Russian ransomware forum seized by U.S. law enforcement

Posted on by Dissent

Another one bites the dust.

Earlier today, the U.S. Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice seized RAMP’s clear net and .onion sites.

RAMP (Russian Anonymous Marketplace) became a go-to Russian-language forum for ransomware operators, brokers, developers, and affiliates after all things ransomware were banned from the XSS[.]is and Exploit[in] forums in 2021 because the topic of ransomware and presence of groups such as REvil and DarkSide were attracting too much law enforcement heat.

Since its launch in 2021, RAMP has grown into a forum and marketplace used by some of the active ransomware gangs. SOC Radar has a good summary about the forum and Bleeping Computer has more on the history of the forum.

RAMP DNS

 

A WHOIS lookup of ramp4u[.io] (RAMP’s clearnet site) shows that the domain information was updated on January 28, and the domain’s nameservers now point to FBI’s well-known nameservers, ns1.fbi.seized.gov and ns2.fbi.seized.gov

 

 

As it has done with other ransomware-related seizures, the splash page seizure notice mocks the forum by repeating its motto, “The only place ransomware allowed!”

This site has been seized.The Federal Bureau of Investigation has seized RAMP [banner with "THE ONLY PLACE RANSOMWARE ALLOWED!] This action has been taken in coordination with the Unite States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice. Beneath the message are the shields of the FBI and DOJ and a message, "Please contact IC3.gov if you have information to report about cyber-criminal activity on RAMP"
Seizure notice on ramp4u[.]io January 28, 2026. Image: DataBreaches.net
Over on XSS, “Stallman,” widely believed to be the admin of RAMP, posted a notice about the seizure.

Stallman Ru
Stallman’s message on XSS[.pro].
An English translation of his message reads:

To whom it may concern:

I regret to inform you that law enforcement has seized control of the Ramp forum. This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It’s a risk we all take.

While I no longer manage Ramp and will not be building a new forum from scratch, I will still be purchasing access. My core business remains unchanged. If you have anything you can offer me, the terms are listed in my signature, please send me a private message and we can exchange toad/tox.

Good luck to everyone, take care of yourselves and your loved ones,

For those who had not been grandfathered into RAMP when it first opened, there was a fee of $500.00 to join. It is not clear what will happen now, but RAMP really seemed to be the premier group for the ransomware community, and the community will want to fill the gap the seizure has created.

As of publication, the DOJ has not issued any press release about the takedown, nor responded to a request for confirmation of the seizure.

 


Related:

Category: Commentaries and AnalysesMalware