FBI Shuts Down Major Ransomware Hub: RAMP Forum

A major hub for ransomware activity on the dark web has been shut down by U.S. authorities. The Russian Anonymous Marketplace (RAMP), a notorious forum where cybercriminals openly discussed and traded ransomware tools, was seized by the FBI. Visitors to the site are now greeted with an official law enforcement banner declaring the seizure, a move confirmed by the redirection of the forum’s domains to servers controlled by the FBI and the Department of Justice. This action represents a significant blow to a central marketplace in the cybercrime ecosystem.

The takedown became apparent on January 28th when threat intelligence analysts noticed RAMP’s websites were offline. In their place was a banner from the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section. The notice features a taunting message, “The Only Place Ransomware Allowed!”, alongside an image of a winking Russian cartoon character named Masha. This directly mocks the forum’s reputation as the sole underground space where ransomware discussions were permitted after other major forums banned them.

RAMP emerged in its current form in 2021, operated by individuals linked to the defunct Babuk ransomware group. It filled a void left when other prominent Russian-language forums like XSS and Exploit, as well as the English-language BreachForums, prohibited ransomware talk. The forum became a primary venue for new and mid-level ransomware groups to promote their services, recruit affiliates, and trade in the tools of cybercrime. One of the key figures behind RAMP was Mikhail Matveev, a Russian national using aliases like Wazawaka, who was arrested in Russia in 2024.

At the time of the seizure, the forum’s administrator was an individual known as ‘Stallman’. Threat intelligence researcher Rebecca Taylor of Sophos noted that Stallman “played a central role in maintaining trust, enforcing rules and managing the platform’s technical operations.” According to experts, RAMP functioned as a high-trust environment and a central discussion hub for ransomware operators, intermediaries, and affiliates, supporting the entire attack chain from initial access to final extortion.

Intelligence firm co-founder Yelisey Bohuslavskiy provided context, suggesting RAMP was created by individuals with ties to Russian security services as a response to the uncontrollable sprawl of the Ransomware-as-a-Service (RaaS) model. He explained that while authorities previously had visibility into organized groups, the affiliate model of RaaS made oversight difficult. RAMP served as a solution, effectively becoming a directory where new groups would identify themselves by posting. This improved visibility for authorities into a wider range of criminal crews and attracted sellers of logs, loaders, and exploits.

The forum’s influence was substantial, hosting activity from many infamous ransomware groups over the years, including LockBit, ALPHV/BlackCat, Conti, and RansomHub. Its closure has sent ripples of concern through underground communities. Following the seizure, administrator Stallman publicly commented on the XSS forum, stating the takedown had “destroyed years of my work” and confirming there were no plans to rebuild the platform. Analysts report this has driven significant chatter, reflecting a heightened sense of uncertainty and a loss of confidence among cybercriminals following this decisive law enforcement action.

(Source: InfoSecurity Magazine)