FBI Seizes Russian Cybercrime Forum RAMP After Years of Facilitating Ransomware and Corporate Breaches On January 28, 2026, the FBI, in coordination with the U.S. Attorney’s Office for the Southern District of Florida, seized RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum that operated from late 2021 until its shutdown. The platform, accessible via Tor and a clearnet mirror (ramp4u.io), served as a hub for selling corporate network access, malware, ransomware-as-a-service (RaaS) partnerships, and stolen data, catering to a global audience of cybercriminals. ### Key Findings from RAMP’s Leaked Database Researchers at Comparitech analyzed a leaked MySQL database from RAMP, covering November 2021 to January 2024, which revealed: - 7,707 registered users - 1,732 forum threads - 340,333 IP log records - 1,899 private conversations (3,875 messages) - 14 active RaaS programs and 250+ ransomware leak sites referenced ### Corporate Network Access: The First Step in Ransomware Attacks RAMP’s access marketplace was its most active section, with 333 threads offering entry points into compromised networks often the precursor to ransomware deployment. The U.S. was the top target (40% of listings), followed by the EU, Canada, and Brazil. #### Most Common Access Types Sold | Access Type | Listings | Risk Level | |--------------------------|-------------|----------------| | RDP (Remote Desktop) | 59 | Critical | | VPN (Corporate Gateways) | 22 | Critical | | SSH/Webshell | 22 | High | | Domain Admin | 12 | Critical | | Citrix | 7 | High | #### Top Targeted Industries 1. Government (21 listings) – Including a Mexican embassy, Ukrainian government, and Israeli defense infrastructure 2. Finance & Banking (11 listings) – Consolidated Bank of Ghana, AddisBank (Ethiopia) 3. Technology & Telecom (11 listings) – China Telecom, Emirates Telecom ($1.3B revenue), Taiwan Telecom 4. Energy (5 listings) – U.S. petroleum company ($1B revenue), U.S. energy firm ($800M revenue) 5. Healthcare (4 listings) – South Korean and Thai hospitals #### High-Value Victims - $16B South Korean conglomerate (most valuable listing) - $6B U.S. corporation - $5B Canadian corporation - $2.6B U.S. corporation - Toyota’s Brazilian operations ($1B+ revenue) - PEPSI’s official Asian distributor ($250M+ revenue) ### The Shift to VPN Exploitation While RDP access dominated early listings, VPN exploits surged in 2023, correlating with critical vulnerabilities in Cisco, Fortinet, and Citrix VPNs. By Q4 2023, VPN access listings matched RDP in frequency. #### Most Exploited VPN Vendors | Vendor | Mentions | Exploitation Context | |------------------|-------------|--------------------------| | Cisco | 8 | Bulk credential sales, automated scanning | | Citrix | 7 | Enterprise gateway access | | Fortinet | 3 | Known CVEs exploited | | Pulse Secure | 3 | CVE-2019-11510 referenced | | Palo Alto | 2 | Enterprise networks | One seller ("blackod") posted five Cisco VPN access listings in November 2023 alone, targeting U.S., Australian, Canadian, and UK organizations, suggesting large-scale automated exploitation. ### Ransomware-as-a-Service (RaaS) Economy RAMP hosted 60 RaaS recruitment threads, with affiliate splits reaching 90/10 by mid-2023 meaning attackers kept $900,000 per $1M ransom. #### 14 Active RaaS Programs (2021–2024) - AvosLocker, Conti, Luna, Nevada, Knight 3.0, NoEscape, Bl00dy, KUIPER, UBUD, PHOBOS (cracked builder), Zeppelin2 (source code leak), Wing 1.0 The leak of LockBit 3.0’s builder in August 2023 was particularly damaging, enabling independent operators to launch attacks without RaaS affiliation. ### Malware Marketplace & Cracked Tools RAMP’s malware section featured 121 listings, including: - Exploits & 0-days (e.g., SonicWall VPN RCE, WinRAR RCE) - Ransomware (e.g., Kakia v2, Thanos, ESXi ransomware) - Stealers (e.g., LummaC2, Mars Stealer) - Cracked pentesting tools (e.g., Cobalt Strike, Core Impact) A $25,000 crypto-stealing botnet claimed to bypass 2FA on major exchanges, while a VPN RCE 0-day was listed for $100,000. ### The Criminal Job Market RAMP’s freelance section (68 threads) functioned as a cybercrime career hub, with roles including: - Android malware developers ($20K–$25K/month) - Ransomware affiliates (70–90% of ransom payouts) - Access brokers (per-sale, $500–$50K) - Insiders (telecom, crypto exchange employees) ### Forum Growth & Law Enforcement Pressure RAMP’s activity followed a U-shaped recovery: - Peaked at 345 threads in Q4 2021 - Dropped to 67 threads in Q4 2022 (likely due to Hive ransomware takedown) - Surged to 300 threads in Q4 2023 (348% increase from trough) ### Operational Security Failures Despite Tor usage, 94 users registered with Gmail accounts, and 340,333 IP logs revealed some accessing the forum without Tor, exposing residential ISP connections. ### Private Messages: The Hidden Deals The database included 1,899 private conversations, revealing negotiations between access brokers, ransomware operators, and buyers. For example, the top seller ("inthematrix") generated 41 private deals from their listings, including one for a $16B South Korean conglomerate. ### Conclusion RAMP’s seizure marks a significant disruption in the cybercrime supply chain, but its legacy leaked ransomware builders, cracked tools, and high-value access sales continues to fuel attacks. The forum’s data underscores the global scale of corporate targeting, the shift toward VPN exploitation, and the democratization of ransomware through leaked tools.