GLOBAL GROUP RaaS Expands with AI Tools Amid Rising Cyber Threats
GLOBAL GROUP Ransomware Operations
Image courtesy of The Hacker News
Cybersecurity researchers have identified a new ransomware-as-a-service (RaaS) operation known as GLOBAL GROUP, which emerged in June 2025. This group targets various sectors across Australia, Brazil, Europe, and the United States. The operation was promoted on the Ramp4u forum by the threat actor known as '$$$', who also controls the BlackLock RaaS and previously managed Mamona ransomware operations. It is believed that GLOBAL GROUP is a rebranding of BlackLock, following the latter's data leak site being defaced by the DragonForce ransomware cartel.
The group relies heavily on initial access brokers (IABs), who gain entry by exploiting vulnerabilities in edge appliances from vendors such as Cisco, Fortinet, and Palo Alto Networks, and by running brute-force tools against Microsoft Outlook and RDWeb portals. Once Remote Desktop Protocol (RDP) or web shell access to a corporate network is obtained, the operators move laterally, siphon data, and deploy the ransomware.
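As an added example (not code from the article or from the cited researchers), this is the kind of detection a defender can run over IIS W3C logs to surface the RDWeb credential brute-forcing described above; the RDWeb path, the default IIS field order, the 200-versus-302 logon heuristic and the sample log lines are all assumptions constructed for the demo.

```python
# Added example, not from the article: flag brute-force bursts against an RDWeb
# logon page in IIS W3C logs. Assumes the default IIS field order (date time s-ip
# cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
# cs-referer sc-status ...) and that a failed form logon returns 200, a success 302.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDWEB_LOGIN = "/rdweb/pages/en-us/login.aspx"

def parse_w3c(line):
    """Return the fields this detection needs, or None for comment/blank lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 15:
        return None
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "method": f[3], "uri": f[4].lower(), "ip": f[8], "status": f[11]}

def failed_rdweb_logons(lines):
    for line in lines:
        ev = parse_w3c(line)
        if ev and ev["method"] == "POST" and ev["uri"] == RDWEB_LOGIN and ev["status"] == "200":
            yield ev

def flag_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Map client IP -> peak number of failed logons inside any sliding window
    of length `window`, for IPs that reached `threshold` or more."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in failed_rdweb_logons(lines):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample log: 203.0.113.7 sprays the portal; 198.51.100.20 mistypes once, then succeeds.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2025-07-01 08:00:02 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 130
2025-07-01 08:00:04 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 125
2025-07-01 08:00:06 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 128
2025-07-01 08:00:09 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 131
2025-07-01 08:00:11 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 127
2025-07-01 08:00:14 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 python-requests/2.32 - 200 0 0 129
2025-07-01 08:00:30 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 140
2025-07-01 08:00:41 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 95"""

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG.splitlines()))   # {'203.0.113.7': 6}
```

In production the same logic belongs in the SIEM keyed on the portal's own authentication events as well, since a web-tier view alone cannot tell a locked-out account from a wrong password.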
The RaaS platform features a negotiation portal and an affiliate panel that let cybercriminals manage victims, build ransomware payloads, and monitor operations, with affiliates keeping an enticing 85% share of ransom revenue. The negotiation panel includes an automated system powered by AI-driven chatbots, allowing non-English-speaking affiliates to engage victims more effectively.
As of July 14, 2025, GLOBAL GROUP has claimed 17 victims across various industries, including healthcare, oil-and-gas equipment fabrication, industrial machinery, automotive repair, and large-scale business process outsourcing. The malware used in these operations is written in Go and has been observed to be an evolution of previous ransomware with added features for domain-wide installation.
For more details on the ransomware landscape, see the following resources: The Hacker News, EclecticIQ, and Optiv's Global Threat Intelligence Center.
Ransomware Negotiation and Tactics
The negotiation tactics employed by GLOBAL GROUP are notable for their sophistication. The group utilizes AI-driven chatbots in their negotiation panel to increase psychological pressure during ransom discussions, enabling them to demand higher amounts, including seven-figure ransoms. The unique mobile-friendly panels allow affiliates to manage negotiations on the go, further increasing their operational efficiency.
The RaaS platform not only supports traditional systems but also offers cross-platform builds for environments like VMware ESXi, NAS, BSD, and Windows OS. This flexibility allows affiliates to encrypt multiple systems simultaneously, amplifying the impact of each attack.
Additionally, the group's use of IABs for initial access shortens the time needed to get into a network, letting affiliates focus on payload delivery and extortion rather than the initial compromise. This division of labour increases the overall effectiveness of their attacks.
For further insights into ransomware negotiation strategies, you can check these resources: The Hacker News and CYFIRMA.
Threat Landscape and Data Insights
The emergence of GLOBAL GROUP coincides with a broader downturn in the total number of ransomware victims, which fell from 545 in May to 463 in June 2025, marking a 15% decline. However, this decline does not indicate a reduction in overall threat levels, as geopolitical tensions and high-profile cyber attacks continue to pose significant risks.
Data collected by Optiv’s Global Threat Intelligence Center indicates a 213% increase in ransomware victims listed on data leak sites in Q1 2025 compared to the previous year. This trend highlights the evolving nature of ransomware threats and the necessity for organizations to remain vigilant in their cybersecurity measures.
For more information on the current ransomware landscape, refer to: NCC Group, Optiv, and Halcyon.
Pay2Key.I2P Ransomware Operations
Image courtesy of The Record from Recorded Future News
The Iranian ransomware group Pay2Key.I2P has intensified its operations, particularly targeting entities in Israel and the U.S. The group claims to have collected over $4 million in ransom payments in the last four months, offering affiliates an 80% cut for attacks against Iran’s adversaries.
Pay2Key.I2P is believed to be a successor to the original Pay2Key operation, which has ties to Iran’s state-backed Fox Kitten hacking group. The group's recruitment efforts are focused on Russian-speaking hacker forums, aiming to bolster their ranks with affiliates willing to carry out attacks against perceived enemies of Iran.
This development underscores the increasing intersection of geopolitical tensions and cybercrime, as ransomware actors leverage these dynamics to enhance their operational capabilities and profit margins.
For further insights into the activities of Pay2Key.I2P, you can explore: Morphisec and The Record.
SafePay Ransomware Threat
SafePay has emerged as a significant player in the RaaS landscape since its inception in November 2024. The group utilizes aggressive double extortion tactics, encrypting systems while also exfiltrating sensitive data to increase leverage against victims.
The ransomware incorporates elements from leaked LockBit source code, showcasing a high level of technical maturity. SafePay's operations extend across various industries, including education, technology, healthcare, and manufacturing, primarily targeting mid-sized to large enterprises.
The group’s rapid growth and operational discipline suggest it may be run by experienced threat actors, further establishing its presence in the evolving ransomware ecosystem.
For additional information on SafePay, refer to: Halcyon.
Explore our services or contact us at Gopher Security to learn how we can assist you in enhancing your cybersecurity posture.