U.S. Law Enforcement Takes Down Russian Ransomware Forum – DataBreaches.Net

Authorities have seized RAMP, also known as the Russian Anonymous Marketplace. Earlier today, the U.S. Attorney’s Office for the Southern District of Florida, working with the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS), took down both the clearnet and .onion sites associated with RAMP.

Since its launch in 2021, RAMP has served as a central hub for Russian-speaking ransomware operators, initial access brokers, and affiliates. It filled the gap left when established forums such as XSS[.]is and Exploit[.]in banned ransomware-related advertisements, a move those forums made as law enforcement scrutiny of groups such as REvil and DarkSide intensified.

RAMP quickly became the primary forum for several active ransomware gangs and the go-to marketplace for the access, tooling, and recruitment that feed their operations. SOCRadar has documented the platform’s evolution, and BleepingComputer provides further context on the forum’s history and significance.

A WHOIS lookup of ramp4u[.]io, RAMP’s clearnet address, shows that the domain was last updated on January 28 and that its nameservers now point to the FBI’s seizure servers, ns1.fbi.seized.gov and ns2.fbi.seized.gov. The seizure banner also takes a jab at the forum’s own motto: “The only place ransomware allowed!”
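The nameserver flip described above is the quickest externally observable sign that a domain has been seized, and it is something a threat-intel team can watch for across a list of monitored forum domains. The following is an added example, not code from DataBreaches.net or from any of the parties named here: it parses registrar-style WHOIS text and flags nameservers under the FBI’s seized.gov zone, which is the only seizure nameserver the page names. The WHOIS record embedded in the block is a constructed sample shaped like real output (the page gives only “January 28” as the update date, so the full timestamp is an assumption), not the live ramp4u[.]io record.

```python
"""Flag domains whose WHOIS record shows law-enforcement seizure nameservers.

Added example (not code from the page). SAMPLE_WHOIS below is constructed to
mimic registrar output; it is not the real ramp4u[.]io record.
"""
import re
from typing import Dict, List

# Seizure nameserver suffixes. Only the FBI's seized.gov zone is named on the
# page; add other agencies' zones here only once you have verified them.
SEIZURE_NS_SUFFIXES = (".fbi.seized.gov",)

# Constructed sample WHOIS output. The year/time in Updated Date is assumed;
# the page states only that the domain was last updated on January 28.
SAMPLE_WHOIS = """\
Domain Name: RAMP4U.IO
Updated Date: 2025-01-28T10:15:00Z
Name Server: NS1.FBI.SEIZED.GOV
Name Server: NS2.FBI.SEIZED.GOV
Domain Status: clientHold https://icann.org/epp#clientHold
"""

# Constructed control record with ordinary nameservers (hypothetical domain).
SAMPLE_WHOIS_CLEAN = """\
Domain Name: EXAMPLE-FORUM.TEST
Updated Date: 2025-01-10T08:00:00Z
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
"""

_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict of lists, keys lower-cased.

    Repeated keys (e.g. several 'Name Server' lines) accumulate in order.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue  # comments, blank lines, '>>> Last update' footers
        key = m.group(1).strip().lower()
        fields.setdefault(key, []).append(m.group(2))
    return fields


def _norm_ns(ns: str) -> str:
    """Lower-case a nameserver and drop any trailing dot (FQDN form)."""
    return ns.strip().lower().rstrip(".")


def seizure_nameservers(fields: Dict[str, List[str]]) -> List[str]:
    """Return the record's nameservers that fall under a known seizure zone."""
    return [
        _norm_ns(ns)
        for ns in fields.get("name server", [])
        if _norm_ns(ns).endswith(SEIZURE_NS_SUFFIXES)
    ]


def assess(text: str) -> dict:
    """Summarise a WHOIS record: domain, update date, nameservers, seizure flag."""
    fields = parse_whois(text)
    seized = seizure_nameservers(fields)
    return {
        "domain": (fields.get("domain name") or [""])[0].lower(),
        "updated": (fields.get("updated date") or [""])[0],
        "nameservers": [_norm_ns(ns) for ns in fields.get("name server", [])],
        "seized": bool(seized),
        "seizure_ns": seized,
    }


if __name__ == "__main__":
    for record in (SAMPLE_WHOIS, SAMPLE_WHOIS_CLEAN):
        print(assess(record))
```

In practice, feed `assess()` the output of `whois <domain>` (or the RDAP JSON equivalent, which would need a different parser) on a schedule and alert when `seized` flips from False to True; a registrar status of clientHold on the same record, as in the constructed sample, is a second corroborating signal.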

In a post on XSS after the seizure, a user identified as “Stallman,” widely believed to be RAMP’s administrator, acknowledged the law enforcement action that dismantled a community he had built over several years. His message, translated into English, reads in part:

“I regret to inform you that law enforcement has seized control of the Ramp forum. This event has destroyed years of my work building the freest forum in the world…”

Stallman said he would not build a new forum, but he indicated that he would continue buying access, the kind of trade RAMP had existed to facilitate. RAMP had charged new members a registration fee, initially set at $500.

The seizure targets the ransomware economy’s infrastructure rather than any single gang: RAMP was where operators recruited affiliates and where initial access was advertised and bought. The intrusions that ecosystem produced follow the familiar MITRE ATT&CK sequence of initial access (often phishing, or access purchased from a broker), persistence to keep a foothold in the compromised network, and data exfiltration ahead of encryption so that stolen data can be used for extortion.

At this time, the Department of Justice has not issued an official press release regarding the takedown, nor have they responded to inquiries for further clarification on the seizure operation.
