In a concerning evolution of ransomware tactics, a newly rebranded ransomware-as-a-service (RaaS) operation known as GLOBAL GROUP is now integrating AI-powered chatbots into its extortion strategy to streamline negotiations and increase pressure on victims.
Emerging in June 2025, GLOBAL GROUP—introduced by a threat actor known as “$$$” on the Russian Anonymous Marketplace (RAMP)—appears to be a rebranding of earlier ransomware families Mamona RIP and Black Lock. A technical analysis by Picus Security reveals that while GLOBAL GROUP doesn’t introduce many novel features, it shows continuity in payload delivery, control logic, and attack structure from its predecessors.
AI-Powered Extortion
What sets GLOBAL GROUP apart is its use of artificial intelligence. Victims directed to its negotiation portal are greeted by a chatbot that manages the initial phase of communication. The system is crafted to pressure non-technical users into fast compliance by using urgency cues like countdown timers and sample decryption proofs. Ransom demands can reach into the millions, with threats of data publication if the victim does not respond.
This AI-driven interface allows affiliates to monitor and control negotiations with minimal effort, supporting operations across multiple time zones and languages—ultimately scaling the threat actor’s reach.
Shared Tactics, Advanced Capabilities
GLOBAL GROUP’s ransomware payload is written in Go (Golang), enabling rapid, concurrent file encryption across Windows, macOS, and Linux systems. It employs the ChaCha20-Poly1305 authenticated encryption algorithm, which provides both data confidentiality and integrity, and uses a hardcoded ransom note mechanism similar to past Mamona RIP operations.
Interestingly, the group recycles technical components such as mutex strings for single-instance execution and shares backend infrastructure with earlier campaigns. For example, exposed SSH credentials and IP addresses tie GLOBAL GROUP to a Russian VPS provider also linked to Mamona RIP.
Modular Ransomware Platform
GLOBAL GROUP’s malware builder offers affiliates customizable options like file targeting, log wiping, and self-deletion. It can even target ESXi, BSD, and NAS devices, demonstrating adaptability to hybrid environments. This modular and stealthy design is comparable to LockBit’s model, making GLOBAL GROUP a formidable and evasive threat.
Security Recommendations
Picus Security’s report includes a set of mitigation and response strategies for organizations, emphasizing the importance of:
- Proactive threat hunting and behavior-based detection
- Network segmentation and privilege restrictions
- Regular backup and restoration testing
- Endpoint protection and patch management
- Monitoring for known indicators of compromise (IOCs)
As ransomware continues to evolve, security teams must remain vigilant. The use of AI by threat actors signals a new phase in cyber extortion, requiring organizations to strengthen their defenses against increasingly automated and scalable attacks.
Source: https://www.infosecurity-magazine.com/news/ransomware-ai-chatbot-pressure/