$$” combines these access vectors for rapid deployment and quickly deploys post-exploitation tooling for lateral movement. The actor then exfiltrates large amounts of sensitive data for extortion. This lifecycle usually ends with ransomware execution across compromised networks.\r\nAcquisition of remote desktop protocol (RDP) access to a U.S.-based law firm\r\nOn February 17, 2025, a Russian-speaking Initial Access Broker (IAB) using the alias “HuanEbashes” posted an advertisement on the Ramp4u forum. The post offered RDP access to a U.S.-based law firm. The broker noted the presence of legal personnel, a domain-connected system, and confirmation of access to financial and income-related data. These characteristics made the target attractive to ransomware operators. 
The broker highlighted that they had not verified antivirus protections on the victim’s system and set the initial asking price at $1,000, with room for negotiation.\r\nFigure 13 - Threat actor “$$$” engaging with initial access broker “HuanEbashes” on Ramp4u.\r\nFigure 14 shows a response from threat actor “$$$”, who expressed interest and clarified his willingness to either purchase the access outright or enter into a profit-sharing agreement. The latter would involve using his own ransomware service against that U.S.-based victim.\r\nFigure 14 - Communication between “HuanEbashes” and “$$$” about a profit-sharing agreement.\r\nThis exchange indicates active collaboration between access brokers and ransomware actors with a focus on targeting high-value institutions for potential high returns. The law firm's internal access, paired with financial and legal-sensitive data, makes it an attractive target for data extortion. The initial access broker's willingness to negotiate and the affiliate’s operational readiness demonstrate a service-oriented criminal ecosystem that works like a real enterprise, open to any kind of collaboration for profit.\r\nHuanEbashes selling VPN brute-force tools and possible interest from GLOBAL GROUP\r\nOn May 19, “HuanEbashes” posted another advertisement for a newly developed “Brute VPN” tool. The actor explained that this tool was specifically designed to automate password-spraying attacks against a variety of VPN and web-access portals used by corporate networks. The post highlighted a base price of $400.\r\nAccording to the post, the tool targets products including Fortinet VPN, Palo Alto GlobalProtect, and Cisco VPN.\r\nBesides the VPN solutions, threat actor “HuanEbashes” also mentioned two internet-facing applications used in the Microsoft ecosystem. 
These are also within the scope of this brute-forcing tool: Outlook Web Access (OWA) and RDWeb (Remote Desktop Web Access).\r\nEclecticIQ analysts observed multiple interactions between threat actor “$$$” and the IAB persona called “HuanEbashes”, suggesting the two are likely establishing a business arrangement to scale the ransomware operations.\r\nFigure 15 - Threat actor “$$$” liked a thread by “HuanEbashes” advertising brute-force VPN access tools.\r\nInteractions between “$$$” and “HuanEbashes” reveal several calculated motivations for GLOBAL GROUP:\r\n1. Broaden initial access options.\r\nGLOBAL GROUP does not want to rely solely on initial access brokers (IABs). A brute-force tool lets attackers harvest valid VPN credentials or session tokens directly. Successfully compromising a VPN gateway grants stealthy entry, often without any host-level antivirus or endpoint-detection alert.\r\n2. Increase the speed of ransomware operations.\r\nAttackers can move laterally into the network once they obtain valid VPN credentials. They can then deploy ready-to-run ransomware kits to increase the impact.\r\nTargeting high-privilege, externally exposed access points such as VPN gateways gives adversaries the ability to evade endpoint defenses and host-based monitoring, handing them legitimate credentials or session tokens that appear benign to most security controls. Once inside, the attackers inherit the trust and permissions of real users, which often comes with broad default network reach, allowing them to move laterally, disable safeguards, and detonate ransomware payloads with minimal friction and maximum speed, turning what is normally a multistage intrusion into a repeatable business process. 
\r\nLeveraging Initial Access Brokers (IAB) to gain a foothold in edge network devices and accelerate ransomware operations\r\nThe creation of GLOBAL GROUP by Black Lock’s administrator is a deliberate strategy to modernize operations, expand revenue streams, and stay competitive in the ransomware market. This new brand integrates AI-powered negotiation, mobile-friendly panels, and customizable payload builders, appealing to a broader pool of affiliates.\r\nGLOBAL GROUP further accelerates ransomware deployment by leveraging Initial Access Brokers (IABs), who supply pre-compromised entry points into enterprise networks. This outsourcing of infiltration reduces time-to-compromise and enables affiliates to focus on payload delivery and extortion rather than network penetration.\r\nGLOBAL GROUP supports payloads tailored for VMware ESXi environments, allowing affiliates to directly encrypt virtualized infrastructure. By compromising hypervisors, attackers can lock down dozens—or even hundreds—of virtual machines at once, multiplying the impact of a single intrusion and drastically increasing pressure on victims to pay.\r\nSecurity teams must continuously monitor for IAB-linked access sales, harden internet-facing infrastructure—particularly edge network appliances—and implement strict access segmentation and hypervisor hardening for ESXi hosts by disabling SSH, enabling lockdown mode, enforcing signed-only script execution via UEFI Secure Boot and TPM, and isolating management interfaces behind PAM-controlled jump servers with no direct internet exposure [8].\r\nIntegrating real-time threat intelligence that detects both ransomware tooling and access brokerage is critical. 
As ransomware-as-a-service models increasingly mimic the scalability and efficiency of SaaS platforms, defenders must treat these actors not as isolated criminals but as organized, operationally mature adversaries.\r\nMITRE ATT\u0026CK Matrix\r\nFigure 16 - MITRE ATT\u0026CK TTPs linked to GLOBAL GROUP.\r\nIOCs\r\nIP address of the GLOBAL GROUP DLS:\r\n193.19.119[.]4\r\nGLOBAL ransomware samples:\r\nb5e811d7c104ce8dd2509f809a80932540a21ada0ee9e22ac61d080dc0bd237d\r\n232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f\r\n28f3de066878cb710fe5d44f7e11f65f25328beff953e00587ffeb5ac4b2faa8\r\n1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e\r\nGo-based GLOBAL ransomware sample:\r\na8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73\r\nOnion sites:\r\nvg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion\r\ngdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd[.]onion\r\nSocial media account:\r\nx[.]com/GlobalTeamLock\r\nYARA rule\r\nhttps://gist.github.com/whichbuffer/e9c298008395e5dc18fbc4f8180dec58\r\nReferences\r\n[1] “Eldorado Ransomware: The New Golden Empire of Cybercrime? | Group-IB Blog,” Group-IB. Accessed: Jun. 10, 2025. [Online]. Available: https://www.group-ib.com/blog/eldorado-ransomware/\r\n[2] “Mamona Ransomware.” Accessed: Jun. 10, 2025. [Online]. Available: https://www.broadcom.com/support/security-center/protection-bulletin/mamona-ransomware\r\n[3] “Blog - Global,” archive.ph. Accessed: Jun. 04, 2025. [Online]. Available: https://archive.ph/YQ5WK\r\n[4] “VirusTotal - File - a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73.” Accessed: Jun. 10, 2025. [Online]. 
Available: https://www.virustotal.com/gui/file/a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73/detection\r\n[5] “BlackLock Ransomware: What You Need To Know | Tripwire.” Accessed: Jun. 10, 2025. [Online]. Available: https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know\r\n[6] “BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability,” The Hacker News. Accessed: Jun. 10, 2025. [Online]. Available: https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html\r\n[7] “qTox: A New Kind of Instant Messaging.” Accessed: Jun. 11, 2025. [Online]. Available: https://qtox.github.io/\r\n[8] Sygnia, “Understanding ESXi Ransomware: SSH Tunneling and Defense Strategies,” Sygnia. Accessed: Jun. 05, 2025. [Online]. Available: https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/\r\nSource: https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service"
	],
	"report_names": [
		"global-group-emerging-ransomware-as-a-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36946615affd0ae9bdf0753f641e7d7142ecb996.pdf",
		"text": "https://archive.orkl.eu/36946615affd0ae9bdf0753f641e7d7142ecb996.txt",
		"img": "https://archive.orkl.eu/36946615affd0ae9bdf0753f641e7d7142ecb996.jpg"
	}
}