AI-Powered Chatbot Amplifies Coercion Tactics by Ransomware Gang Towards Afflicted Targets

GLOBAL GROUP, a reformed conglomerate of various ransomware families, has integrated an AI chatbot into its negotiation process, a novel development that sets it apart.

In a troubling development, a new global ransomware group emerged on the Russian Anonymous Market Place (RAMP) cybercrime forum in June 2025. Known as the Global Ransomware Group, this organisation has made a significant impact with its cross-platform capabilities and innovative tactics.

Cross-Platform Capabilities and Advanced Encryption

The Global Ransomware Group employs a unique cross-platform Golang-based payload, built for encryption speed, that runs on Windows, Linux, and macOS systems. This versatility allows the group to target a wide range of victims, expanding its reach. In addition, the group uses ChaCha20-Poly1305, a modern authenticated-encryption algorithm that provides both confidentiality and integrity, further complicating recovery efforts.

Dual-Portal Model and AI-Powered Chatbot

The Global Ransomware Group operates through a dual-portal model, directing victims to a Tor-based data leak site and a separate negotiation panel. This compartmentalised backend mirrors the approach of LockBit. The group also uses an AI-powered chatbot within the negotiation panel to automate victim communication and escalate ransom demands. This technology was integrated by the group itself, making it a pioneer in the field of AI-supported ransomware negotiation.

Single-Instance Execution and Operational Security Failures

The group uses a mutex string (Global\Fxo16jmdgujs437) for single-instance execution, similar to Mamona RIP. However, operational security failures have been observed, such as leaking backend SSH credentials and real IP addresses, like 193.19.119[.]4. These oversights provide valuable intelligence for security teams.

Double-Extortion Approach and Negotiation Panel Features

The Global Ransomware Group employs a double-extortion approach, using both data encryption and the threat of data publication to extort money from victims. The negotiation panel features prompts for uploading encrypted files for free decryption verification and secure communication. Correspondence on the panel takes place over a secure channel and includes a timer to reinforce urgency.

Ransomware Builder and Affiliate Structure

The Global Ransomware Group operates as a Ransomware-as-a-Service (RaaS) platform, with a customisable payload generator for affiliates. Affiliates have access to the negotiation panel to monitor negotiations, set ransom windows, and interact with victims directly. The payload uses goroutines to encrypt files concurrently and also encrypts filenames; both hinder recovery efforts, further benefiting the group.

Demands and Impact

Demands made by the Global Ransomware Group via the AI chatbot can reach seven-figure sums in Bitcoin. The integration of AI technology in the negotiation process has reduced the workload for affiliates and enabled negotiations to proceed even in the absence of human operators. The impact of this new threat is significant, and security teams must stay vigilant to detect, mitigate, and respond to the Global Ransomware Group threat.

To detect and respond to this threat, security teams should monitor for multithreaded ChaCha20-Poly1305 encryption, custom file extensions, and encrypted filenames, among other strategies. By staying informed and prepared, organisations can protect themselves against the Global Ransomware Group and similar threats.
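
The filename and extension signals named above can be turned into a simple burst detector. The following is an added example, not code from the original article or from any vendor: it flags a process that renames many files to random-looking names sharing one new extension within a short window. The event format, the ".lockd" extension, the paths and the thresholds are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed file-rename telemetry: (epoch_seconds, pid, old_path, new_path).
# Every path, PID and the ".lockd" extension is invented for this example.
EVENTS = [
    (100.0, 4242, "/srv/share/q3-report.docx", "/srv/share/kR7vQ2xZp9LmT4aY.lockd"),
    (100.4, 4242, "/srv/share/payroll.xlsx", "/srv/share/Hd83JsPq0ZxWv5Nt.lockd"),
    (101.1, 4242, "/srv/share/notes.txt", "/srv/share/b6YuE1oKc9RfGm2X.lockd"),
    (101.9, 4242, "/srv/share/plan.pdf", "/srv/share/Tz4LpW7aQe0VnS3j.lockd"),
    (102.3, 4242, "/srv/share/db.sqlite", "/srv/share/M1xCg8DyUo5HrB2k.lockd"),
    (101.0, 900, "/var/log/app.log", "/var/log/app.log.1"),          # log rotation
    (101.5, 1200, "/home/a/draft.txt", "/home/a/final.txt"),         # user rename
    (102.0, 1300, "/tmp/upload.part", "/tmp/9f3c1e7a2b4d6f80.bin"),  # lone temp file
]

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def suspicious_rename(old_path, new_path, min_entropy=3.8, min_len=12):
    """True when a rename swaps the extension and leaves a random-looking stem."""
    old, new = PurePosixPath(old_path), PurePosixPath(new_path)
    return (new.suffix != old.suffix and new.stem != old.stem
            and len(new.stem) >= min_len
            and shannon_entropy(new.stem) >= min_entropy)

def detect_bursts(events, window=10.0, threshold=4):
    """Map pid -> extension for processes that make at least `threshold`
    suspicious renames to one shared extension within `window` seconds."""
    stamps_by_key = defaultdict(list)
    for ts, pid, old, new in sorted(events):
        if suspicious_rename(old, new):
            stamps_by_key[(pid, PurePosixPath(new).suffix)].append(ts)
    alerts = {}
    for (pid, ext), stamps in stamps_by_key.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[pid] = ext
                break
    return alerts

if __name__ == "__main__":
    print(detect_bursts(EVENTS))
```

The lone temp-file rename looks random on its own but stays below the burst threshold, which is why the detector counts per process and per extension rather than alerting on a single high-entropy name.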
