Ransomware crims forced to take off-RAMP as FBI seizes forum
Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum’s dark web and clearnet domains.
RAMP, which stands for Russian Anonymous Marketplace, was an online souk, favored by ransomware-as-a-service gangs, extortionists, initial access brokers, and other miscreants specializing in digital crime. Its websites now say “This Site Has Been Seized,” with the notice attributing the takedown to the FBI in coordination with the US Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.
The feds also trolled the forum’s operators with a banner saying “The Only Place Ransomware Allowed!” and an image of Masha – a preschool character from the Russian animated TV series – winking.
While the FBI declined to comment on the seizure, DNS records show that the federal cops have seized the domains.
The takedown also appears to be confirmed by one of the forum’s alleged operators who goes by “Stallman.” In an XSS hacking forum post shared widely on social media, Stallman said law enforcement had gained control of RAMP.
“This event destroyed years of my work to create the most free forum in the world, and although I hoped this day would never come, deep down I always understood that it was possible,” he wrote. “This is the risk we all take.”
Stallman said he could not create a new forum, but will “continue to buy accesses. My core business remains unchanged.”
It’s highly unlikely that this takedown signals the end of ransomware and other crime crews who used RAMP’s websites to buy and sell malware and exploits and recruit affiliates. Much like horror-movie monsters, cybercrime forums never really die, and their users will likely scatter to other underground marketplaces to buy and sell their illicit services.
Still, “its loss represents a meaningful disruption to a core piece of criminal infrastructure,” Tammy Harper, a senior threat intelligence researcher at Flare who specializes in ransomware research, told The Register.
“As with previous takedowns, the removal of a major hub does not eliminate the ecosystem – it forces migration,” Harper said. “Groups such as Nova and DragonForce are reportedly shifting activity toward Rehub, illustrating the underground’s ability to reconstitute quickly in alternative spaces. These transitions are often chaotic, opening new risks for threat actors: loss of reputation, escrow instability, operational exposure, and infiltration during the scramble to rebuild trust.”
Plus, she added, these types of law enforcement seizures provide “rare opportunities” for network defenders and threat intel teams: “not only to disrupt ongoing criminal collaboration, but potentially to collect insight into affiliate networks, financial relationships, and operational security failures.” ®
