- A new Ransomware-as-a-service (RaaS) operation called GLOBAL GROUP has been identified, targeting organizations across Australia, Brazil, Europe, and the United States since June 2025.
- The operation is reportedly a rebrand of the previous BlackLock and Mamona ransomware programs and relies heavily on initial access brokers for system infiltration.
- GLOBAL GROUP uses tools against software from companies such as Cisco, Fortinet, and Palo Alto Networks to deploy its ransomware and exploits weaknesses in email and remote desktop portals.
- The service offers affiliates advanced features like an AI-powered negotiation panel, a mobile-friendly dashboard, and customizable ransomware payloads, with affiliates promised 85% of ransom payments.
- June 2025 saw a 15% drop in total ransomware victims globally, but experts warn ongoing risks remain high due to rising geopolitical tensions and increased activity by groups like Qilin and DragonForce.
A new ransomware-as-a-service platform called GLOBAL GROUP has started targeting a range of industries in Australia, Brazil, Europe, and the United States since early June 2025. According to researchers at EclecticIQ, the group promotes its services on Hacking forums and has been linked to the same operator behind earlier BlackLock and Mamona ransomware activities.
Investigators report that GLOBAL GROUP emerged after BlackLock’s data leak site was attacked by the DragonForce cartel earlier this year. Evidence suggests the ransomware operation is financially motivated, using pre-compromised access points to corporate networks via third-party brokers. Attackers focus on vulnerable software made by Cisco, Fortinet, and Palo Alto Networks, as well as brute-force attacks on Microsoft Outlook and remote desktop portals.
The affiliate program offers cybercriminals tools to build ransomware payloads for various operating systems, including VMware ESXi, NAS, BSD, and Windows. A negotiation panel, supported by AI-powered chatbots, assists in communicating with victims—particularly benefiting non-English speakers. The revenue-sharing model gives affiliates 85% of ransom proceeds.
As of July 14, 2025, GLOBAL GROUP claims to have attacked 17 organizations in sectors such as healthcare, industrial manufacturing, automotive repair, and business process outsourcing. Researchers note strong ties to previous ransomware operations, including BlackLock and Mamona, due to shared infrastructure and programming similarities. The Malware is written in Go programming language for better cross-platform attacks.
Other ransomware groups remain active, with Qilin leading RaaS activity in June 2025 with 81 attacks. DragonForce spiked its attacks by over 200%, while groups like Akira, Play, and SafePay also remained significant in the threat landscape. The overall number of ransomware victims dropped from 545 in May to 463 in June 2025.
According to Optiv, ransomware operators continue to depend on traditional methods for initial access, such as social engineering, exploiting software vulnerabilities, and using compromised credentials. Despite a recent decrease in total cases, experts from NCC Group and others warn continued instability and high-profile attacks are likely to sustain the risk from ransomware threats worldwide.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
