AI-Driven Negotiation Feature for Emerging Ransomware-as-a-Service

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

GLOBAL GROUP Ransomware-as-a-Service Overview

A new Ransomware-as-a-Service (RaaS) operation named GLOBAL GROUP has emerged, leveraging advanced AI-driven negotiation tools to increase pressure on victims. Security researchers from EclecticIQ first identified the group in early June 2025 on the Ramp4u underground forum. The actor known as “$$$” announced a dedicated leak site and a fully operational RaaS platform.

GLOBAL GROUP RaaS Adds AI-Powered Negotiation Feature for Ransom Demands

Image courtesy of GLOBAL GROUP

Infrastructure and Operations

GLOBAL GROUP relies heavily on Initial Access Brokers (IABs) to gain footholds in high-value corporate networks. These brokers provide access via compromised VPN appliances, including Fortinet, Palo Alto, and Cisco, as well as webshells for SAP NetWeaver environments. The deployment of customized ransomware payloads is executed rapidly to maximize damage before defenses can respond.

The group's negotiation system employs AI chatbots that guide victims through a scripted extortion dialogue. This system includes multiple language options, allowing non-English-speaking affiliates to communicate effectively with their targets. The AI increases psychological pressure by threatening data leaks if victims hesitate.

On Ramp4u forum, threat actor “$$$” shared the DLS in an announcement of GLOBAL GROUP

Image courtesy of Ramp4u forum

Affiliate Model and Revenue Share

Affiliates of GLOBAL GROUP can expect a revenue share of 80 to 85 percent from ransom payments. This model is designed to attract experienced cybercriminals from competing RaaS operations. The affiliate dashboard enables users to create cross-platform payloads and automate domain-wide deployments using SMB and malicious Windows services.

The new platform offers an advanced Command and Control (C2) capability, allowing affiliates to customize their ransomware deployment extensively. The incorporation of AI negotiation tools signifies a significant advancement in the RaaS market, facilitating a competitive "service economy" for cybercrime.

85% revenue share percentage in GLOBAL RaaS

Image courtesy of GBHackers

Recent Activity and Targeted Sectors

Since its emergence, GLOBAL GROUP has claimed responsibility for multiple ransomware incidents across various sectors, predominantly targeting healthcare providers in the U.S. and Australia, as well as industrial firms in the U.K. and Brazil. Analysts have tracked victims’ data being exposed on its dedicated leak site, which is hosted on the Tor network.

According to EclecticIQ, some ransom demands have reached over one million U.S. dollars, with victims often given a tight deadline to respond. This highlights the group's strategy of targeting high-value ransoms and executing rapid extortion tactics.

Threat actor $$$ advertising Black Lock RaaS on Ramp4u

Image courtesy of GBHackers

AI-Driven Negotiation Features

The AI-driven negotiation interface allows for dynamic adjustments and increases pressure on victims. The chatbots can adapt their strategy based on the victim's responses, creating a more personalized experience that enhances the likelihood of payment. This represents a shift toward more sophisticated extortion methods in the cybercriminal landscape.

In addition to its negotiation capabilities, the GLOBAL GROUP platform provides a mobile control panel, enabling affiliates to manage their operations remotely.

Video advertisement on the data leak site

Image courtesy of GBHackers

Security Implications and Recommendations

The emergence of GLOBAL GROUP indicates a growing trend in RaaS operations utilizing AI and advanced negotiation tactics to optimize their extortion efforts. Organizations are advised to enhance their cybersecurity measures, including adopting a Zero-Trust architecture, implementing robust patch management, and ensuring frequent backups of sensitive data.

For ongoing updates on the evolving tactics of ransomware groups like GLOBAL GROUP, it is crucial for security teams to stay informed and adjust their defensive strategies accordingly.

Figure 12 – Negotiation panel; the threat actor demands 1 million US dollars for the decryption key

Image courtesy of EclecticIQ

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article