VPN hacks surge on Russian marketplace where malware coders offered up to $25K a month


Leaked data from the now-seized Russian cybercrime marketplace RAMP suggests that hackers were increasingly turning to compromised VPN systems as a gateway into networks, while some malware developers were offered salaries of up to $25,000 a month.

New analysis of internal records from RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum dismantled by the FBI in January, offers a rare glimpse into how online criminal groups bought and sold access to businesses, recruited specialists, and tracked targets.


Pro-consumer site and research firm Comparitech, which obtained an exclusive copy of the leaked database, said the records span from November 2021 to January 2024 and include user accounts, forum threads, private messages, IP logs, and administrator activity.

The data shows that remote access remained one of the most valuable commodities on the platform. The most common type sold was Remote Desktop Protocol (RDP), which appeared in 59 listings, accounting for 43% of identified offers.

[Image: FBI seizure banner on the RAMP forum] The FBI announced the seizure of the Russian-language cybercriminal forum RAMP in January. Screengrab: Sophos

While VPN access ranked second, with 22 listings (16%), there was a notable shift over time. In early 2022, RDP listings dominated, but by late 2023, VPN access listings had risen sharply, climbing from almost zero throughout 2022 to seven listings in the final quarter of 2023 – matching RDP during the same period.

Researchers said the trend likely reflects cybercriminals rapidly exploiting high-profile vulnerabilities affecting major VPN brands during 2023.

When sellers named the technology they had compromised, Cisco was most frequently mentioned. Fortinet, Citrix, SonicWall, F5 BIG-IP, Pulse Secure, and RDWeb were also repeatedly referenced in listings and buyer requests.
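The access-type and vendor counts above come from classifying free-text forum listings. The script below is an added illustration of how that tallying can be done; it is not Comparitech's code or RAMP data. The listing titles, dates, keyword lists and the "request" markers are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample listings (post date, title). These are invented for the
# example and are not records from the leaked RAMP database.
SAMPLE_LISTINGS = [
    (date(2022, 2, 3), "Selling RDP access, US retail company, domain admin"),
    (date(2022, 3, 14), "RDP + local admin, Canadian bank"),
    (date(2022, 9, 1), "RDWeb access to UK logistics firm"),
    (date(2023, 10, 5), "Cisco VPN access, US government contractor"),
    (date(2023, 11, 12), "Cisco VPN creds, Australian manufacturer"),
    (date(2023, 11, 20), "Fortinet FortiGate SSL VPN, US hospital"),
    (date(2023, 12, 2), "Citrix Gateway VPN, UK university"),
    (date(2023, 12, 9), "Looking for RDP access to US banks"),
]

# Access-type patterns, checked in order so a title mentioning more than one
# technology is counted once, under the first match.
ACCESS_TYPES = [
    ("vpn", re.compile(r"\bvpn\b", re.I)),
    ("rdweb", re.compile(r"\brdweb\b", re.I)),
    ("rdp", re.compile(r"\brdp\b", re.I)),
]

# Vendor keywords (assumed spellings) for the products the article names.
VENDORS = [
    ("cisco", re.compile(r"\bcisco\b", re.I)),
    ("fortinet", re.compile(r"\bforti(net|gate)\b", re.I)),
    ("citrix", re.compile(r"\b(citrix|netscaler)\b", re.I)),
    ("sonicwall", re.compile(r"\bsonicwall\b", re.I)),
    ("f5", re.compile(r"\b(f5|big-?ip)\b", re.I)),
    ("pulse secure", re.compile(r"\bpulse( secure)?\b", re.I)),
]

# Assumed phrasing that marks a buyer request rather than a sale offer.
REQUEST_MARKERS = re.compile(r"^\s*(looking for|wtb|need|buying)\b", re.I)


def classify(title):
    """Return (kind, access_type, vendor) for one listing title.

    kind is 'request' for buyer posts and 'offer' for sales; access_type is
    'other' and vendor is None when no known keyword is present.
    """
    kind = "request" if REQUEST_MARKERS.search(title) else "offer"
    access_type = next((name for name, pat in ACCESS_TYPES if pat.search(title)), "other")
    vendor = next((name for name, pat in VENDORS if pat.search(title)), None)
    return kind, access_type, vendor


def quarter_key(d):
    """Map a date to a label such as '2023Q4' for per-quarter trend counts."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def tally_offers_by_quarter(listings):
    """Count sale offers per access type per quarter; buyer requests are excluded."""
    tally = defaultdict(Counter)
    for posted, title in listings:
        kind, access_type, _ = classify(title)
        if kind == "offer":
            tally[quarter_key(posted)][access_type] += 1
    return dict(tally)


def vendor_mentions(listings):
    """Count vendor names across offers and buyer requests alike."""
    counts = Counter()
    for _, title in listings:
        vendor = classify(title)[2]
        if vendor:
            counts[vendor] += 1
    return counts


if __name__ == "__main__":
    for quarter, counts in sorted(tally_offers_by_quarter(SAMPLE_LISTINGS).items()):
        print(quarter, dict(counts))
    print("vendors:", dict(vendor_mentions(SAMPLE_LISTINGS)))
```

Buyer requests are kept out of the per-quarter offer counts but included in vendor mentions, mirroring the article's distinction between listings and requests; on real data the keyword lists would need to cover transliterated and misspelled product names.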


One seller using the handle “blackod” was said to have posted five separate Cisco VPN access listings for organizations in the US, Australia, Canada, and the UK during November 2023 alone, suggesting large-scale automated exploitation of a well-known flaw.


Another thread names the long-known Pulse Secure flaw (CVE-2019-11510), showing how unpatched legacy vulnerabilities are still generating access for criminals years after their disclosure.

Wanted: Android malware developer

The leaked records also offer a glimpse into an active underground labor market. In RAMP’s freelance section, one November 2022 post offered an Android malware developer between $20,000 and $25,000 per month, promising “fast and big money.”

Across the wider forum, criminals also advertised ransomware-as-a-service schemes, zero-day exploits, illegal copies of commercial penetration-testing tools, and, proving that there’s no honor among thieves, leaked ransomware builders.

The United States was the most targeted location, appearing in 40% of listings where the country was specified. Government bodies, banks, critical infrastructure operators, and retailers were among the sectors named.

Comparitech said that its findings were based on analysis of a leaked copy of RAMP’s backend MySQL database – the forum’s internal records – which gave researchers an unusually detailed look inside a major criminal marketplace before its takedown.

