
Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called Global Group that has targeted a wide range of sectors in Australia, Brazil, Europe, and the United States since its emergence in early June 2025.
Global Group has been promoted on the RAMP4U forum by a threat actor known as “$$$,” said Arda Büyükkaya, researcher at EclecticIQ. “The same actor controls BlackLock RaaS and controls the previously managed Mamona ransomware operations.”
Global Group is believed to be a rebrand of BlackLock after the latter's data leak site was defaced by the DragonForce ransomware cartel in March. It is worth mentioning that BlackLock itself is a rebrand of another RaaS scheme known as Eldorado.
The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. It also uses brute-force utilities for Microsoft Outlook and RDWeb portals.

$$$ gained Remote Desktop Protocol (RDP) or web shell access to corporate networks, such as those associated with law firms, as a way to deploy post-exploitation tools, conduct lateral movement, siphon data, and deploy ransomware.
Outsourcing the intrusion stage to other threat actors, who provide pre-compromised entry points into enterprise networks, allows affiliates to spend more effort on payload delivery, extortion, and negotiation rather than network penetration.
The RaaS platform comes with a negotiation portal and an affiliate panel. The latter allows cybercriminals to manage their victims, build ransomware payloads for VMware ESXi, NAS, BSD, and Windows, and monitor operations. To attract more affiliates, the threat actors promise an 85% revenue-sharing model.
“The Global Group’s ransom negotiation panel features an automated system with an AI-driven chatbot,” the Dutch security company said. “This will allow non-affiliates who speak English to engage victims more effectively.”
As of July 14, 2025, the RaaS group has claimed 17 victims in Australia, Brazil, Europe, and the United States, spanning healthcare, oil and gas equipment manufacturing, industrial machinery and precision engineering, auto repair, accident recovery services, and large-scale business process outsourcing (BPO).
The link to BlackLock and Mamona is attributed to the use of the same Russian VPS provider, IpServer, and to source code similarities with Mamona. Specifically, Global Group is said to be an evolution of Mamona, with the ability to enable domain-wide ransomware installation. Furthermore, the malware is written in Go, like BlackLock.
“Creating Global Group with BlackLock administrators is a deliberate strategy to modernize the business, expand revenue streams and stay competitive in the ransomware market,” said Büyükkaya. “This new brand integrates AI-powered negotiations, mobile-friendly panels and customizable payload builders, making it appealing to a wider affiliate market.”
This disclosure comes as the Qilin ransomware group emerged as the most active RaaS operation in June 2025, accounting for 81 victims. Other major players include Akira (34), Play (30), SafePay (27), and DragonForce (25).
“SafePay saw the sharpest decline at 62.5%, suggesting a major drawback,” said Cyfirma, a cybersecurity company. “DragonForce appeared quickly, and attacks increased by 212.5%.”
Overall, the total number of ransomware victims fell 15%, down from 545 in May to 463 in June 2025. February tops this year's list with 956 victims.

“Despite the decline in numbers, geopolitical tensions and high-profile cyberattacks could underline increased instability and increase the risk of cyber threats,” NCC Group said late last month.
Data collected by Optiv’s Global Threat Intelligence Center (GTIC) shows that 314 ransomware victims were listed on 74 unique data leak sites in the first quarter of 2025, representing a 213% increase in the number of victims. A total of 56 variants were observed in the first quarter of 2024.
“Ransomware operators have continued to use proven methods to gain early access to victims, including social engineering/phishing, exploitation of software vulnerabilities, compromise on unexposed, secure software, supply chain attacks, and leveraging the initial access broker (IAB) community.”