The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwise

Billing itself as the "only place ransomware allowed", RAMP catered mainly for Russian-speaking cyber criminals

The FBI has seized the clearnet and dark web domains of the RAMP underground hacking forum, used by Ransomware as a Service (RaaS) gangs and other cyber criminals.

While there's no official statement as yet, the domains now display banners reading "The Federal Bureau of Investigation has seized RAMP."

The notice adds that the action was carried out in coordination with the US Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

The takedown also appears to be confirmed by "Stallman", said to be one of RAMP's owners, in an XSS hacking forum post translated from Russian and shared on X.

"With regret, I inform you that law enforcement agencies have gained control over the Ramp forum," it reads.

"Despite the fact that I no longer control Ramp and will not be creating a new forum from scratch, I will continue to buy accesses," the statement adds. "My core business remains unchanged. If you have something you can offer me, the terms are listed in my signature, message me in private messages, and we will exchange via Jabber/Tox."

What you need to know about RAMP

RAMP - which originally stood for Russian Anonymous Marketplace - was a highly popular dark web forum that catered mainly for Russian-speaking cyber criminals, including RaaS gangs and initial access brokers.

It billed itself as the "only place ransomware allowed", and ransomware groups including Qilin, LockBit, DragonForce, RansomHub, and ALPHV/BlackCat promoted their RaaS services there.

The site also included discussion groups and cyber attack tutorials.

"The reason for its success was that it offered criminals a marketplace supporting the entire attack chain, from the ability to buy stolen credentials, promote malware or sell and purchase ransomware services," said Ben Clarke, SOC manager at CybaVerse.

Will the takedown stick?

Clarke added that while the takedown will affect criminal activity for a while, the long-term impact could be minimal.

"Anything to disrupt this activity is a positive step for defenders. But we would be naive to believe it will have a tangible impact on cyber crime," he said. "New marketplaces will be formed to take RAMP's place, while threat actors will navigate to other platforms to buy and sell services."

Law enforcement takedowns in recent years have achieved mixed results. While they do disrupt operations, forums are often revived, as with the Emotet botnet takedown in 2022. In this instance, the botnet returned with a vengeance.

This doesn't mean that these operations are futile, however. Daniel Wilcock, threat intelligence analyst at Talion, said takedowns are still a key tactic for law enforcement to stifle cyber criminal activities and gain vital intelligence.

"While this doesn't signal the end of ransomware, law enforcement will be able to gain valuable information from the seizure around the threat actors using the services, such as their emails and IP addresses plus access to the financial transactions that took place on the market," he said.

"This could support further law enforcement action against the threat actors that used the site, but given that RAMP was heavily used by Russian criminals it's highly unlikely we will see many actual arrests."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.