{"id":4303,"date":"2026-01-29T15:37:07","date_gmt":"2026-01-29T15:37:07","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/01\/29\/fbi-takes-down-ramp-ransomware-forum\/"},"modified":"2026-01-29T15:37:07","modified_gmt":"2026-01-29T15:37:07","slug":"fbi-takes-down-ramp-ransomware-forum","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/01\/29\/fbi-takes-down-ramp-ransomware-forum\/","title":{"rendered":"FBI Takes Down RAMP Ransomware Forum"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-5a457fc5-20f0-4eae-a3d6-99f979c959f9\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<div>\n<p>The notorious cybercriminal forum Russian Anonymous Marketplace (RAMP) has reportedly been taken down by the FBI.<\/p>\n<p> The news came on January 28, when several cyber threat intelligence (CTI) analysts noticed both RAMP clear and dark web sites were down and replaced by a law enforcement banner showing the message: \u201cThis site has been seized.\u201d<\/p>\n<\/div>\n<p>The banner says the FBI seized the site in collaboration with the US Attorney\u2019s Office for the Southern District of Florida and the US Justice Department\u2019s (DoJ) Computer Crime and Intellectual Property Section (CCIPS).<\/p>\n<\/p><\/div>\n<figure id=\"layout-4aed0fe2-d181-4e7d-bbb7-47dd8a0a3c4a\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/localimages\/d1e49ce9-3716-4af5-8696-f1b3c2d25248.png\" alt=\"Source: Infosecurity Magazine\"><figcaption>Source: Infosecurity Magazine<\/figcaption><\/figure>\n<div id=\"layout-7ac49597-f4dd-4047-aa5d-91e48bdcdb6a\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The notice also taunts the RAMP operators with a message saying, &#8220;The Only Place Ransomware Allowed!&#8221; and an image of Masha, a Russian cartoon character, 
winking.<\/p>\n<p>While the FBI has made no official statement at the time of writing, the domains linked to RAMP now redirect to seizure notices with FBI and DoJ seals and the nameservers have been updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov, confirming the seizure by US law enforcement.<\/p>\n<h2><strong>RAMP: The Dark Web Forum Where Ransomware Is Allowed<\/strong><\/h2>\n<p>RAMP was created in 2012\u00a0as a site operating on the Tor network\u00a0but rose to prominence in 2021, operated by\u00a0people linked to the now defunct Babuk ransomware group. The RAMP forum in its current form was born after XSS and Exploit, the two main dark web forums in the Russian cybercrime landscape, as well as the English-speaking BreachForums, banned ransomware discussions.<\/p>\n<p>The message on the FBI banner trolls RAMP\u2019s position as the sole underground marketplace where talking about ransomware was allowed.<\/p>\n<p>One of the individuals behind RAMP was Mikhail Matveev, a Russian national, also known under the aliases Orange, Wazawaka and BorisElcin. 
Matveev was arrested in Russia in 2024.<\/p>\n<p>Another key operator, known as \u2018Stallman,\u2019 was still the forum\u2019s administrator when the takedown occurred.<\/p>\n<p>Rebecca Taylor, a threat intelligence researcher at Sophos, told <em>Infosecurity<\/em> that Stallman \u201cplayed a central role in maintaining trust, enforcing rules and managing the platform\u2019s technical operations.\u201d<\/p>\n<p>In a LinkedIn post shared after the takedown, Yelisey Bohuslavskiy, co-founder of intelligence firm Red Sense, explained that RAMP was created by individuals closely affiliated with the Russian security services as a response to the ransomware-as-a-service (RaaS) sprawl.<\/p>\n<p>He said that until 2020, Russian, Belarusian and Ukrainian services had strong visibility into the traditional, highly organized cybercriminal groups like Ryuk, Conti, REvil, Maze, Ragnar, Netwalker and others.<\/p>\n<p>\u201cPart of that visibility came through control over Exploit and XSS via security-affiliated admins. Then RaaS exploded. The model sprawled uncontrollably: even forum admins had zero control over affiliates. That was the problem to which RAMP was the answer,\u201d he added.<\/p>\n<p>According to the CTI expert, RAMP was a prime hub for new and low-to-mid-tier ransomware groups to promote themselves, offer services and \u201cbe as visible as possible.\u201d<\/p>\n<p>\u201cThis worked. One of the first things a new group or actor did was post on RAMP &#8211; effectively identifying themselves to the authorities. 
It also improved visibility into non-Russian-speaking crews and attracted the usual \u2018supply chain\u2019 sellers: logs, loaders, initial access, exploits, etc,\u201d Bohuslavskiy continued.<\/p>\n<p>Tammy Harper, a senior threat intelligence researcher at Flare, described RAMP as \u201cone of the most trusted ransomware-adjacent forums in the cybercrime ecosystem.\u201d<\/p>\n<p>She explained that the platform was \u201cwidely regarded as a high-trust escrow environment\u201d and functioned as the main discussion hub for ransomware operators, intermediaries and affiliates.<\/p>\n<p>Ben Clarke, a security operations center (SOC) manager at\u00a0CybaVerse, explained that the\u00a0reason for\u00a0RAMP&#8217;s\u00a0success was that &#8220;it offered criminals with a marketplace supporting the entire attack chain, from the ability to buy stolen credentials, promote malware or sell and purchase ransomware services.&#8221;<\/p>\n<p>Many notorious ransomware groups, including LockBit, ALPHV\/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant and RansomHub, are understood to have operated on this forum at various points.<\/p>\n<h2><strong>RAMP Administrator Confirms Takedown, No Plans to Rebuild<\/strong><\/h2>\n<p>It has been reported that the individual known as Stallman issued an official comment regarding the RAMP seizure on January 28. 
The statement has circulated widely across underground discussion spaces.<\/p>\n<p>Taylor told <em>Infosecurity<\/em>, \u201cFollowing the seizure of RAMP, Stallman publicly stated on the XSS forum that the takedown had \u2018destroyed years of my work\u2019 and confirmed there were no plans to rebuild.\u201d<\/p>\n<p>\u201cThe post and takedown have driven significant chatter within underground communities, reflecting heightened concern, uncertainty and loss of confidence following the takedown,\u201d she added.<\/p>\n<\/p><\/div>\n<figure id=\"layout-b4951f12-6194-49a3-88cb-a12e590f9cb5\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/localimages\/5a3f652b-8f0a-486f-aeea-d7077d95ed58.png\" alt=\"Screenshot of the message shared on XSS by RAMP administrator known as Stallman. Source: Rebecca Taylor, Sophos\"><figcaption>Screenshot of the message shared on XSS by RAMP administrator known as Stallman. Source: Rebecca Taylor, Sophos<\/figcaption><\/figure>\n<div id=\"layout-70c7c8b2-a819-45d4-b1e1-6dace4e12caa\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>Stallman\u2019s decision not to create a new version of RAMP is likely linked to concerns about his own freedom. Bohuslavskiy noted that the RAMP admin is now \u201ca void asset for the Russian services\u201d and is likely next on the list following a spate of arrests of cybercriminals in 2025.<\/p>\n<h2><strong>Takedown<\/strong> <strong>Welcome, But Impact Limited<\/strong><\/h2>\n<p>The RAMP takedown represents \u201ca meaningful disruption to a core piece of criminal infrastructure,\u201d commented Flare\u2019s Harper.<\/p>\n<p>Taylor told <em>Infosecurity<\/em>, \u201cThese operations not only disrupt and dismantle criminal infrastructure, but also sow mistrust, fear, and uncertainty among threat actors. 
The RAMP seizure is likely to provide valuable intelligence on criminal participants and create further opportunities for law enforcement action.\u201d<\/p>\n<p>Giomar Salazaar, a threat intelligence analyst at Outpost24, called\u00a0the takedown \u201canother major blow to the infrastructure supporting the digital extortion ecosystem,&#8221; while\u00a0Daniel Wilcock, a threat intelligence analyst at Talion, described it as &#8220;a big win for law enforcement&#8221; and said it will provide &#8220;valuable information from the seizure around the threat actors using the services,&#8221; such as their emails and IP addresses plus access to the financial transactions that took place on the market.<\/p>\n<p>RedSense\u2019s Bohuslavskiy welcomed any takedown of ransomware-enabling infrastructure. However, he painted a more nuanced picture of what it means for the future of cybercrime.<\/p>\n<p>In his LinkedIn post, he mentioned four main likely consequences:<\/p>\n<ul>\n<li>The RAMP takedown will mostly impact low-tier actors as losing RAMP means losing market access and the ability to announce and \u2018launch\u2019 themselves<\/li>\n<li>It will also likely lead to major disruption to distribution and sales for underground sellers. However, Bohuslavskiy predicted that Telegram will absorb some of it<\/li>\n<li>It will have minimal impact on top-tier groups. This is because they understood RAMP\u2019s affiliation to ransomware and largely stayed away from it<\/li>\n<li>Russian security services will lose some visibility into ransomware processes and sellers<\/li>\n<\/ul>\n<p>Additionally,\u00a0Talion&#8217;s\u00a0Wilcock highlighted that while the RAMP operator claims to have no plans to rebuild another marketplace, other criminals are likely to turn to alternative underground markets to support their crimes. 
&#8220;This means that while RAMP has been taken down, which will create some inconveniences for its users, its impact on the overall cyber crime ecosystem will be limited.&#8221;<\/p>\n<p>Wilcock also noted that, &#8220;given that RAMP was heavily used by Russian criminals,&#8221; it is &#8220;highly unlikely&#8221; the operation will lead to actual arrests.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The notorious cybercriminal forum Russian Anonymous Marketplace (RAMP) has reportedly been taken down by the FBI. The news came on January 28, when several cyber threat intelligence (CTI) analysts noticed both RAMP clear and dark web sites were down and replaced by a law enforcement banner showing the message: \u201cThis site has been seized.\u201d The<\/p>\n","protected":false},"author":2,"featured_media":4304,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73-150x150.png",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc
-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73.png",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4303-b3db03cc-2cfb-4a51-9d80-f8f7dd856e73-146x146.png",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4303"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4303\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4304"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}