Cyber threat intelligence firm EclecticIQ has spotted a new Ransomware-as-a-Service (RaaS) group, known as GLOBAL GROUP, promoted by a threat actor known online as “$$$.” The same threat actor previously operated the BlackLock and Mamona ransomware campaigns, indicating that GLOBAL GROUP is likely a rebranded version of BlackLock.
The rebranding appears to be an effort to rebuild trust within the cybercriminal ecosystem and expand the affiliate base, backed by an aggressive revenue-sharing model that offers affiliates 80% of ransom proceeds. GLOBAL GROUP has already claimed responsibility for 17 victims across the US, UK, Australia, and Brazil, most of them healthcare organizations.
The threat actor runs a dedicated leak site (DLS) on the Tor network, which was linked to a Russia-based Virtual Private Server (VPS) provider, IpServer, the same hosting service previously used in Mamona operations.
Analysts uncovered the real-world IP address of the site through an operational security lapse involving an exposed API endpoint. The endpoint leaked victim data, including IP addresses and SSH usernames, pointing to a misconfigured system accessible over the internet.
GLOBAL GROUP relies on Initial Access Brokers (IABs) for network infiltration. Targets include vulnerable edge devices from Fortinet, Palo Alto, and Cisco. The group also uses brute-force tools against Microsoft Outlook and RDWeb portals to obtain privileged access and deploy ransomware rapidly, often bypassing endpoint detection systems.
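The brute-force activity against Outlook (OWA) and RDWeb portals described above leaves a recognisable footprint in web-server logs: many failed POSTs to a login endpoint from one source in a short window. The following detector is an added example for defenders, not EclecticIQ's code and not derived from any GLOBAL GROUP tooling; the log format, the login paths, the 5-failures-in-60-seconds threshold and the sample lines are all constructed assumptions to adapt to your own IIS or reverse-proxy logging.

```python
"""Flag brute-force bursts against OWA/RDWeb login endpoints in web-server logs.

Added example, not the article's or EclecticIQ's code. Log layout, paths,
thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W3C-style access log: date time client-ip method uri status
SAMPLE_LOG = """\
2025-07-01 10:00:01 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:02 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:02 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:03 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:04 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:05 203.0.113.7 POST /owa/auth.owa 401
2025-07-01 10:00:20 198.51.100.9 POST /RDWeb/Pages/en-US/login.aspx 200
2025-07-01 10:01:00 198.51.100.9 POST /RDWeb/Pages/en-US/login.aspx 401
2025-07-01 10:05:00 192.0.2.4 POST /owa/auth.owa 401
2025-07-01 10:06:00 192.0.2.4 POST /owa/auth.owa 401
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
# Lower-cased URI prefixes that accept credentials (assumed for this example).
LOGIN_PATHS = ("/owa/auth.owa", "/rdweb/pages/")
WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
THRESHOLD = 5                    # failures within WINDOW that trigger an alert


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group(2),
        "method": m.group(3),
        "uri": m.group(4),
        "status": int(m.group(5)),
    }


def is_failed_login(ev):
    """A credential POST to a login path that the server rejected."""
    return (
        ev["method"] == "POST"
        and ev["status"] in (401, 403)
        and ev["uri"].lower().startswith(LOGIN_PATHS)
    )


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: {"count", "first", "last"}} for every source whose
    failed logins reach `threshold` inside any `window`-long interval."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_failed_login(ev):
            failures[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it covers at most `window` seconds.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = alerts.get(ip)
                if prev is None or count > prev["count"]:
                    alerts[ip] = {"count": count, "first": times[start], "last": t}
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {hit['count']} failed logins between {hit['first']} and {hit['last']}")
```

Only `203.0.113.7` trips the detector on the sample data; the two failures from `192.0.2.4` are a full minute apart and the single RDWeb failure is noise. In production, tune the threshold against your baseline and treat password spraying (few attempts per account across many accounts) as a separate rule, since this one keys on the source address.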
Technical analysis reveals that GLOBAL GROUP ransomware is a modified version of Mamona, with new features for automated, domain-wide deployment via SMB and malicious Windows services. The ransom negotiation process is augmented by AI-driven chatbots, designed to pressure victims and assist non-English-speaking affiliates in demanding seven-figure payments.