GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates
ID: 69ab77b6-740c-5b75-b844-0d25c96a6947
STIX ID: report--69ab77b6-740c-5b75-b844-0d25c96a6947
Feed Name: EclecticIQ
EclecticIQ observed a new Ransomware-as-a-Service (RaaS) operation named GLOBAL GROUP, promoted on the Ramp4u forum by the actor "$$$" and likely a rebrand of Black Lock/Mamona. The group has claimed multiple victims across healthcare, manufacturing, and services and operates a Tor-based data leak site whose real IP address was exposed. Analysts link GLOBAL GROUP to its predecessors through shared infrastructure and malware artifacts, including a Go-based sample that encrypts with ChaCha20-Poly1305 and a mutex shared with earlier samples. The operation actively uses Initial Access Brokers and VPN brute-force tools that target Fortinet, Palo Alto, and Cisco VPN portals as well as Microsoft web portals. Its affiliate-focused RaaS platform offers ESXi and cross-platform payloads, AI-driven ransom negotiation, and high revenue shares, all aimed at scaling high-value ransom operations.
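The VPN brute-force tooling described above leaves a recognisable trail in authentication logs: many failures from one source in a short window, often across many usernames (password spraying), sometimes followed by a success that indicates a compromised account. The following detector is an added example written for this page, not code from EclecticIQ or from the report; it runs over a constructed, generic "vpn-auth" log line format (the field names src/user/result and the sample addresses are assumptions, not any vendor's real syslog schema) and flags a source once its failures within a sliding window reach a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (generic format, not vendor syslog).
# 203.0.113.7 sprays five accounts in a few seconds and then logs in as "erin";
# 198.51.100.20 is an ordinary user mistyping once; 192.0.2.9 fails twice, 10 min apart.
SAMPLE_LOGS = """\
2025-07-01T10:00:01Z vpn-auth src=203.0.113.7 user=alice result=fail
2025-07-01T10:00:03Z vpn-auth src=203.0.113.7 user=bob result=fail
2025-07-01T10:00:05Z vpn-auth src=203.0.113.7 user=carol result=fail
2025-07-01T10:00:07Z vpn-auth src=203.0.113.7 user=dave result=fail
2025-07-01T10:00:09Z vpn-auth src=203.0.113.7 user=erin result=fail
2025-07-01T10:00:12Z vpn-auth src=203.0.113.7 user=erin result=success
2025-07-01T10:01:00Z vpn-auth src=198.51.100.20 user=alice result=fail
2025-07-01T10:01:30Z vpn-auth src=198.51.100.20 user=alice result=success
2025-07-01T10:30:00Z vpn-auth src=192.0.2.9 user=frank result=fail
2025-07-01T10:40:00Z vpn-auth src=192.0.2.9 user=frank result=fail
"""

# Assumed line layout: "<ISO-8601 UTC> vpn-auth src=<ip> user=<name> result=fail|success"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z vpn-auth "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_line(line):
    """Return a dict with ts/src/user/result, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detection keyed on source address.

    A source is alerted the first time it accumulates `threshold` failures
    inside `window`. The alert records how many distinct usernames were tried
    (a spray indicator) and any successful logins from that source after the
    burst, which is the signal that an account may now be compromised.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    alerts = {}                    # src -> alert dict (one alert per source)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]

        if ev["result"] == "fail":
            q = failures[src]
            q.append((ts, ev["user"]))
            # Drop failures that have fallen out of the window.
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                users = {u for _, u in q}
                alerts[src] = {
                    "src": src,
                    "first_seen": q[0][0],
                    "last_seen": ts,
                    "failures": len(q),          # snapshot at alert time
                    "distinct_users": len(users),
                    # Many users, few attempts each -> spraying; one user -> classic brute force.
                    "pattern": "password-spray" if len(users) >= threshold else "single-account",
                    "success_after_burst": [],
                }
        elif src in alerts:
            # A success from an already-alerted source: treat as likely compromise.
            alerts[src]["success_after_burst"].append(ev["user"])

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

In production the threshold and window need tuning per portal (a five-failure burst is noisy on a large SSL-VPN, meaningful on a small admin portal), and the same logic should also be keyed on username so that a spray distributed across many source addresses is not missed.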
