FBI Seizes Russian Cybercrime Forum RAMP After Years of Facilitating Ransomware and Corporate Breaches
On January 28, 2026, the FBI, in coordination with the U.S. Attorney’s Office for the Southern District of Florida, seized RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum that operated from late 2021 until its shutdown. The platform, accessible via Tor and a clearnet mirror (ramp4u.io), served as a hub for selling corporate network access, malware, ransomware-as-a-service (RaaS) partnerships, and stolen data, catering to a global audience of cybercriminals.
Key Findings from RAMP’s Leaked Database
Researchers at Comparitech analyzed a leaked MySQL database from RAMP, covering November 2021 to January 2024, which revealed:
- 7,707 registered users
- 1,732 forum threads
- 340,333 IP log records
- 1,899 private conversations (3,875 messages)
- 14 active RaaS programs and 250+ ransomware leak sites referenced
Corporate Network Access: The First Step in Ransomware Attacks
RAMP’s access marketplace was its most active section, with 333 threads offering entry points into compromised networks, the usual precursor to ransomware deployment. The U.S. was the top target (40% of listings), followed by the EU, Canada, and Brazil.
Most Common Access Types Sold
| Access Type | Listings | Risk Level |
|---|---|---|
| RDP (Remote Desktop) | 59 | Critical |
| VPN (Corporate Gateways) | 22 | Critical |
| SSH/Webshell | 22 | High |
| Domain Admin | 12 | Critical |
| Citrix | 7 | High |
Top Targeted Industries
- Government (21 listings) – Including a Mexican embassy, Ukrainian government, and Israeli defense infrastructure
- Finance & Banking (11 listings) – Consolidated Bank of Ghana, AddisBank (Ethiopia)
- Technology & Telecom (11 listings) – China Telecom, Emirates Telecom ($1.3B revenue), Taiwan Telecom
- Energy (5 listings) – U.S. petroleum company ($1B revenue), U.S. energy firm ($800M revenue)
- Healthcare (4 listings) – South Korean and Thai hospitals
High-Value Victims
- $16B South Korean conglomerate (most valuable listing)
- $6B U.S. corporation
- $5B Canadian corporation
- $2.6B U.S. corporation
- Toyota’s Brazilian operations ($1B+ revenue)
- PEPSI’s official Asian distributor ($250M+ revenue)
The Shift to VPN Exploitation
While RDP access dominated early listings, VPN access listings surged in 2023, correlating with critical vulnerabilities in Cisco, Fortinet, and Citrix VPN products. By Q4 2023, VPN access listings matched RDP listings in frequency.
Most Exploited VPN Vendors
| Vendor | Mentions | Exploitation Context |
|---|---|---|
| Cisco | 8 | Bulk credential sales, automated scanning |
| Citrix | 7 | Enterprise gateway access |
| Fortinet | 3 | Known CVEs exploited |
| Pulse Secure | 3 | CVE-2019-11510 referenced |
| Palo Alto | 2 | Enterprise networks |
One seller ("blackod") posted five Cisco VPN access listings in November 2023 alone, targeting U.S., Australian, Canadian, and UK organizations, suggesting large-scale automated exploitation.
Ransomware-as-a-Service (RaaS) Economy
RAMP hosted 60 RaaS recruitment threads, with affiliate splits reaching 90/10 by mid-2023, meaning the affiliate who carried out the intrusion kept $900,000 of every $1M ransom and the operator took $100,000.
14 Active RaaS Programs (2021–2024)
- The 14 programs included AvosLocker, Conti, Luna, Nevada, Knight 3.0, NoEscape, Bl00dy, KUIPER, UBUD, PHOBOS (cracked builder), Zeppelin2 (source code leak), and Wing 1.0
The leaked LockBit 3.0 builder (the builder first leaked publicly in September 2022; the dataset references it in August 2023) was particularly damaging, enabling independent operators to launch attacks without any RaaS affiliation.
Malware Marketplace & Cracked Tools
RAMP’s malware section featured 121 listings, including:
- Exploits & 0-days (e.g., SonicWall VPN RCE, WinRAR RCE)
- Ransomware (e.g., Kakia v2, Thanos, ESXi ransomware)
- Stealers (e.g., LummaC2, Mars Stealer)
- Cracked pentesting tools (e.g., Cobalt Strike, Core Impact)
A $25,000 crypto-stealing botnet claimed to bypass 2FA on major exchanges, while a VPN RCE 0-day was listed for $100,000.
The Criminal Job Market
RAMP’s freelance section (68 threads) functioned as a cybercrime career hub, with roles including:
- Android malware developers ($20K–$25K/month)
- Ransomware affiliates (70–90% of ransom payouts)
- Access brokers (per-sale, $500–$50K)
- Insiders (telecom, crypto exchange employees)
Forum Growth & Law Enforcement Pressure
RAMP’s activity followed a U-shaped recovery:
- Peaked at 345 threads in Q4 2021
- Dropped to 67 threads in Q4 2022 (likely due to Hive ransomware takedown)
- Surged to 300 threads in Q4 2023 (348% increase from trough)
Operational Security Failures
Despite the forum being reachable over Tor, 94 users registered with Gmail accounts, and the 340,333 IP log records show some users accessing the forum without Tor, exposing residential ISP connections that can be tied to a subscriber.
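The check a forensic analyst would run over such an IP log, added here as an illustration and not code from the article or from Comparitech's analysis: bucket each logged address as a Tor exit, a non-routable address (usually a proxy-header artefact), or a routable clearnet address, then list the users with clearnet hits. The log rows, the user names and the Tor exit set below are constructed; documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for routable addresses, and in real use the exit set would be loaded from the Tor Project's published exit list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape (user, ip, timestamp). Not real RAMP data.
SAMPLE_IP_LOG = [
    ("seller_a", "192.0.2.10",    "2023-11-02T10:14:00"),  # in our toy Tor exit set
    ("seller_a", "192.0.2.11",    "2023-11-03T09:02:00"),  # in our toy Tor exit set
    ("seller_b", "203.0.113.77",  "2023-11-05T21:40:00"),  # stands in for a residential ISP address
    ("seller_b", "192.0.2.10",    "2023-11-06T08:15:00"),  # Tor exit
    ("buyer_c",  "198.51.100.9",  "2024-01-10T12:00:00"),  # stands in for a residential ISP address
    ("buyer_c",  "10.0.0.5",      "2024-01-10T12:05:00"),  # RFC1918: likely a misconfigured proxy header
    ("junk",     "not-an-ip",     "2024-01-11T00:00:00"),  # malformed row: must not crash the pass
]

# Constructed stand-in for a Tor exit-node list (assumption: one entry per exit IP).
TOR_EXITS = {"192.0.2.10", "192.0.2.11"}

# Ranges that can never identify a subscriber. Checked explicitly rather than via
# ipaddress.is_private, which also flags the documentation ranges used above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def classify_ip(ip_text, tor_exits):
    """Return 'tor', 'private', 'clearnet' or 'invalid' for one logged address."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if str(addr) in tor_exits:
        return "tor"
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    if any(addr in net for net in NON_ROUTABLE):
        return "private"
    return "clearnet"


def analyze_log(records, tor_exits):
    """Per-user bucket counts plus the distinct clearnet addresses each user leaked."""
    summary = defaultdict(lambda: {"tor": 0, "clearnet": 0, "private": 0,
                                   "invalid": 0, "clearnet_ips": set()})
    for user, ip_text, _timestamp in records:
        bucket = classify_ip(ip_text, tor_exits)
        entry = summary[user]
        entry[bucket] += 1
        if bucket == "clearnet":
            entry["clearnet_ips"].add(ip_text.strip())
    return dict(summary)


def exposed_users(summary):
    """Users with at least one routable non-Tor login: the OPSEC failures worth
    correlating with ISP subscriber records."""
    return sorted(user for user, entry in summary.items() if entry["clearnet"] > 0)


def exposure_rate(summary):
    """Fraction of parsable rows that came from the clearnet (invalid rows excluded)."""
    parsable = sum(e["tor"] + e["clearnet"] + e["private"] for e in summary.values())
    clearnet = sum(e["clearnet"] for e in summary.values())
    return clearnet / parsable if parsable else 0.0


if __name__ == "__main__":
    result = analyze_log(SAMPLE_IP_LOG, TOR_EXITS)
    for user in exposed_users(result):
        print(user, sorted(result[user]["clearnet_ips"]))
    print(f"clearnet share of parsable rows: {exposure_rate(result):.2%}")
```

A single clearnet hit is enough to deanonymise an account, which is why the output is keyed by user rather than by row; the private bucket is kept separate because a 10.x address in a web log usually means the forum sat behind a reverse proxy that was not forwarding the real client address for that request, not that the user was on the clearnet.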
Private Messages: The Hidden Deals
The database included 1,899 private conversations, revealing negotiations between access brokers, ransomware operators, and buyers. For example, the top seller ("inthematrix") generated 41 private deals from their listings, including one for a $16B South Korean conglomerate.
Conclusion
RAMP’s seizure marks a significant disruption in the cybercrime supply chain, but its legacy (leaked ransomware builders, cracked tools, and high-value access sales) continues to fuel attacks. The forum’s data underscores the global scale of corporate targeting, the shift toward VPN exploitation, and the democratization of ransomware through leaked tools.