Dark web cybercriminals vow to fight on after FBI seizure of Ramp forum
"This event has destroyed years of my work creating the freest forum in the world," Ramp's alleged operator wrote after the seizure.
The FBI has seized control of the notorious Russian-speaking cybercrime forum Ramp, which famously described itself as "the only place ransomware is allowed".
Cops commandeered both the clearnet and darknet versions of Ramp, posting a takedown notice that displayed the site's banner, featuring a character from the Russian kids' cartoon, "Masha and the Bear".
Name servers of the domains appear to have swapped to servers the FBI uses whenever it takes control of an illegal site.
Although the FBI has not yet confirmed the takedown, figures allegedly linked to the forum have published posts vowing that the operation would not shut down their criminal operations entirely - although Ramp is almost certainly now dead and buried forever.
In a message shared on the forum XSS, a person called Stellman, who is alleged to be one of Ramp's bosses, said he would continue to purchase access to hacked systems and continue his criminal operations in a different form (assuming we have translated his message from Russian correctly).
Stellman wrote: "I regret to inform you that law enforcement agencies have gained control of the Ramp forum. This event has destroyed years of my work creating the freest forum in the world, and although I hoped this day would never come, deep down I always understood that it was possible. This is a risk we all take.
"Despite the fact that I no longer control Ramp and will not create a new forum from scratch, I will continue to buy accesses. My main business remains unchanged. If you have something you can offer me, the terms are listed in my signature—write to me in private messages and we will exchange Jabber/Tox.
"Good luck to everyone. Take care of yourselves and your loved ones."
READ MORE: Dark web dealers halt US shipments as Trump scraps "catastrophic" border loophole
SOCRadar, makers of an Extended Threat Intelligence (XTI) SaaS platform, described RAMP - which stands for Russian Anonymous Marketplace- as "one of the most active and strategically significant ransomware forums on the dark web."
"It serves as a central platform for the Ransomware-as-a-Service (RaaS) ecosystem, bringing together ransomware operators, affiliates, and initial access brokers to share intelligence, advertise services, and trade intrusion tools," the security firm wrote.
"The forum was launched on the same domain previously used by the Babuk ransomware data leak site and its short-lived successor, Payload.bin. This continuity allowed RAMP to quickly gain visibility and credibility within the underground community."
READ MORE: Dark web Initial Access Brokers are selling hacked network access for as little as $500, study reveals
It was an updated version of a forum called RAMP, which operated between 2012 and 2017 as a drug marketplace for Russian users (no pun intended).
After Russian cops dismantled RAMP, it resurfaced in a new form, focusing on ransomware and cyber-extortion.
"Operating both on the clearnet and as a .onion service within the Tor network, RAMP ensures layered anonymity for its users and administrators," SOCRadar wrote. "This dual infrastructure allows ransomware groups, affiliates, and brokers to coordinate campaigns, sell stolen data, and exchange tools under the protection of high operational security, solidifying its role as a core component of the global RaaS landscape."
