The FBI has seized the notorious cybercrime forum RAMP, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums openly allowing ransomware operations to be promoted.
Both the Tor version of the forum and its clearnet domain, ramp4u[.]io, now display a takedown notice stating, "The Federal Bureau of Investigation has seized RAMP."

"This action was taken in coordination with the U.S. Attorney's Office for the Southern District of Florida and the U.S. Department of Justice's Computer Crime and Intellectual Property Section," the notice states.

The takedown banner also appears to mock the forum's operators: it displays RAMP's own slogan, "THE ONLY PLACE RANSOMWARE ALLOWED!", followed by a winking Masha from the popular Russian children's cartoon "Masha and the Bear."

While no official statement from law enforcement regarding the seizure has been released, the domain's DNS servers have been switched to those used by the FBI when seizing domains.

If this is true, law enforcement now has access to a significant amount of data related to forum users, including email addresses, IP addresses, private messages, and other potentially compromising information. For threat actors who haven't maintained adequate operational security (OPSEC), this could lead to identification and arrests.

In a post on the hacker forum XSS, one of the alleged former RAMP operators, going by the handle Stallman, confirmed the seizure.

"I regret to inform you that law enforcement has seized control of the RAMP forum," the translated forum post reads. "This event has destroyed years of my work building the most free forum in the world, and while I hoped this day would never come, deep down I always knew it was possible. It's a risk we all take."

The RAMP cybercrime forum was launched in July 2021 after popular Russian-language Exploit and XSS forums banned the promotion of ransomware operations. This ban was due to increased pressure from Western law enforcement agencies following the DarkSide ransomware attack on Colonial Pipeline.



In July 2021, a new Russian-language forum called RAMP was launched, positioning itself as one of the last places where ransomware could be openly advertised. This led to several ransomware groups using the forum to promote their operations, recruit affiliates, and buy and sell network access.
RAMP was launched by a threat actor known as Orange, who also used the aliases Wazawaka and BorisElcin. Orange had previously been the administrator of the Babuk ransomware operation, which shut down after attacking the District of Columbia Police Department. The group allegedly had internal disputes over whether to publicly leak stolen data from law enforcement, and after publishing it, the group disbanded.

Following the split, Orange launched the RAMP forum on the Tor onion domain previously used by Babuk. Shortly after its launch, RAMP was hit by distributed denial-of-service (DDoS) attacks, disrupting its availability. Orange publicly blamed former Babuk partners for the attacks, but the former members denied any involvement, stating they had no interest in the forum.

The identity of the person hiding behind the Orange and Wazawaka pseudonyms was later publicly revealed by cybersecurity journalist Brian Krebs to be Russian citizen Mikhail Matveev. In an interview with Dmitry Smilyanets of Recorded Future, Matveev confirmed that he had previously operated under the name Orange and that he created RAMP using Babuk's former onion domain.

Matveev explained that the forum was initially created to reuse Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately failed to generate profit and was constantly subject to DDoS attacks, leading him to step down from managing the forum after its popularity grew.

In 2023, Matveev was indicted by the US Department of Justice for his role in several ransomware operations, including Babuk, LockBit, and Hive, that targeted US healthcare organizations, law enforcement agencies, and other critical infrastructure.
He was also placed on the US Treasury Department's Office of Foreign Assets Control sanctions list and the FBI's Most Wanted list, with the US State Department offering a reward of up to $10 million for information leading to his arrest or conviction.