
The FBI has dealt a major blow to the cybercrime world by seizing RAMP, a notorious forum used to promote ransomware and other hacking services. RAMP, one of the last remaining platforms where ransomware operations could be openly advertised, now displays a seizure notice on both its Tor and clearnet domains, stating, “The Federal Bureau of Investigation has seized RAMP.” This action was coordinated with the U.S. Attorney’s Office for the Southern District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section.
The seizure banner mockingly features RAMP’s own slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!,” along with a winking image of Masha from the Russian cartoon Masha and the Bear. With domain name servers now redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov, law enforcement likely has access to a trove of sensitive data, including email addresses, IP addresses, private messages, and other potentially incriminating information. For careless cybercriminals, this could lead to arrests.
One of the forum’s alleged former operators, known as “Stallman,” confirmed the seizure in a post on the XSS hacking forum, expressing regret and acknowledging the risk all operators take. BleepingComputer reached out to the FBI for comment but has yet to receive an official statement.
RAMP was launched in July 2021, following a ban on ransomware promotion by Russian-speaking Exploit and XSS forums after the DarkSide ransomware attack on Colonial Pipeline. Created by the threat actor known as Orange (aliases: Wazawaka, BorisElcin), RAMP became a hub for ransomware gangs to advertise operations, recruit affiliates, and trade network access. Orange had previously operated Babuk, a ransomware group that collapsed after leaking stolen law enforcement data, which led to internal disputes and eventually to the creation of RAMP on a Tor domain formerly used by Babuk.
From the start, RAMP faced challenges. Distributed denial-of-service (DDoS) attacks disrupted its availability, which Orange attributed to former Babuk partners. These claims were denied, though the attacks persisted. The individual behind Orange, identified as Russian national Mikhail Matveev, confirmed his role in creating RAMP and stated the forum generated no profit, eventually stepping away due to persistent DDoS attacks and operational difficulties.
In 2023, Matveev was indicted by the U.S. Department of Justice for involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted critical U.S. infrastructure such as healthcare and law enforcement agencies. He was also sanctioned by the U.S. Treasury and placed on the FBI’s most-wanted list, and there is a $10 million U.S. State Department reward for information leading to his arrest or conviction.
What Undercode Says:
The seizure of RAMP marks a pivotal moment in the fight against ransomware. While many ransomware forums have been disrupted over the past few years, RAMP’s closure is significant because it served as one of the few remaining hubs where operators could openly advertise attacks. This means law enforcement now has access to potentially years’ worth of user data, messages, and operational intelligence that could lead to multiple high-profile arrests.
For cybercriminals, this is a stark reminder of the importance of operational security (opsec). Many users of RAMP likely underestimated the reach of U.S. authorities, exposing themselves through reused email addresses, weak VPN practices, or traceable communications. The seizure could trigger a chain reaction, where affiliates and operators of ransomware groups are forced to reevaluate their networks, potentially fracturing the ecosystem.
The arrest of Matveev underscores the international dimension of ransomware enforcement. U.S. authorities have increasingly leveraged both indictments and public sanctions to pressure foreign actors. His inclusion on the FBI’s most-wanted list and the $10 million reward highlight the strategic approach to deterring ransomware activity by making it both legally and financially perilous.
From a cybersecurity industry perspective, RAMP’s demise may temporarily disrupt ransomware campaigns, but history shows that criminal actors adapt quickly. New forums, encrypted chat platforms, and private networks often emerge to replace disrupted hubs. However, the operational lessons from RAMP — including the risk of internal disputes, DDoS attacks, and law enforcement infiltration — could shape how future ransomware platforms operate.
The seizure also emphasizes the role of intelligence gathering in cybercrime prevention. Access to RAMP’s data allows authorities to map relationships between operators, affiliates, and buyers, potentially dismantling entire networks rather than targeting single actors. This strategic, intelligence-driven approach could be more effective in the long-term fight against ransomware than reactive measures alone.
The public announcement, combined with the humorous seizure banner, sends a clear message: law enforcement is capable, persistent, and willing to take bold steps to disrupt cybercrime. The psychological impact on cybercriminals, alongside the legal consequences, may induce caution or force underground groups to adopt more secretive practices, possibly slowing their operations.
Finally, RAMP’s seizure reflects a broader trend: ransomware is no longer just a financial crime but a national security threat. Governments worldwide are now collaborating to track and prosecute operators, seize assets, and warn organizations about the operational risks of engaging with ransomware marketplaces. For the cybersecurity community, this is both a warning and an opportunity to strengthen defenses against an evolving threat landscape.
Fact Checker Results:
✅ The FBI has seized the RAMP forum and redirected its domains to official seizure servers.
✅ Mikhail Matveev, operating as Orange/Wazawaka, was indicted for multiple ransomware operations.
✅ RAMP was launched in 2021 as one of the last forums openly promoting ransomware.
Prediction:
💥 With RAMP offline, ransomware groups will likely migrate to smaller, encrypted channels, making attacks more decentralized but harder to monitor.
📉 Authorities may use seized data to dismantle affiliate networks, leading to arrests and potential disruption of ongoing attacks.
🔒 Organizations should anticipate a temporary drop in ransomware advertisements but maintain vigilance, as new platforms will inevitably emerge.
References:
Reported By: www.bleepingcomputer.com




