FBI Shuts Down Major Ransomware Hub, RAMP Forum

Summary
– The FBI has seized the RAMP cybercrime forum, a major platform that openly allowed the promotion of ransomware and other hacking services.
– The seizure banner taunts the forum’s operators and the FBI now likely has access to extensive user data, which could lead to identifications and arrests.
– The forum was launched in 2021 after other Russian-speaking forums banned ransomware promotion due to law enforcement pressure following the Colonial Pipeline attack.
– RAMP was created by a threat actor known as Orange (Mikhail Matveev), who repurposed infrastructure from the Babuk ransomware operation he previously administered.
– Mikhail Matveev was indicted by the U.S. in 2023 for his role in multiple ransomware operations and is on the FBI’s most-wanted list with a $10 million reward for information.
In a significant blow to the global cybercrime ecosystem, the FBI has seized control of the RAMP forum, a major online hub where ransomware operations were openly promoted and coordinated. The takedown removes a key marketplace for threat actors and grants law enforcement access to a trove of potentially incriminating user data, including private messages and IP addresses. Both the forum’s Tor hidden service and its clearnet domain now display an official seizure notice from the U.S. government.
The notice, which appears in place of the forum’s content, states the action was coordinated with the U.S. Attorney’s Office for the Southern District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section. In a pointed move, the seizure banner incorporates RAMP’s own slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!” alongside a winking image of Masha from the Russian cartoon “Masha and the Bear.” The domain’s name servers have been switched to those controlled by the FBI, confirming the legitimacy of the seizure.
This transfer of control means investigators likely now possess extensive records from the forum. For users who practiced poor operational security, this data could lead directly to identification and subsequent arrest. The seizure was confirmed in a post on the XSS hacking forum by an individual using the alias “Stallman,” who claimed to be a former RAMP operator. The post lamented the loss of “years of my work building the freest forum in the world,” while acknowledging the inherent risks of such criminal enterprises.
The RAMP forum emerged in July 2021, created in direct response to established Russian-language hacking forums like Exploit and XSS banning the promotion of ransomware. This policy shift was largely a reaction to international law enforcement pressure following high-profile attacks like the Colonial Pipeline incident. RAMP quickly positioned itself as a sanctuary for ransomware activity, attracting multiple criminal gangs who used it to recruit affiliates, sell network access, and advertise their services.
The forum was founded by a threat actor known as Orange, who also operated under the monikers Wazawaka and BorisElcin. This individual was previously an administrator for the Babuk ransomware operation, which disbanded after an internal dispute over leaking data stolen from the Washington D.C. Metropolitan Police Department. Orange subsequently repurposed Babuk’s old Tor domain to launch RAMP. The forum faced immediate stability issues, including distributed denial-of-service attacks that Orange blamed on former Babuk associates, a claim those individuals denied.
The person behind these aliases was later identified by researchers as Mikhail Matveev, a Russian national. In interviews, Matveev admitted to creating RAMP using Babuk’s infrastructure but claimed the forum was unprofitable and plagued by attacks, leading him to abandon its management. By 2023, Matveev was indicted by the U.S. Department of Justice for his role in several ransomware families, including Babuk, LockBit, and Hive. He is currently on the FBI’s Cyber Most Wanted list, with a reward of up to $10 million offered for information leading to his capture. The shutdown of RAMP represents a critical disruption to the ransomware supply chain, though the persistent threat from the actors who used it remains.
(Source: Bleeping Computer)