The FBI has taken down RAMP, one of the last major forums openly advertising ransomware services, potentially exposing thousands of cybercriminals to law enforcement.
The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations. Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."
This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.
The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan: "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian "Masha and the Bear" kid's cartoon.
While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:
- Name Server: ns1.fbi.seized.gov
- Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information. For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.
The RAMP Cybercrime Forum's Origins
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums. This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.
RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin. Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.
Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered. Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.
Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.
The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev. In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.
Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.
In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure. He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.
Impact on the Cybercrime Ecosystem
The seizure of RAMP represents a significant blow to the ransomware ecosystem, as it was one of the last major forums openly facilitating ransomware operations. The forum served as a marketplace where cybercriminals could advertise their services, recruit affiliates, and conduct business transactions related to ransomware attacks.
For law enforcement, the seizure provides access to potentially valuable intelligence, including user communications, transaction records, and operational details that could help identify and prosecute cybercriminals. The data obtained could also help map out relationships between different ransomware groups and their affiliates.
This operation follows a pattern of successful law enforcement actions against cybercrime forums and infrastructure. Recent examples include the takedown of BreachForums, the disruption of the RedVDS cybercrime virtual desktop service, and actions against various ransomware operations.
What This Means for Cybersecurity
The RAMP seizure demonstrates the ongoing commitment of law enforcement agencies to disrupt cybercrime infrastructure and hold threat actors accountable. It also serves as a reminder that even sophisticated cybercriminals who believe they operate with impunity can be identified and prosecuted.
For organizations concerned about ransomware threats, this operation highlights the importance of maintaining robust cybersecurity defenses, including regular backups, employee training, and prompt patching of vulnerabilities. While law enforcement actions can disrupt criminal operations, organizations must remain vigilant as new forums and platforms may emerge to fill the void left by RAMP's takedown.
The seizure also underscores the value of international cooperation in combating cybercrime, as these operations often involve coordination between multiple agencies across different jurisdictions.
Comments
Please log in or register to join the discussion