DragonForce and RAMP: Ransomware crims forced to take off-RAMP as FBI seizes forum

FBI Seizes RAMP, a Key Hub for Ransomware and Cybercrime Operations

US law enforcement has dismantled RAMP (Russian Anonymous Marketplace), a prominent dark web and clearnet forum used by ransomware-as-a-service (RaaS) gangs, extortionists, and initial access brokers. The FBI, in coordination with the US Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section, seized the forum’s domains, replacing them with a seizure notice and a mocking banner: "The Only Place Ransomware Allowed!" complete with an image of Masha, a character from a Russian children’s cartoon.

DNS records confirm the takedown, and an alleged operator, "Stallman", acknowledged the seizure in a post on the XSS hacking forum. While expressing frustration over the loss of years of work, Stallman stated that his core business, selling compromised network access, remains intact, though he ruled out rebuilding the forum.

Despite the disruption, experts warn that cybercriminals will likely migrate to other underground platforms, such as Rehub, where groups like Nova and DragonForce are reportedly relocating. Tammy Harper, a senior threat intelligence researcher at Flare, noted that while takedowns don’t eliminate the ecosystem, they create temporary chaos, exposing threat actors to risks like reputation loss, escrow failures, and infiltration during the transition.

The seizure also presents an opportunity for defenders to gather intelligence on affiliate networks, financial ties, and operational security weaknesses before criminals regroup. However, as with past takedowns, the cybercrime underground is expected to adapt quickly.

Source: https://www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/

Ramp Network cybersecurity rating report: https://www.rankiteo.com/company/rampnetwork

Drakontas LLC cybersecurity rating report: https://www.rankiteo.com/company/drakontas-llc

"id": "RAMDRA1769640190",
"linkid": "rampnetwork, drakontas-llc",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "75",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Ransomware gangs, '
                                              'extortionists, initial access '
                                              'brokers',
                        'industry': 'Cybercrime',
                        'location': 'Russia',
                        'name': 'RAMP (Russian Anonymous Marketplace)',
                        'type': 'Dark web/clearnet forum'}],
 'description': 'US law enforcement has dismantled RAMP (Russian Anonymous '
                'Marketplace), a prominent dark web and clearnet forum used by '
                'ransomware-as-a-service (RaaS) gangs, extortionists, and '
                'initial access brokers. The FBI seized the forum’s domains, '
                'replacing them with a seizure notice.',
 'impact': {'operational_impact': 'Disruption of cybercriminal operations and '
                                  'forums',
            'systems_affected': ['RAMP forum domains']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Compromised network '
                                                    'access (core business of '
                                                    'Stallman)'},
 'investigation_status': 'Ongoing (intelligence gathering)',
 'lessons_learned': 'Takedowns create temporary chaos in cybercriminal '
                    'ecosystems, exposing threat actors to risks like '
                    'reputation loss and infiltration. Defenders can gather '
                    'intelligence during transitions.',
 'motivation': ['Financial gain', 'Cybercrime facilitation'],
 'post_incident_analysis': {'corrective_actions': 'Law enforcement takedowns '
                                                  'to disrupt cybercrime '
                                                  'ecosystems',
                            'root_causes': 'Cybercriminal reliance on '
                                           'centralized forums for operations'},
 'recommendations': 'Monitor alternative underground platforms (e.g., Rehub) '
                    'for cybercriminal migration and adapt defensive '
                    'strategies accordingly.',
 'references': [{'source': 'FBI/DOJ seizure notice'},
                {'source': 'XSS hacking forum post by Stallman'},
                {'source': 'Flare (Tammy Harper, Senior Threat Intelligence '
                           'Researcher)'}],
 'regulatory_compliance': {'legal_actions': 'Domain seizure and takedown'},
 'response': {'communication_strategy': 'Seizure notice and mocking banner '
                                        'displayed on seized domains',
              'containment_measures': 'Domain seizure',
              'law_enforcement_notified': 'Yes (FBI, US Attorney’s Office for '
                                          'the Southern District of Florida, '
                                          'DOJ’s Computer Crime and '
                                          'Intellectual Property Section)'},
 'threat_actor': ['RAMP (Russian Anonymous Marketplace)',
                  'RaaS gangs',
                  'Extortionists',
                  'Initial access brokers'],
 'title': 'FBI Seizes RAMP, a Key Hub for Ransomware and Cybercrime Operations',
 'type': 'Takedown'}