{"id":1599,"date":"2025-07-27T17:52:17","date_gmt":"2025-07-27T17:52:17","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/07\/27\/ransomware-group-uses-ai-chatbot-to-intensify-pressure-on-victims\/"},"modified":"2025-07-27T17:52:17","modified_gmt":"2025-07-27T17:52:17","slug":"ransomware-group-uses-ai-chatbot-to-intensify-pressure-on-victims","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/27\/ransomware-group-uses-ai-chatbot-to-intensify-pressure-on-victims\/","title":{"rendered":"Ransomware Group Uses AI Chatbot to Intensify Pressure on Victims"},"content":{"rendered":"<div id=\"layout-650b7379-e75e-4f80-91f1-691d0357e054\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A threat actor claiming to have launched a new ransomware-as-a-service (RaaS) venture is leveraging AI chatbots in its negotiation panel to automate communication and apply psychological pressure on victims.<\/p>\n<p>In June 2025, a ransomware actor known by the alias $$$ publicly introduced a new RaaS brand, GLOBAL GROUP, on the Russian Anonymous Market Place (RAMP or Ramp4u) cybercrime forum.<\/p>\n<p>Researchers at Picus Security promptly conducted a forensic investigation across malware samples, infrastructure configuration and control logic, which included analyzing leaked API metadata, reverse-engineered binary code and threat actor behavior.<\/p>\n<p>They concluded that GLOBAL GROUP had very few new features but instead included capabilities found in the Mamona RIP and Black Lock ransomware families.<\/p>\n<p>In a July 21 report, Picus Security assessed that GLOBAL GROUP was a rebranding of these two groups.<\/p>\n<p>\u201cAt every layer, payload, delivery, control, and operation, GLOBAL reveals continuity and maturity more than innovation,\u201d the researchers wrote.<\/p>\n<h2><strong>Negotiation Panel Equipped with an AI Chatbot <\/strong><\/h2>\n<p>However, one innovation the GLOBAL group has introduced is the use of 
an AI chatbot to kick off the negotiation process.<\/p>\n<p>The ransomware group offers a dual-portal model, directing victims to a Tor-based data leak site and a separate negotiation panel \u2013 a structure reminiscent of LockBit\u2019s compartmentalized backend, suggesting that GLOBAL employs a double-extortion approach.<\/p>\n<p>Once on the negotiation panel, the victim is greeted by an AI-powered chatbot designed to automate communication and apply psychological pressure.<\/p>\n<p>The panel is designed for non-technical users, featuring prompts to upload a sample encrypted file for free decryption verification. All correspondence takes place over a secure channel, with a timer displayed to reinforce the urgency.<\/p>\n<p>Chat transcripts reviewed by analysts show demands reaching seven-figure sums, such as BTC9.5 ($1m at the time the negotiation process occurred), with escalating threats of data publication.<\/p>\n<p>GLOBAL\u2019s affiliates have access to this panel in order to monitor negotiations, set ransom windows and even interact with victims directly via a mobile-friendly interface.\u00a0<\/p>\n<p>\u201cThe integration of AI chat automation reduces the affiliate workload and ensures negotiations proceed even in the absence of human operators, enabling GLOBAL to scale victim engagement across time zones, languages, and organizational profiles,\u201d the Picus Security researchers wrote.<\/p>\n<h2><strong>GLOBAL\u2019s Techniques, Tactics and Procedures <\/strong><\/h2>\n<p>The majority of GLOBAL\u2019s techniques, tactics, and procedures (TTPs) are borrowed from Mamona RIP, Black Lock and LockBit.<\/p>\n<p>The emerging ransomware group employs a cross-platform Golang-based payload, leveraging Go\u2019s static linking and concurrency features to maximize encryption speed across Windows, Linux and macOS systems. 
This aligns with modern ransomware trends, where attackers favor Go for its efficiency in large-scale encryption.<\/p>\n<p>A key tactic is the reuse of a mutex string (GlobalFxo16jmdgujs437) previously seen in Mamona RIP, suggesting code inheritance rather than simple repackaging. This mutex ensures single-instance execution, preventing multiple ransomware processes from running simultaneously.<\/p>\n<p>Additionally, the group uses ChaCha20-Poly1305 encryption, a modern algorithm that provides both confidentiality and integrity, similar to Black Lock and LockBit, which also favor strong encryption schemes to deter recovery efforts.<\/p>\n<p>The ransom note is hardcoded into the binary and written to disk as README.txt, containing coercive language and a proof-of-decryption mechanism to build trust. This mirrors Mamona RIP\u2019s approach, where psychological pressure is combined with technical validation.<\/p>\n<p>Notably, the group\u2019s frontend API exposure reveals operational security failures, such as leaking backend SSH credentials and real IP addresses (e.g., 193.19.119[.]4), tying them to Russian VPS provider IpServer, the same infrastructure linked to Mamona. 
This suggests a shared development lineage or at least overlapping operational practices between the two groups.<\/p>\n<p>The GLOBAL ransomware builder is a RaaS platform with a customizable payload generator, allowing affiliates to configure encryption percentages, file extensions and additional malicious behaviors (e.g., process killing, log deletion, and self-deletion).<\/p>\n<p>This modular approach, where features are dynamically included at compile time, helps evade detection, a tactic also seen in LockBit\u2019s builder.<\/p>\n<p>The ability to target ESXi, BSD and NAS appliances further expands its reach, similar to Black Lock\u2019s focus on hybrid environments.<\/p>\n<p>The use of goroutines for concurrent encryption and filename encryption to hinder recovery efforts are additional refinements that enhance its effectiveness, borrowing elements from both Mamona RIP and LockBit in terms of execution efficiency and evasion techniques.<\/p>\n<h2><strong>Detection, Mitigation and Response Strategies Against GLOBAL<\/strong><\/h2>\n<p>In their report, the Picus Security researchers shared a comprehensive list of strategies and measures security teams can implement to detect, mitigate and respond to the GLOBAL ransomware threat. 
These include:<\/p>\n<ul>\n<li><strong>Detecting multithreaded ChaCha20-Poly1305 encryption<\/strong> by monitoring abnormal CPU\/memory spikes and cryptographic API calls in Golang-based processes<\/li>\n<li><strong>Identifying ransomware activity<\/strong> by tracking custom file extensions and encrypted filenames through file access monitoring and anomaly detection<\/li>\n<li><strong>Monitoring for abuse of native utilities<\/strong> such as wevtutil, vssadmin, and net use, which attackers use for log tampering, shadow copy deletion and lateral movement<\/li>\n<li><strong>Tracking unauthorized SSH access<\/strong> to cloud infrastructure, particularly from unusual geolocations or known malicious IPs linked to ransomware operations<\/li>\n<li><strong>Detecting session hijacking and credential replay attacks<\/strong> by analyzing authentication anomalies in OWA (Outlook Web Access) and RDWeb (Remote Desktop Web Access)<\/li>\n<li><strong>Conducting behavioral analysis<\/strong> to identify rare mutex strings (e.g. 
GlobalFxo16jmdgujs437), which may indicate single-instance ransomware execution<\/li>\n<li><strong>Correlating lateral movement patterns<\/strong> originating from non-domain-joined endpoints, a common sign of initial access or privilege escalation<\/li>\n<li><strong>Analyzing service-level telemetry<\/strong> for suspicious process chains (e.g., OpenProcess \u2192 TerminateProcess) and credential reuse across different protocols<\/li>\n<li><strong>Simulating GLOBAL\u2019s attack techniques<\/strong> using breach and attack simulation (BAS) to validate detection and response capabilities<\/li>\n<li><strong>Assessing security controls<\/strong> to ensure they block real-world attack behaviors, not just static indicators of compromise (IOCs)<\/li>\n<li><strong>Identifying and remediating blind spots<\/strong> caused by misconfigured detection rules or gaps in telemetry coverage<\/li>\n<li><strong>Applying vendor-specific mitigations<\/strong> (e.g., Microsoft Defender, CrowdStrike, SentinelOne) to address validated security gaps<\/li>\n<li><strong>Restricting the execution of Golang binaries<\/strong> in high-risk environments and monitoring for unusual Go-based processes<\/li>\n<li><strong>Enforcing least-privilege access controls<\/strong> to limit ransomware\u2019s ability to encrypt files or delete backups<\/li>\n<li><strong>Disabling unnecessary native utilities<\/strong> (e.g., wevtutil, vssadmin) via Group Policy or application control policies<\/li>\n<li><strong>Monitoring and blocking Tor-based command-and-control (C2) traffic<\/strong> and known ransomware leak site domains (e.g. 
.onion addresses)<\/li>\n<li><strong>Implementing network segmentation<\/strong> to prevent lateral movement from compromised endpoints to critical assets<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A threat actor claiming to have launched a new ransomware-as-a-service (RaaS) venture is leveraging AI chatbots in its negotiation panel to automate communication and apply psychological pressure on victims. In June 2025, a ransomware actor known by the alias $$$ publicly introduced a new RaaS brand, GLOBAL GROUP, on the Russian Anonymous Market Place (RAMP<\/p>\n","protected":false},"author":2,"featured_media":1600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"morenews-large":["http:\/\/ft
365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1599-acbf96f7-9391-4661-a143-8032ac8502f1-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=1599"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1599\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/1600"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=1599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=1599"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=1599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}