**RAMP Ransomware Forum Goes Dark in Probable FBI Sting**

One of the most significant players in the underground cyber criminal ecosystem has gone dark. The Russian-speaking RAMP (Russian Anonymous Marketplace) cyber crime forum, which boasted several thousand members and an estimated $250,000 in annual revenues, has been taken offline by what appears to be a major action by the US authorities.

Both RAMP's dark and public websites have been replaced with seizure notices stating that the action was taken under the auspices of the FBI, the US Attorney's Office for the Southern District of Florida, and the Department of Justice's (DoJ's) Computer Crime and Intellectual Property Section. While it's not uncommon for cyber criminals to fake takedowns as a form of theatrics or to start anew with a "clean" slate, initial reports suggest that the seizure is legitimate, with DNS records showing RAMP's web domains now pointing to FBI infrastructure.

The alleged operator of RAMP, known by the handle Stallman, has confirmed the forum's demise in a post on the XSS hacking forum. In a translated statement from Russian, Stallman wrote: "Although I hoped that this day would never come, deep down I always understood that it was possible. This is the risk we all take." The operator noted that the takedown had "destroyed years of my work" and that they had been aware of the potential for a sting operation.

RAMP, which emerged around 2021, operated as both a discussion forum and an underground marketplace. It offered ransomware kits, malware, and a library of guides and tutorials for newbies, all accessible only after meeting minimum activity levels and paying access fees. At its height, the forum was considered a "critical resource" for threat actors by analysts at Rapid7, who described it as a hub for ransomware vendors and affiliates.

According to Daniel Wilcock, a threat intelligence analyst at Talion, the takedown is a significant win for law enforcement. However, he notes that RAMP's denizens are likely to turn to alternative platforms, limiting the long-term impact on the wider criminal ecosystem.

"But all is not lost," Wilcock said. "While this doesn't signal the end of ransomware, law enforcement will be able to gain valuable information from the seizure around the threat actors using the services, such as their emails and IP addresses plus access to the financial transactions that took place on the market." He added that this could support further law enforcement action against the threat actors who used RAMP.

Yelisey Bohuslavskiy, a partner at threat intel specialist RedSense, provided more insight into RAMP's backstory and its ties to Russian security services. In a LinkedIn post, he revealed that RAMP was set up as part of a response to the rapid growth of ransomware-as-a-service (RaaS) in 2020 and 2021. This period saw the emergence of new affiliates and small-time cyber crooks, making it harder for the Russians to keep tabs on the scene.

Bohuslavskiy noted that RAMP's strategy had paid off in spades by incentivizing these new actors to make themselves visible to the authorities. However, he predicted that the takedown would be highly disruptive to the ransomware market in the short term, as lower-level actors lose access and publicity, while access brokers and vendors of loaders and other hacking tools also see their cashflow disrupted.

For the remaining big-name gangs, however, Bohuslavskiy said not much would change. He added that Russian security services will lose some visibility into ransomware processes and sellers. Predictably, he also forecast that Stallman – whoever they may be – will likely be arrested soon, as they are now a wasted asset.

The takedown of RAMP is just the latest development in a series of law enforcement actions targeting cyber crime forums and marketplaces. As analysts continue to monitor the situation, one thing remains clear: the cat-and-mouse game between threat actors and law enforcement is far from over.