From Rise to Fall, RAMP: The End of the Largest Ransomware Forum in History.
What was once a safe harbor for ransomware groups has become a trap. After being seized by the FBI, the RAMP forum data is now in the hands of intelligence firms seeking to unmask criminals.
By Murilo Hoffmann from VerXus Team
Cybercrime suffered a double blow in recent weeks. First, on January 28, 2026, the domain ramp4u.io and its Tor network addresses were officially seized by the FBI. Now, the security and intelligence firm PRODAFT has revealed it possesses the platform's database, launching a direct campaign to recruit informants among former members.
The Rise of a Ransomware Haven
RAMP (Russian Anonymous Marketplace) emerged in July 2021, at a moment of crisis for cybercriminals. After the REvil gang's attack on the Colonial Pipeline, major forums like XSS and Exploit banned ransomware discussions to avoid government attention.
It was in this vacuum that RAMP was born, presenting itself as the "only place where ransomware is allowed". Initially operated by figures linked to the defunct Babuk group, such as the threat actor known as "Wazawaka", the forum became the main hub for:
- Affiliate recruitment: Groups like LockBit, ALPHV, and other Ransomware-as-a-Service (RaaS) operations used the space to find new members.
- Access sales: Initial Access Brokers (IABs) auctioned entry points into corporate networks for ransomware operations.
- Data leaks: The forum was frequently used to list victim companies that refused to pay ransoms.
- Trust escrow: The site ensured that transactions worth thousands of dollars in crypto assets were fulfilled between criminals through a rigorous negotiation system.
RAMP's "D-Day": International Operation
On January 28, 2026, anyone trying to access the domain ramp4u.io was met with an image that is every cybercriminal's nightmare: the official seizure banner coordinated by the FBI, in partnership with the NCA (United Kingdom), the Gendarmerie (France), and other European agencies.
The takedown was not merely technical but also psychological. The authorities used an image of the Russian character Masha (from Masha and the Bear) winking — a direct provocation to the forum's Russian administrators, signaling that their "impenetrable" infrastructure had been compromised.

PRODAFT and the SYS Initiative: "There Is Still Some Good Left in You"
The FBI's domain seizure was only half the problem for the criminals. PRODAFT, a Swiss threat intelligence firm, revealed that, through its SYS initiative, it managed to process the forum's database to map the TTPs (Tactics, Techniques, and Procedures) of the actors who frequently used the forum and the connections between them.
The company took the bold step of sending emails directly to addresses registered on RAMP, with the following message:
Dear ex-RAMP member,
You are receiving this email because we believe there is still some good left in many members of this forum, and now is the moment to choose a better path for yourself.
As you may be aware, PRODAFT has begun processing the RAMP forum database to better understand criminal actors, their TTPs, and their connections. This effort is part of our SYS initiative, which has already produced successful results in past operations.
We have publicly posted the RAMP update on our X account. We are not including links in this email to avoid unnecessary attention, but make sure you follow/like as usual.
You can assist us by helping with the de-anonymization of some of the most active cybercriminals and ransomware operators. Others have already chosen to support us by providing information that has proven both actionable and timely. If you maintain accounts on other forums, you may also reach out to us, as we are actively interested in those as well.
We maintain a TOX chat to securely receive tips in any language: D0E5B14B166D8440E3F54CDFC0F38E5080645F728F02AADFB7B978F9D579EE5A6D38A29DD307
You can also send an e-mail to: tips@prodaft.com
You are smart enough to do the right thing.
Regards, PRODAFT
The tone of the message is almost paternal, but it carries an implicit threat: that anonymity is over. The company claims to believe that "there is still some good left in many members" and offers secure channels, such as a TOX identifier, for those willing to collaborate with information about the "big fish" in the ransomware scene. The message also references a post on X, formerly Twitter, where they reinforce their access to the forum's information. Below is a translated image of the publication.

What Does This Change in the Security Landscape?
The fall of RAMP and the subsequent data analysis by intelligence firms like PRODAFT mark a turning point. If criminals once felt safe behind .onion domains, "BulletProof" providers, and strict admission rules, they now face a pincer movement between law enforcement and private intelligence.