FBI seizes RAMP cybercrime forum used to promote ransomware operations

The Federal Bureau of Investigation has seized control of the RAMP cybercrime forum, a notorious online marketplace used to advertise malware, hacking services and ransomware operations, taking down both its Tor-based site and its clearnet domain, ramp4u[.]io, which now display a federal seizure notice.

The notice states that the action was carried out in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice. The banner incorporates RAMP’s own slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!,” alongside an image of the cartoon character Masha, appearing to mock the forum’s operators.

Technical indicators of the takeover include the forum’s domain name servers being switched to infrastructure commonly used in federal seizures, with ns1.fbi.seized.gov and ns2.fbi.seized.gov now listed. The seizure potentially grants law enforcement access to extensive user data tied to the forum, including email addresses, IP addresses, private messages and other records that could be used in criminal investigations. Individuals who failed to maintain strict operational security could face identification and arrest.

One of the forum’s alleged former operators, known online as “Stallman,” acknowledged the seizure in a post on the XSS hacking forum, stating that law enforcement had taken control of RAMP and describing the loss of years of work building what he called a free forum. No official public announcement has been issued by authorities, and the FBI declined to comment when contacted about the operation.

RAMP launched in July 2021 after major Russian-speaking hacking forums banned the promotion of ransomware operations amid heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline. The new forum marketed itself as one of the few remaining spaces where ransomware activity could be openly advertised, quickly attracting multiple ransomware groups that used it to recruit affiliates and trade access to compromised networks.

The forum was created by a threat actor known as Orange, who also used the aliases Wazawaka and BorisElcin and previously served as an administrator of the Babuk ransomware operation. Babuk shut down after its attack on the Metropolitan Police Department of the District of Columbia, following internal disputes over the handling of stolen law enforcement data. After the group fractured, Orange launched RAMP using a Tor onion domain previously associated with Babuk.

RAMP’s early operation was disrupted by repeated distributed denial-of-service attacks. Orange publicly blamed former Babuk associates, though those individuals denied involvement and said they had no interest in the forum. The person behind the Orange and Wazawaka identities was later publicly identified as Russian national Mikhail Matveev.

Matveev later acknowledged that he had operated under the Orange alias and created RAMP to repurpose Babuk’s existing infrastructure and traffic, saying the forum generated no profit and was plagued by constant attacks that led him to step away from its management. In 2023, he was indicted by the U.S. Department of Justice for his role in multiple ransomware operations, including Babuk, LockBit and Hive, which targeted U.S. healthcare organizations, law enforcement agencies and other critical infrastructure.

Matveev was also sanctioned by the Office of Foreign Assets Control and placed on the FBI’s most-wanted list, with the United States Department of State offering a reward of up to $10 million for information leading to his arrest or conviction.