Cybercrime 3.0: GLOBAL GROUP's AI-driven RaaS transforms the rules of ransomware

In just over a month since its debut, GLOBAL GROUP, a new ransomware-as-a-service (RaaS) operation, has drawn global attention not only for the volume of its attacks but also for its innovative approach to reengineering the ransomware business.

Dubbed “Cybercrime 3.0” by experts, GLOBAL GROUP uses artificial intelligence to fuel ransom negotiations, streamline payload creation, and lower barriers for non-technical affiliates. Its hybrid model, stitched together from older threats, marks a turning point in the evolution of AI-assisted cybercrime.

How does GLOBAL GROUP's AI reshape the global ransomware game?

The actor known as "$$$" first advertised GLOBAL GROUP on Ramp4u, a well-known cybercriminal forum, in June 2025. The same person reportedly operated the BlackLock and Mamona RaaS platforms, both precursors to this new effort.

Unlike its predecessors, GLOBAL GROUP introduces an AI-driven negotiation system that allows affiliates to communicate with victims automatically in multiple languages. The result is an unprecedented expansion in the scope and frequency of attacks.

Did you know?
GLOBAL GROUP reportedly offers affiliates an 85% revenue share, one of the highest in the ransomware market. Its AI-powered negotiation bots support multiple languages, drastically expanding its reach among non-English-speaking cybercriminals.

Could AI-powered RaaS mean the end of human-led cyber defense?

GLOBAL GROUP's model poses new challenges to cybersecurity professionals. Its platform allows affiliates to skip the reconnaissance and network penetration phase entirely by relying on initial access brokers. These brokers provide logins to vulnerable systems, including those from Microsoft, Cisco, and Fortinet.

Once inside a targeted environment, affiliates can use the platform’s dashboard to build specific payloads tailored for networks running VMware ESXi, NAS devices, BSD, or Windows. The payload builder also includes domain-wide installation functionality, significantly expanding attack efficiency.

ALSO READ | Billions of IoT Devices Exposed as Kigen eSIM Flaw Enables Cloning and Spying

Automation and multilingual bots reinvent ransomware attacks

Security analysts have confirmed that AI-enabled chatbots power the negotiation panel. These bots autonomously initiate and conduct communications with victim organizations, including managing payment timelines, offering discounts, and issuing threats, all without human involvement.

The AI tools also bridge language barriers, allowing cybercriminals with minimal English proficiency to participate in ransomware campaigns at scale for the first time. Researchers believe this feature alone could double the pool of potential attackers.

The GLOBAL GROUP model expands ransomware-as-a-service power

The GLOBAL GROUP model promises affiliates an 85% cut of ransom proceeds, a figure that surpasses that of most competing RaaS programs. An easy-to-navigate affiliate panel handles victim tracking, payload deployment, and revenue statistics. Additionally, the platform incorporates mobile support, enabling orchestration from any location worldwide.

So far, GLOBAL GROUP has claimed 17 victims across Australia, Brazil, Europe, and the U.S., focusing on a broad spectrum of industries from oil and gas equipment to healthcare and accident-recovery services. Each incident showcases increasingly refined tools and strategic execution.

GLOBAL GROUP’s malware, like its BlackLock predecessor, is coded in Go, a language favored for speed and cross-platform deployment. Significant portions of the codebase share DNA with previous campaign libraries, strongly suggesting this is not a new player but a dangerous upgrade.

As of July 2025, it remains unclear whether any affected organizations have paid the ransom demands. But analysts zero in on the bigger threat: GLOBAL GROUP’s fusion of AI, automation, and business-savvy platform design may become the blueprint for RaaS operations going forward.

The criminal innovation seen with GLOBAL GROUP indicates a fundamental shift in the ransomware economy. If governments and companies cannot keep pace with the rapid scaling and sophistication of AI-powered cybercrime, the next wave of hacks could happen too fast to stop.