Cybersecurity researchers have identified a new ransomware-as-a-service (RaaS) operation known as GLOBAL GROUP, which has rapidly expanded its targeting capabilities across multiple critical sectors. Since its emergence in June 2025, the group has launched attacks on organizations in Australia, Brazil, Europe, and the United States, posing a significant threat to global cybersecurity.
Origins and Rebranding Strategy
GLOBAL GROUP is believed to be a rebranded iteration of the now-defunct BlackLock RaaS, which itself evolved from a previous operation called Eldorado. The rebranding appears to have followed the compromise of BlackLock’s data leak site by rival cybercriminals, prompting the core actors behind these operations to adopt a new identity.
The group was first introduced on underground cybercrime forums by a user operating under the alias “$$$,” a threat actor with established connections to past RaaS activities. This continuity indicates a calculated effort by experienced operators to maintain their foothold in the ransomware market through successive rebranding.
Targeted Industries and Global Reach
Despite being a relatively recent entrant, GLOBAL GROUP has already claimed attacks on at least 17 victims across a broad spectrum of industries, including:
- Healthcare (Australia and United States)
- Oil and Gas Fabrication (Texas, U.S.)
- Automotive and Engineering (United Kingdom)
- Business Process Outsourcing and Facilities Management (Brazil)
The wide geographical distribution of these attacks suggests a coordinated, multinational campaign designed to exploit industries with high-value data and lower tolerance for downtime.
Tactical Capabilities and Toolset
GLOBAL GROUP employs a combination of traditional and advanced attack techniques to infiltrate networks and execute ransomware operations effectively. The group purchases unauthorized access credentials from initial access brokers, often targeting edge devices such as firewalls and VPN appliances from vendors like Cisco, Fortinet, and Palo Alto Networks.
The group utilizes automated brute-force tools to gain unauthorized access to Microsoft Outlook and RDWeb portals, facilitating lateral movement and privilege escalation within networks. In a notable development, GLOBAL GROUP has integrated AI-powered chatbots into its ransom negotiation process. These bots automate communication with victims and support multilingual responses, enhancing the group’s efficiency and increasing psychological pressure during ransomware negotiations.
Ransomware Distribution and Affiliate Model
As a RaaS platform, GLOBAL GROUP offers its malware and infrastructure to third-party affiliates. In return, affiliates keep a substantial share, up to 80%, of any ransom payments. This high commission structure is intended to attract a wide pool of participants, accelerating the group’s operational growth.
Affiliates are also provided with access to GLOBAL GROUP’s dedicated data leak site (DLS) hosted on the Tor network. The DLS is used to publicly list victims and leak stolen data if ransom demands are not met, a tactic commonly used to coerce payment.