Ransomware Hackers Now Use AI Chatbots to Extort Victims

Summary
– A ransomware group called GLOBAL GROUP, introduced in June 2025, leverages AI chatbots in its negotiation panel to automate victim communication and apply psychological pressure.
– Researchers found that GLOBAL GROUP is a rebranding of the Mamona RIP and Black Lock ransomware families, sharing their capabilities and adding few new features.
– The group uses a dual-portal model for data leaks and negotiations, featuring an AI chatbot to handle initial interactions and escalate ransom demands.
– GLOBAL employs techniques borrowed from Mamona RIP, Black Lock, and LockBit, including Golang-based payloads and ChaCha20-Poly1305 encryption for cross-platform attacks.
– Security teams can implement detection and mitigation strategies against GLOBAL, as outlined by Picus Security researchers in their report.
Cybercriminals are increasingly turning to AI-powered chatbots to streamline ransomware negotiations, applying psychological pressure on victims while scaling their attacks globally. A newly identified ransomware group, operating under the name GLOBAL GROUP, has integrated automated chat systems into its extortion process, marking a troubling evolution in digital extortion tactics.
First spotted on underground forums in mid-2025, this group has adopted a ransomware-as-a-service (RaaS) model, allowing affiliates to deploy attacks while the core team manages infrastructure. Security analysts at Picus Security traced its origins, uncovering strong ties to older ransomware strains like Mamona RIP and Black Lock, suggesting a rebrand rather than a completely new operation.
What sets GLOBAL apart is its AI-driven negotiation panel, designed to engage victims immediately after encryption. The system mimics human interaction, using timed responses and escalating threats to coerce payments. Victims accessing the Tor-based portal encounter a chatbot that demands proof-of-payment verification while displaying a countdown clock, a tactic meant to heighten urgency. Researchers observed ransom demands exceeding $1 million in Bitcoin, with threats to leak stolen data if deadlines pass.
The ransomware itself borrows heavily from known malware families, employing Golang-based payloads for cross-platform attacks. It uses ChaCha20-Poly1305 encryption, a robust algorithm that complicates decryption efforts. Like its predecessors, GLOBAL incorporates mutex strings to prevent multiple instances and hardcodes ransom notes into its binaries.
Despite its sophistication, operational security lapses have exposed the group’s infrastructure. Leaked SSH credentials and real IP addresses link GLOBAL to Russian hosting services previously associated with Mamona RIP. The group’s RaaS builder tool also mirrors LockBit’s modular design, letting affiliates customize encryption settings and target diverse systems, including ESXi servers and network-attached storage (NAS) devices.
To defend against such threats, experts recommend enhanced endpoint monitoring, network segmentation, and regular backups. Behavioral detection tools can identify ransomware patterns, while immutable backups ensure recovery options remain intact. Security teams should also scrutinize unusual API requests and monitor for signs of lateral movement in hybrid environments.
As ransomware groups refine their methods, the integration of AI chatbots signals a shift toward automation in cybercrime. Organizations must stay ahead by adopting proactive defense strategies and fostering rapid incident response capabilities to mitigate these evolving risks.
(Source: Info Security)