FBI takes notorious RAMP ransomware forum offline

Graham CLULEY

January 31, 2026

The FBI has seized control of RAMP, a notorious online cybercrime forum that bragged of being "the only place ransomware allowed."

Both the forum's dark web site and its regular website domain now display a notice from the FBI announcing that it has been taken over by the law enforcement agency.

According to the message posted on the seized websites, it was seized by the FBI in collaboration with the US Attorney’s Office for the Southern District of Florida and the US Justice Department’s Computer Crime and Intellectual Property Section (CCIPS).

The seizure banner comes complete with a cheeky addition - a winking Masha from the popular Russian children's TV cartoon series "Masha and the Bear."

Sure enough, RAMP's nameservers now point to ns1.fbi.seized.gov and ns2.fbi.seized.gov, confirming they have been seized by US law enforcement.

RAMP - the Russian Anonymous MarketPlace - first emerged in mid-2021. It quickly became popular, filling a void in the cybercriminal ecosystem, after other major Russian-language hacking forums banned ransomware-related content following pressure in the aftermath of the Colonial Pipeline attack by the DarkSide gang.

RAMP served as a marketplace where ransomware operators could recruit affiliates, where initial access brokers could sell credentials for compromised business networks, and where cybercriminals could trade their stolen data and tools.

Many infamous ransomware groups, such as ALPHV/BlackCat, Qilin, DragonForce, and RansomHub, would use the RAMP platform to promote their operations.

The site was certainly popular, boasting in excess of 14,000 users even though it requested evidence of two months' activity on other hacking forums or a US $500 fee to join.

Things started to go badly wrong for RAMP, however, when one of the individuals behind the forum was named as Russian national Mikhail Matveev (also known as "Orange", "Wazawaka", and "BorisElcin"). Matveev was listed on the FBI's most wanted list, and was subsequently (and unusually) arrested in Russia in 2024.

Following the seizure of RAMP, another of the forum's alleged operators confirmed the takedown in a posting on another hacking forum.

"This event destroyed years of my work to create the most free forum in the world, and although I hoped this day would never come, deep down I always understood that it was possible," wrote "Stallman". "This is the risk we all take."

As Flare reports, "Stallman" has indicated that the cybercriminal activity conducted through RAMP would continue through other channels.

A seizure like this is not going to eliminate ransomware overnight, but it does represent a meaningful disruption of cybercriminal infrastructure, as hackers will be forced to migrate their activities, and will be presented with new challenges related to their operational security and who they can trust.

After all, the seizure of RAMP suggests that the authorities now have access to the site's user data - which is likely to include email and IP addresses, private messages, and more, which could lead to arrests in the coming months.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
