FBI Seizes RAMP, a Key Cybercrime Forum Used by Ransomware Gangs

29.01.2026 2 minutes Author: Newsman

Law enforcement has taken down the RAMP cybercrime forum, an open marketplace that cybercrime groups used to sell their ransomware products, recruit affiliates to help spread ransomware, and buy and sell access to victim networks. RAMP was one of only two forums that still allowed ransomware to be advertised openly.

The FBI has taken complete control of the RAMP forum's Tor service and its clearnet domain (ramp4u[.]io). Both are displaying a "seizure" banner, which indicates coordination between the FBI, the U.S. Department of Justice and the Southern District of Florida to take down the site. The RAMP forum's DNS records were updated with a reference to fbi.seized.gov, showing that law enforcement now controls all the infrastructure associated with the site.

RAMP was created in 2021 after some large Russian-language hacking forums began to ban ransomware advertising under pressure from Western governments. It became the focal point of ransomware operations, as it provided sales of network access, exploit distribution, affiliate recruiting, and targeted services against victims in Ukraine, the U.S., and Europe.

It appears that RAMP was operated by a threat actor known as Orange, who also used the aliases Wazawaka and BorisElcin and had ties to the Babuk ransomware group. Orange was later publicly identified as Mikhail Matveev, a Russian citizen who was charged by the U.S. Department of Justice in 2023 for his involvement in several ransomware campaigns. The U.S. Department of State is offering a $10 million bounty for information that leads to his arrest.

Law enforcement will likely gain access to all of the user data on RAMP, including email addresses, IP logs, private messages, etc. This could expose many of the site's users who did not practice proper operational security.

This is a significant blow to the ransomware ecosystem; however, it also shows how quickly cybercrime communities can create new sites to replace ones that are being shut down. Organizations should continue to monitor the dark web, keep software patched, and use proactive threat detection to minimize their risk of experiencing a ransomware attack.
