RAMP ransomware forum goes dark in probable FBI sting


The Russian-speaking RAMP cyber crime forum – one of the most significant players in the underground cyber criminal ecosystem – has gone dark following what appears to be major action by the US authorities.

Although at the time of writing, no official announcement has been made by the Americans, within the past 24 hours both RAMP’s dark and public web sites have been replaced with seizure notices stating the action was taken under the auspices of the FBI, the US Attorney’s Office for the Southern District of Florida, and the Department of Justice’s (DoJ’s) Computer Crime and Intellectual Property Section.

It is not unheard of for cyber criminals to fake takedowns, often amid juvenile theatrics, to start over with a ‘clean’ slate, but initial reports appear to verify the authenticity of the takedown, with DNS records showing RAMP’s web domains now point to FBI infrastructure.

The alleged operator of RAMP, a hacker going by the handle Stallman, who according to Recorded Future took over its operations about four years ago, also stated the forum was no more.

In a post on the XSS hacking forum, translated from the original Russian, Stallman said the takedown had “destroyed years of my work”.

“Although I hoped that this day would never come, deep down I always understood that it was possible. This is the risk we all take,” they wrote.

Set up around 2021, RAMP operated as both a discussion forum and an underground marketplace, offering ransomware kits and malware alongside a library of ransomware guides and tutorials for newbies.

Access to the forum was tightly restricted, with minimum activity levels required and access and registration fees payable, but at its height it still boasted several thousand members, according to a summer 2024 analysis by Rapid7, which described the RAMP community as a “critical resource” for threat actors. At the time, it supposedly had revenues of about $250,000.

Limited long-term impact

Daniel Wilcock, threat intelligence analyst at Talion, described the takedown as a big win for the good guys. However, he said, RAMP’s denizens are likely to turn to alternatives, so the long-term impact on the wider criminal ecosystem will be limited.

“But all is not lost,” he said. “While this doesn’t signal the end of ransomware, law enforcement will be able to gain valuable information from the seizure around the threat actors using the services, such as their emails and IP addresses plus access to the financial transactions that took place on the market.

“This could support further law enforcement action against the threat actors that used the site, but given that RAMP was heavily used by Russian criminals it’s highly unlikely we will see many actual arrests.”

A blow to Russian intel?

Writing on LinkedIn, Yelisey Bohuslavskiy, a partner at threat intel specialist RedSense, laid out more of RAMP’s backstory and some of the more nuanced lore surrounding the forum.

He said it was an open secret that RAMP had close ties to individuals closely affiliated with the Russian security services and was set up as part of a response to the rapid growth of the ransomware-as-a-service (RaaS) model in 2020 and 2021.

This was a period during which rapid diversification and the emergence of new ransomware affiliates made it harder for the Russians to keep tabs on what was going on, compared with the years immediately prior, when the scene was dominated by organised big-name gangs such as Conti, REvil and so on.

Bohuslavskiy said this strategy had paid off in spades because RAMP incentivised these new affiliates and small-time cyber crooks to make themselves visible to the authorities.

He said that in the short term, the takedown would indeed prove highly disruptive to the ransomware market: lower-level actors would lose both access and publicity, while the access brokers and vendors of loaders and other hacking tools who also frequented RAMP would see their cashflow disrupted. For the remaining big-name gangs, however, not much would change.

But, added Bohuslavskiy: “Russian security services… will lose some visibility into ransomware processes and sellers.”

He also predicted that Stallman – whoever they may be – will probably be arrested soon as they are now a wasted asset.
