
Cybercriminals are already beginning to scatter across alternative platforms following the FBI seizure of RAMP, a long-running underground forum used by ransomware-as-a-service gangs, extortionists, and initial access brokers.
While the FBI has not yet issued a statement, the takedown became apparent on Wednesday when cyber threat intelligence analysts noticed that both RAMP’s clear web and Tor-based sites had gone offline and were replaced with law enforcement notices.
Its websites now display a notice stating: "This Site Has Been Seized," attributing the action to the FBI, in coordination with the US Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.
DNS records also indicate that the domain has been seized.
The seizure notice appears to mock the forum's identity, declaring: "The Only Place Ransomware Allowed!" alongside an image of Masha – a preschool character from the Russian animated TV series – winking.
The forum’s alleged operator, known as “Stallman,” appears to have acknowledged the takedown. In a post on the XSS hacking forum that was shared widely on social media, Stallman said law enforcement had gained control of RAMP.
They stated that they would not create a new forum, but would “continue to buy access,” adding that their core business remains unchanged.
History of RAMP
Created in 2012, RAMP, short for Russian Anonymous Marketplace, is a site operating on the Tor network that rose to prominence in 2021 and was operated by people linked to the now-defunct Babuk ransomware group.
The forum in its current guise was born after XSS and Exploit, the two main dark web forums in the Russian cybercrime landscape, as well as the English-speaking BreachForums, banned ransomware discussions.
It is now considered one of only a handful of forums that allow ransomware groups to participate.
No honor among thieves
There has been speculation that Stallman and others involved in the forum may have been actively helping the FBI. According to Rebecca Taylor, threat intelligence knowledge manager & researcher at Sophos, Stallman’s statement had drawn mixed reactions.
"Their post has been met by mixed responses, including praise for their efforts, as well as blame and even accusations that Stallman was involved in the takedown in some way. This remains speculatory."
Rebecca Taylor, threat intelligence researcher, Sophos
Additionally, Taylor adds, since the seizure, a persona called “Tor Zireael” has come forward, sharing what they claim to be the admin panel and user list of the RAMP forum.
This, alongside the RAMP takedown, has caused further mistrust, fear, and uncertainty amongst threat actors.
Short-lived victory, constant game of whack-a-mole
RAMP’s closure removes a key hub used by threat groups such as Nova, Radiant, GOLD MYSTIC (LockBit), GOLD FLAME (DragonForce), and GOLD FEATHER (Qilin). However, any victory by law enforcement is short-lived as they play a constant game of whack-a-mole.
CTU researchers note that while past disruptions of groups such as Emotet, along with site takedowns like those affecting BreachForums and XSS, have temporarily disrupted activity, threat actors have historically migrated quickly to alternative forums, channels, and infrastructure rather than dismantling their operations entirely.
Nonetheless, Danny Jenkins, CEO at zero trust security firm ThreatLocker, observes that, much like Silk Road served as an entry point for aspiring criminals on the dark web, RAMP was well known enough that aspiring cybercriminals viewed the services offered there as a reliable starting point.
“Shutting down sites like RAMP is often described as a game of whack-a-mole, but taking a platform like this offline does slow cybercriminal growth and creates a real barrier for newer entrants into cybercrime.”
Danny Jenkins, CEO, ThreatLocker
Jenkins adds that, while it's possible that some groups will attempt to launch their own forums, it’s not something that happens quickly or easily.
“RAMP took years to grow and reach the level of prominence it ultimately achieved,” he notes.
Affiliates and service providers are likely to migrate quickly to alternative forums or encrypted messaging platforms such as Telegram, favored by key ransomware operators such as Scattered Lapsu$ Hunters.
For now, the most immediate effect of this takedown is psychological rather than operational – a collapse in trust in shared forums and a fear that even long-standing criminal platforms can disappear overnight.