All About RAMP Ransomware Forum

Brief Bio: RAMP

• Launch date: July 2021
• Main language: Russian, Chinese, English
• Registered member count: 14K 
• Main topics: Ransomware

How did RAMP start?

RAMP is a Russian cybercriminal dark web forum previously known as Payload.bin. Its story begins back in 2012 when it was first established as a site operating on the Tor network.

Primarily catering to Russian audiences, RAMP quickly gained a reputation as the premier go-to source for drug transactions within Russian borders. Aside from its active marketplace, the platform also operates a forum where discussions could take place. 

But in 2017, in an unexpected move, the Russian Ministry of Internal Affairs seized the site. Several years later, in 2021, a new site, very similar to its predecessor, emerged on the dark web, with a focus on illicit activities, including a partner program for ransomware groups, a malware section, and a section dedicated to trading access to corporate accounts. 

The Russian cybercriminal forum welcomed a diverse crowd of users as its administrator opened it up to Mandarin and English-speaking threat actors.

A new admin, initially named TetyaSluha (now Orange), announced it is now a place where ransomware affiliates can be protected from ransomware programs. RAMP’s administrator was linked to the Babuk ransomware group and was founded to connect with affiliates operating in a ransomware-as-a-service (RaaS) model, a model that allows affiliates to perform ransomware attacks using pre-developed tools. The affiliates get a commission for each completed (successful) ransomware payment. 

This affiliated program makes the RAMP forum unique because after the attack on the colonial pipeline in 2021, most deep and dark web forums prohibited ransomware groups from running such programs. XSS and Exploit, two other Russian darknet forums which were popular meeting places for cybercriminals associated with the DarkSide and REvil ransomware gangs, were banned following the attack.

Unlike these forums, RAMP became a safe haven for ransomware groups to carry out their activities, such as finding new hackers or selling initial access. 

Where’s RAMP now?

On July 23, 2021, RAMP experienced a spam attack. A threat actor demanded a $5,000 ransom to avoid spamming. The admin refused to pay the ransom and over the following days, multiple users were posting porn GIFs in all sections and threads of the forum. 

Following the incident, many users were deleted from the forum. The admin, who had previously looked for someone capable of auditing the forum’s security for $2,000, stated the forum would be relaunched using a new engine built from scratch. 

First, the admin “cleaned” the forum and deleted most of the users, and then on July 27, 2021, he restricted access to the forum.

How to access RAMP?

On August 13, 2021, the RAMP forum was relaunched and registration became available. To be able to register, there are several criteria one has to fulfill:

• Registrated to XSS and Exploit forums for at least two months 
• Publish at least 10 posts on one of these forums 
• Good reputation 

 After users are approved, they can access the forum.

Besides these criteria, for those who do not want to expose their profiles and remain anonymous, registration can be completed in exchange for $500, which is considered a higher fee in comparison to other forums. 

For example, a premium user on XSS costs $120 per year. This is notable since Russian cybercriminals are not used to paying fees to access forums, especially high fees.

The affiliate program that RAMP offers includes a closed community for people that meet specific criteria, which makes it an important forum for many threat actors.

The need to monitor RAMP

The revamped RAMP forum not only operates as a forum but also as a market that includes the sale of different illicit data like malware, and data leaks. Since it also serves as a RaaS, it is used by threat actors to compromise individuals and organizations.

With over 14,000 members, the site uses Tor and some escrow features like Silk Road-like darknet markets, but otherwise, many deals take place off-site using off-the-record messaging. It is the longest-lived darknet market, running from September 2012 to July 2017, inspired by the success of the Silk Road. The administrator claims the site makes around $250,000 a year and avoids law enforcement attention due to its predominant Russian user base and its ban on the sale of goods and services such as hacking.

What’s next?

With cybercriminals continuing to develop their methods and tools, the need to monitor upcoming threats will only increase.

We predict that the need for timely and quality intelligence will continue to become critical to all brands, organizations, and law enforcement as they strive to protect against cyber threats. 

We at Webz.io will continue to work with leading global monitoring enterprises and intelligence organizations to help them easily detect threats on the deep and dark web.