Full Report
Executive summary
On June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. The same actor controls the BlackLock RaaS [1] and previously managed Mamona [2] ransomware operations. GLOBAL GROUP targets a wide range of sectors across the United States and Europe. EclecticIQ assesses with medium confidence that GLOBAL GROUP was likely established as a rebranding of the BlackLock RaaS operation. The rebranding aims to rebuild trust and expand the affiliate network by giving 80% of extorted ransom money to affiliates.
Analysis Summary
# Threat Actor: GLOBAL GROUP (RaaS)
## Attribution & Identity
**Primary Operator Alias:** `$$$`
**Known Associations/Previous Operations:** Controls the BlackLock RaaS and previously managed Mamona ransomware operations.
**Assessment Confidence:** Medium confidence that GLOBAL GROUP is a rebranding of the BlackLock RaaS operation. High confidence links the operator `$$$` to the defunct Mamona RIP ransomware operation.
**Language Indicators:** The actor accidentally misspelled the group name as "GLOBALY," suggesting they are likely not a native English speaker.
## Activity Summary
GLOBAL GROUP emerged as a new Ransomware-as-a-Service (RaaS) brand, first observed on June 2, 2025, promoted on the Ramp4u forum by the actor `$$$`.
The official RaaS offering was announced on June 26, 2025.
**Motivation/Objective:** Rebuild trust and expand the affiliate network. They offer affiliates a favorable 80% share of extorted ransom money. The ultimate objective is financial gain through ransomware attacks, supported by seven-figure ransom demands.
**Operational Tempo:** The group rapidly deployed, claiming responsibility for nine victims within the first five days (June 2–7, 2025) and escalating to 17 victims by July 14, 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Heavily relies on Initial Access Brokers (IABs) to gain access to vulnerable edge appliances.
- **Exploitation:** Targets Fortinet, Palo Alto, and Cisco devices.
- **Credential Compromise:** Utilizes brute-force tools against Microsoft Outlook portals and Remote Desktop Web Access (RDWeb) portals to achieve high-privilege initial access.
- **Evasion:** The methods used reportedly enable rapid ransomware deployment, often bypassing traditional EDR solutions.
- **Negotiation:** Employs an AI-driven chatbot system within their negotiation panel to handle non-English-speaking affiliates engaging victims, increasing psychological pressure.
- **Infrastructure OPSEC Failure:** An exposed API endpoint (`/posts`) on their Tor leak site accidentally revealed the hosting environment, linking them to previous infrastructure.
## Targeting
**Sectors:** Wide range, including:
* Healthcare providers
* Oil-and-gas equipment fabrication
* Industrial machinery and precision engineering
* Automotive repair and accident-recovery services
* Large-scale business-process outsourcing and facilities-management services
**Geography:** Targets organizations across the United States and Europe, with confirmed victims in:
* United States (including Texas)
* Europe (United Kingdom, Brazil)
* Australia
**Victims:** Specific victims listed include healthcare providers in the US and Australia, an automotive services firm in the UK, and an oil-and-gas fabrication company in Texas.
## Tools & Infrastructure
- **Ransomware Brand:** GLOBAL GROUP (RaaS).
- **Previous Malware:** BlackLock RaaS, Mamona ransomware.
- **Leak Site (DLS):** Hosted on the Tor network. Onion address: `vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion`
- **Infrastructure:** Utilizes a Russia-based Virtual Private Server (VPS) provider named IpServer, also used by Mamona RIP.
- Exposed IPs linked to infrastructure (revealed via OPSEC failure): `185.158.113[.]114` (Mamona era), `193.19.119[.]4` (GLOBAL GROUP era, port 3304).
- **Unique Capability:** Mobile control panel for affiliates.
## Implications
The rebranding from BlackLock (or a previous iteration) suggests a concerted effort to shed a negative reputation and attract more affiliates, potentially increasing the volume and diversity of attacks. The integration of AI negotiation tools demonstrates a technical sophistication aimed at maximizing ransom yield and overcoming language barriers during high-stakes financial discussions. Shared infrastructure with Mamona provides high confidence in attribution to the known operator `$$$`.
## Mitigations
- Harden edge appliances (Fortinet, Palo Alto, Cisco) against exploitation.
- Implement strong authentication and monitoring to detect and prevent brute-force attacks targeting Outlook and RDWeb portals.
- Deploy advanced EDR solutions capable of detecting post-exploitation lateral movement, particularly given the group's attempts to bypass standard protection.
- Monitor underground forums (like Ramp4u) for discussions related to RaaS recruitment, affiliate programs, and threat actor aliases like `$$$`.
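As an added example (not code from the EclecticIQ report), the script below implements the brute-force monitoring recommended above: it scans IIS W3C log lines for repeated failed logins against the RDWeb and OWA endpoints and flags source IPs that exceed a threshold inside a time window, noting whether a success followed the failures. The log lines are constructed, and the endpoint paths, threshold and window are assumptions.

```python
"""Flag brute-force / password-spray activity against RDWeb and OWA portals
from IIS W3C logs. Added example; all log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints the report says affiliates brute-force (assumed paths, lower-cased).
WATCHED_PATHS = ("/rdweb/pages/en-us/login.aspx", "/owa/auth.owa")

# Constructed sample: date time cs-uri-stem cs-method c-ip sc-status
SAMPLE_LOG = """\
2025-06-03 01:00:01 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 401
2025-06-03 01:00:02 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 401
2025-06-03 01:00:03 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 401
2025-06-03 01:00:04 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 401
2025-06-03 01:00:05 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 401
2025-06-03 01:00:06 /RDWeb/Pages/en-US/login.aspx POST 203.0.113.7 200
2025-06-03 01:05:00 /owa/auth.owa POST 198.51.100.9 401
2025-06-03 01:09:00 /owa/auth.owa POST 198.51.100.9 401
2025-06-03 02:30:00 /owa/auth.owa POST 198.51.100.9 401
2025-06-03 01:00:10 /rpc/rpcproxy.dll RPC_IN_DATA 192.0.2.5 401
"""

def parse(line):
    date, time, path, _method, ip, status = line.split()
    return datetime.fromisoformat(f"{date} {time}"), path.lower(), ip, int(status)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (max_failures_in_window, success_after_failures)} for every
    source IP with at least `threshold` 401s inside `window` on a watched path."""
    fails = defaultdict(list)
    success_after = set()
    for line in log_text.splitlines():
        ts, path, ip, status = parse(line)
        if path not in WATCHED_PATHS:
            continue  # ignore traffic to endpoints we are not watching
        if status == 401:
            fails[ip].append(ts)
        elif status == 200 and fails[ip]:
            success_after.add(ip)  # a login succeeded after failures: likely credential compromise
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted failure timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, ip in success_after)
    return hits
```

A hit with `success_after_failures == True` (as for 203.0.113.7 in the sample) is the case to treat as a probable compromised account rather than just noise.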