In a bold move that has sent shockwaves through the cybercrime underworld, the FBI has taken down the infamous RAMP cybercrime forum, a notorious hub for ransomware gangs and other malicious actors. But here's where it gets controversial: while many celebrate this as a victory against cybercrime, others argue it may simply drive these activities further underground, making them harder to track. And this is the part most people miss—the takedown could potentially expose a treasure trove of data about the forum's users, but it also raises questions about the effectiveness of such actions in the long term.
The RAMP forum, accessible via both its Tor site and clearnet domain (ramp4u[.]io), now displays a seizure notice that reads, 'The Federal Bureau of Investigation has seized RAMP.' This action was coordinated with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice. Interestingly, the notice includes RAMP's own slogan, 'THE ONLY PLACE RANSOMWARE ALLOWED!,' alongside a winking image of Masha from the popular Russian children's cartoon 'Masha and the Bear,' adding a touch of irony to the takedown.
While there has been no official statement from law enforcement, the domain name servers have been switched to those used by the FBI during seizures: ns1.fbi.seized.gov and ns2.fbi.seized.gov. This shift suggests that authorities now have access to a wealth of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information. For threat actors who neglected operational security (opsec), this could spell trouble, leading to identifications and arrests.
In a post on the XSS hacking forum, a user known as 'Stallman,' allegedly a former RAMP operator, confirmed the seizure. 'I regret to inform you that law enforcement has seized control of the Ramp forum,' the translated post reads. 'This event has destroyed years of my work building the freest forum in the world. While I hoped this day would never come, I always knew it was a possibility. It's a risk we all take.' When contacted, the FBI declined to comment on the matter.
The Rise and Fall of RAMP
RAMP emerged in July 2021 as a response to the banning of ransomware promotions on popular Russian-speaking forums like Exploit and XSS. This ban came amid heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline. Positioning itself as one of the last remaining platforms where ransomware could be openly promoted, RAMP quickly attracted multiple ransomware gangs. These groups used the forum to advertise their operations, recruit affiliates, and buy and sell access to compromised networks.
The forum was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin. Orange had previously administered the Babuk ransomware operation, which disbanded after its attack on the D.C. Metropolitan Police Department. Internal disputes over the public leaking of stolen law enforcement data led to the group's splintering, and Orange subsequently repurposed Babuk's Tor onion domain to create RAMP.
Shortly after its launch, RAMP faced distributed denial-of-service (DDoS) attacks that disrupted its operations. Orange publicly accused former Babuk members of orchestrating these attacks, though they denied involvement. Later, cybersecurity journalist Brian Krebs identified the individual behind the Orange and Wazawaka aliases as Russian national Mikhail Matveev. In an interview, Matveev confirmed his role in creating RAMP, claiming the forum generated no profit and was plagued by constant DDoS attacks, leading him to step away from its management.
In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and critical infrastructure. He was also sanctioned by the U.S. Treasury and placed on the FBI's most-wanted list, with a $10 million reward offered for his arrest or conviction.
The Bigger Picture
While the takedown of RAMP is undoubtedly a significant blow to cybercrime, it raises important questions. Will this simply push these activities into darker, more hidden corners of the internet? And what does this mean for the future of cybersecurity? Here’s a thought-provoking question for you: Is taking down forums like RAMP an effective long-term strategy, or does it merely treat the symptoms of a much larger problem? Share your thoughts in the comments below—we’d love to hear your perspective!
