FBI seizes RAMP cybercrime forum linked to ransomware operations

The takedown removes one of the last major forums that openly allowed ransomware advertising.

What happened

The FBI has seized the RAMP cybercrime forum, a platform widely used by ransomware operators to advertise services, recruit affiliates, and trade access to compromised networks. Reporting by BleepingComputer confirmed that both RAMP’s Tor site and its clearnet domain were taken offline and replaced with a federal seizure notice. The notice states that the action was carried out as part of a coordinated law enforcement operation. The seizure banner appears to mock the forum’s operators, displaying RAMP’s own slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!”, alongside a winking image of Masha from the Russian children’s cartoon Masha and the Bear. Domain records now point to law enforcement-controlled name servers, indicating authorities have assumed control of the forum’s infrastructure.

Going deeper

RAMP surfaced in mid-2021 after several major Russian-language hacking forums banned ransomware advertising following increased attention from Western law enforcement. It quickly stepped in to fill the gap, presenting itself as a place where ransomware operations could continue openly. That stance attracted multiple criminal groups seeking affiliates, access brokers, and other services. Investigators believe the seizure of the forum may give authorities access to user data, including private messages, registration details, and activity logs. For participants who did not maintain strict operational security, the takedown could expose past communications tied to criminal activity. A user claiming to be a RAMP administrator later acknowledged the seizure, confirming that law enforcement had taken control of the platform.

In the know

RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin. Orange previously ran the Babuk ransomware operation, which unraveled after a high-profile attack on the Washington, DC Metropolitan Police Department. Reports indicate the group fractured amid internal disputes over whether stolen law enforcement data should be released publicly. Once the data was leaked, Babuk effectively collapsed. Afterward, Orange reused Babuk’s existing Tor infrastructure to launch the RAMP forum on the same onion domain.

The individual behind the Orange persona was later identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev. In an interview with Recorded Future, Matveev confirmed that he created RAMP using Babuk’s former infrastructure, saying the goal was to reuse existing traffic. He said the forum generated little profit and was repeatedly disrupted by DDoS attacks. In 2023, Matveev was indicted by the U.S. Department of Justice for alleged involvement in Babuk, LockBit, and Hive ransomware operations. He was also sanctioned by the Office of Foreign Assets Control, placed on the Federal Bureau of Investigation’s most-wanted list, and became the subject of a U.S. Department of State reward of up to $10 million for information leading to his arrest.

What was said

U.S. law enforcement has not issued a detailed public statement beyond the seizure notice displayed on the forum. The banner states that the takedown was conducted “in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice,” confirming the action was part of a coordinated federal operation. The Federal Bureau of Investigation declined to comment further when contacted by reporters.

Following the takedown, an individual claiming to be associated with RAMP acknowledged the seizure in a post on the XSS hacking forum. “I regret to inform you that law enforcement has seized control of the Ramp forum,” the translated message reads. The individual added that the action had “destroyed years of my work building the freest forum in the world,” while admitting that the risk of law enforcement intervention had always existed.

Security researchers say the shutdown is likely to disrupt ransomware recruitment and coordination, as RAMP served as a central hub for affiliates, malware vendors, and criminal intermediaries.

FAQs

Why was RAMP considered significant among cybercrime forums?

It was one of the few remaining platforms that openly permitted ransomware advertising after similar forums banned the activity.

What information might law enforcement obtain from the seizure?

Authorities may gain access to user accounts, private messages, email addresses, IP data, and transaction-related communications stored on the forum.

Does a forum seizure immediately stop ransomware attacks?

No. Attacks can continue, but the loss of shared infrastructure disrupts recruitment, coordination, and trust within criminal networks.

What typically happens after a major forum takedown?

Threat actors often migrate to alternative forums, encrypted messaging platforms, or invite-only communities, which can slow operations and increase exposure risk.

How does this affect organizations targeted by ransomware?

Forum seizures can weaken criminal coordination, but organizations should continue focusing on prevention, detection, and response, as individual groups may still operate independently.
