Source: www.infosecurity-magazine.com – Author:
A threat actor claiming to have launched a new ransomware-as-a-service (RaaS) venture is leveraging AI chatbots in its negotiation panel to automate communication and apply psychological pressure on victims.
In June 2025, a ransomware actor known by the alias $$$ publicly introduced a new RaaS brand, GLOBAL GROUP, on the Russian Anonymous Market Place (RAMP or Ramp4u) cybercrime forum.
Researchers at Picus Security promptly conducted a forensic investigation across malware samples, infrastructure configuration and control logic, which included analyzing leaked API metadata, reverse-engineered binary code and threat actor behavior.
They concluded that GLOBAL GROUP had very few new features but instead included capabilities found in the Mamona RIP and Black Lock ransomware families.
In a July 21 report, Picus Security assessed that GLOBAL GROUP was a rebranding of these two groups.
“At every layer, payload, delivery, control, and operation, GLOBAL reveals continuity and maturity more than innovation,” the researchers wrote.
Negotiation Panel Equipped with an AI Chatbot
However, one innovation the GLOBAL group has introduced is the use of an AI chatbot to kick off the negotiation process.
The ransomware group offers a dual-portal model, directing victims to a Tor-based data leak site and a separate negotiation panel – a structure reminiscent of LockBit’s compartmentalized backend, suggesting that GLOBAL employs a double-extortion approach.
Once on the negotiation panel, the victim is greeted by an AI-powered chatbot designed to automate communication and apply psychological pressure.
The panel is designed for non-technical users, featuring prompts to upload a sample encrypted file for free decryption verification. All correspondence takes place over a secure channel, with a timer displayed to reinforce the urgency.
Chat transcripts reviewed by analysts show demands reaching seven-figure sums, such as BTC9.5 ($1m at the time the negotiation process occurred), with escalating threats of data publication.
GLOBAL’s affiliates have access to this panel in order to monitor negotiations, set ransom windows and even interact with victims directly via a mobile-friendly interface.
“The integration of AI chat automation reduces the affiliate workload and ensures negotiations proceed even in the absence of human operators, enabling GLOBAL to scale victim engagement across time zones, languages, and organizational profiles,” the Picus Security researchers wrote.
GLOBAL’s Techniques, Tactics and Procedures
The majority of GLOBAL’s techniques, tactics, and procedures (TTPs) are borrowed from Mamona RIP, Black Lock and LockBit.
The emerging ransomware group employs a cross-platform Golang-based payload, leveraging Go’s static linking and concurrency features to maximize encryption speed across Windows, Linux and macOS systems. This aligns with modern ransomware trends, where attackers favor Go for its efficiency in large-scale encryption.
A key tactic is the reuse of a mutex string (GlobalFxo16jmdgujs437) previously seen in Mamona RIP, suggesting code inheritance rather than simple repackaging. This mutex ensures single-instance execution, preventing multiple ransomware processes from running simultaneously.
Additionally, the group uses ChaCha20-Poly1305 encryption, a modern algorithm that provides both confidentiality and integrity, similar to Black Lock and LockBit, which also favor strong encryption schemes to deter recovery efforts.
The ransom note is hardcoded into the binary and written to disk as README.txt, containing coercive language and a proof-of-decryption mechanism to build trust. This mirrors Mamona RIP’s approach, where psychological pressure is combined with technical validation.
Notably, the group’s frontend API exposure reveals operational security failures, such as leaking backend SSH credentials and real IP addresses (e.g., 193.19.119[.]4), tying them to Russian VPS provider IpServer, the same infrastructure linked to Mamona. This suggests a shared development lineage or at least overlapping operational practices between the two groups.
The GLOBAL ransomware builder is a RaaS platform with a customizable payload generator, allowing affiliates to configure encryption percentages, file extensions and additional malicious behaviors (e.g., process killing, log deletion, and self-deletion).
This modular approach, where features are dynamically included at compile time, helps evade detection, a tactic also seen in LockBit’s builder.
The ability to target ESXi, BSD and NAS appliances further expands its reach, similar to Black Lock’s focus on hybrid environments.
The use of goroutines for concurrent encryption and filename encryption to hinder recovery efforts are additional refinements that enhance its effectiveness, borrowing elements from both Mamona RIP and LockBit in terms of execution efficiency and evasion techniques.
Detection, Mitigation and Response Strategies Against GLOBAL
In their report, the Picus Security researchers shared a comprehensive list of strategies and measures security teams can implement to detect, mitigate and respond to the GLOBAL ransomware threat. These include:
- Detecting multithreaded ChaCha20-Poly1305 encryption by monitoring abnormal CPU/memory spikes and cryptographic API calls in Golang-based processes
- Identifying ransomware activity by tracking custom file extensions and encrypted filenames through file access monitoring and anomaly detection
- Monitoring for abuse of native utilities such as wevtutil, vssadmin, and net use, which attackers use for log tampering, shadow copy deletion and lateral movement
- Tracking unauthorized SSH access to cloud infrastructure, particularly from unusual geolocations or known malicious IPs linked to ransomware operations
- Detecting session hijacking and credential replay attacks by analyzing authentication anomalies in OWA (Outlook Web Access) and RDWeb (Remote Desktop Web Access)
- Conducting behavioral analysis to identify rare mutex strings (e.g. GlobalFxo16jmdgujs437), which may indicate single-instance ransomware execution
- Correlating lateral movement patterns originating from non-domain-joined endpoints, a common sign of initial access or privilege escalation
- Analyzing service-level telemetry for suspicious process chains (e.g., OpenProcess → TerminateProcess) and credential reuse across different protocols
- Simulating GLOBAL’s attack techniques using breach and attack simulation (BAS) to validate detection and response capabilities
- Assessing security controls to ensure they block real-world attack behaviors, not just static indicators of compromise (IOCs)
- Identifying and remediating blind spots caused by misconfigured detection rules or gaps in telemetry coverage
- Applying vendor-specific mitigations (e.g., Microsoft Defender, CrowdStrike, SentinelOne) to address validated security gaps
- Restricting the execution of Golang binaries in high-risk environments and monitoring for unusual Go-based processes
- Enforcing least-privilege access controls to limit ransomware’s ability to encrypt files or delete backups
- Disabling unnecessary native utilities (e.g., wevtutil, vssadmin) via Group Policy or application control policies
- Monitoring and blocking Tor-based command-and-control (C2) traffic and known ransomware leak site domains (e.g. .onion addresses)
- Implementing network segmentation to prevent lateral movement from compromised endpoints to critical assets
Original Post URL: https://www.infosecurity-magazine.com/news/ransomware-ai-chatbot-pressure/