FBI takes notorious RAMP ransomware forum offline

Brownie2019

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
987
5,150
2,168
Germany
Content source
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline
The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be "the only place ransomware allowed."

Both the forum's presence on the dark web and on its regular website domain now display a notice from the FBI announced that it has been taken over by the law enforcement agency.

According to the message posted on the seized websites, it was seized by the FBI in collaboration with the US Attorney’s Office for the Southern District of Florida and the US Justice Department’s Computer Crime and Intellectual Property Section (CCIPS).
Click to expand...
Read more here:
www.bitdefender.com

FBI takes notorious RAMP ransomware forum offline

The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be "the only place ransomware allowed.
www.bitdefender.com www.bitdefender.com
 
  • Like
  • Applause
  • Wow
Reactions: Zero Knowledge, Halp2001, SeriousHoax and 4 others
Brownie2019 said:
Read more here:
www.bitdefender.com

FBI takes notorious RAMP ransomware forum offline

The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be "the only place ransomware allowed.
www.bitdefender.com www.bitdefender.com
Click to expand...
This looks like a “domain/forum seizure” where law enforcement has taken control of both the clearnet domain and the Tor presence and replaced them with an FBI seizure banner, which is a common pattern in prior takedowns. ([bitdefender.com](https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline))

What’s confirmed vs. what’s not (as of Jan 31 / Feb 1, 2026)
  • Bitdefender’s write-up (dated January 31, 2026) says the RAMP sites display an FBI takeover notice, and that the DNS nameservers point to ns1.fbi.seized.gov / ns2.fbi.seized.gov, which is consistent with an FBI-controlled seizure page. ([bitdefender.com](https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline))
  • Multiple outlets report there was no detailed public FBI statement at the time of reporting (i.e., the banner exists, but a full press release/case details may come later). ([techradar.com](https://www.techradar.com/pro/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs?utm_source=openai))

Why this matters (practically)
  • Disruption: RAMP appears to have functioned as a marketplace/coordination hub (affiliate recruiting, access brokering, data/tools trading). Taking it offline disrupts operations and forces threat actors to relocate and re-validate who they trust. ([bitdefender.com](https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline))
  • Potential exposure: If investigators obtained backend data (user records, messages, logs), that can enable follow-on investigations/arrests. However, the public can’t safely assume what was or wasn’t collected until official case details are released. ([bitdefender.com](https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline))

Safety note for readers
Even if a seized domain is now an FBI splash page, it’s still smart to avoid interacting with it (don’t try to “log in,” don’t reuse credentials, don’t treat it as a safe curiosity-click). In general, assume anything you submit to a seized service could be logged as part of an investigation, and there’s no benefit for defenders to poke at it directly. ([techradar.com](https://www.techradar.com/pro/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs?utm_source=openai))

Defender takeaway
This doesn’t “end ransomware,” but it’s meaningful pressure on the ecosystem. The best practical response remains the basics that reduce ransomware impact regardless of which forum replaces RAMP: strong MFA (ideally phishing-resistant where possible), least privilege, patching internet-facing systems, and offline/immutable backups with restore testing.

Sources
 
  • HaHa
Reactions: Sorrento
Technical Analysis & Remediation

MITRE ATT&CK/D3FEND Mapping

Target
RAMP Infrastructure (Web/Tor).

Effect
D3-DN (Deny/Disrupt Network).

Adversary Reaction
Expect T1583.003 (Acquire Infrastructure: Virtual Private Server) as threat actors displace to alternative forums.

Live Evidence Extraction

Seizure Indicator (DNS)
The domain nameservers have been re-routed to FBI-controlled sinkholes:

ns1.fbi.seized.gov

ns2.fbi.seized.gov

Visual Marker
Specific imagery of "winking Masha" from the cartoon "Masha and the Bear" embedded in the seizure page.

Associated Actors
Mikhail Matveev (aka "Wazawaka", "Orange"), previously arrested in 2024, was a key figure behind the forum. Current operator "Stallman" has publicly acknowledged the destruction of the forum.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment:

Monitor Traffic
Update SIEM/SOAR to flag any internal traffic attempting to resolve RAMP domains or connecting to the new FBI sinkhole IPs (fbi.seized.gov subdomains). This may indicate compromised insider threats attempting to reach their command channels or curious employees.

Blast Radius
Do not interact with the seized infrastructure. Law enforcement likely employs "waterholing" techniques to log IP addresses and browser fingerprints of visitors.

Phase 2: Eradication:

Threat Intel Update
Ingest new IOCs related to displaced RAMP affiliates (e.g., RansomHub, DragonForce) who will seek new venues for "Initial Access Broker" listings.

Phase 3: Recovery

Validation
Verify that corporate web filters block access to known criminal forums to prevent "shadow IT" interactions.

Phase 4: Lessons Learned

Intelligence Feed
Takedowns often lead to a "splintering" effect. Expect a short-term spike in phishing as affiliates lose their primary communication hub and become desperate for access.

Remediation - THE HOME USER TRACK

Priority 1: Safety (Do Not Touch)

Avoid Curiosity
Do not attempt to visit the seized website to "see the banner." Law enforcement monitors these pages, and your IP address will be logged.

Priority 2: Awareness

Scams
Be wary of fake "RAMP Admin" messages or emails claiming the site has moved to a new address; these are likely honeypots or phishing scams.

Priority 3: Persistence

Data Exposure
If you (hypothetically) had data on this forum, assume it is now in FBI custody. This includes user logs, private messages, and email addresses.

Hardening & References

Baseline
CIS Control 7.1 (Continuous Vulnerability Management) - Patching internet-facing systems is critical as displaced brokers seek easy targets.

Tactical
NIST SP 800-61r2 (Incident Handling) - Treat any traffic to seized domains as a potential indicator of compromise (IoC).

References

Bitdefender (Main Source)

TechRadar

Flare
Click to expand...
 
  • Like
Reactions: Zero Knowledge, Brownie2019, Halp2001 and 1 other person
An interesting move by the FBI 🕵️. This doesn’t end ransomware, but it does force groups to fragment and look for new hideouts. In the end, what really matters is staying alert and not letting your guard down—everyday prevention weighs more than any forum that gets taken offline 👀.
 
  • Like
Reactions: Sorrento, Zero Knowledge and Brownie2019
bazang said:
Just because the U.S. Government states that "FBI did this or that" does not mean that the "FBI did or did not do it."

The U.S. Government, like any other government, utilizes mis- and dis-information for a range of reasons.

@Divergent
Click to expand...
Information is power📡, and whoever controls the narrative plays with half‑truths as if they were knights on a chessboard♞. The curious part is that it’s never “black or white,” but rather how the shadows are dosed to shape collective perception🪞. That’s why, beyond the storyline, what truly protects us is keeping our guard up in daily practice🔐.
 
  • Like
Reactions: Sorrento
Halp2001 said:
Information is power📡, and whoever controls the narrative plays with half‑truths as if they were knights on a chessboard♞. The curious part is that it’s never “black or white,” but rather how the shadows are dosed to shape collective perception🪞. That’s why, beyond the storyline, what truly protects us is keeping our guard up in daily practice🔐.
Click to expand...
“If we've been telling lies, you've been telling half‑lies. A man who tells lies, like me, merely hides the truth. But a man who tells half‑lies has forgotten where he put it.”

-- Dr. Dryden
 
  • Sad
  • Like
  • Hundred Points
Reactions: Sorrento, Zero Knowledge and Halp2001
bazang said:
Just because the U.S. Government states that "FBI did this or that" does not mean that the "FBI did or did not do it."

The U.S. Government, like any other government, utilizes mis- and dis-information for a range of reasons.

@Divergent
Click to expand...
Your skepticism is noted and compliant with standard Cyber Threat Intelligence (CTI) practices. Governments conduct Information Operations (InfoOps), and criminals conduct "Exit Scams" (faking seizures to steal funds). However, in the case of the RAMP takedown, the immutable technical evidence, specifically the DNS transfer to US government-controlled infrastructure, confirms this was a state-level disruption, not a fabrication.
 
  • Like
Reactions: ForgottenSeer 114717 and Halp2001
Divergent said:
Your skepticism is noted and compliant with standard Cyber Threat Intelligence (CTI) practices. Governments conduct Information Operations (InfoOps), and criminals conduct "Exit Scams" (faking seizures to steal funds). However, in the case of the RAMP takedown, the immutable technical evidence, specifically the DNS transfer to US government-controlled infrastructure, confirms this was a state-level disruption, not a fabrication.
Click to expand...
There is no doubt that U.S. Government assets performed the disruption. However, these efforts are rarely performed completely and independently by a single executive agency within the U.S. Government. Typically, it is a cross-agency and cross-team effort, with some agencies and components within the government not known to the U.S. Government itself, let alone the global public.

There's lots and lots of agencies, components, programs, units, and other organizations within governments that have acronyms that few people know about.

"FBI" is a brand name moniker and face of U.S. federal law enforcement. Most likely, the actual work was done inter-agency to include Other Government Agencies (OGA).
 
  • Like
Reactions: Halp2001 and Sorrento
You forgot defense contractors which have a huge role in US cyber operations developing exploits and exploits.

They obviously have working TOR hidden service exploits or there is a severe vulnerability in them. They have no trouble taking .onions servers down.
 
  • Like
Reactions: Halp2001 and Sorrento
Zero Knowledge said:
You forgot defense contractors which have a huge role in US cyber operations developing exploits and exploits.

They obviously have working TOR hidden service exploits or there is a severe vulnerability in them. They have no trouble taking .onions servers down.
Click to expand...
Software Engineering Institute (SEI) under contract with the DoD, GCHQ, NSA, MIT (Millî İstihbarat Teşkilatı), Israel Security Forces, etc.
 
  • Love
  • Wow
  • Like
Reactions: Zero Knowledge, Halp2001 and Sorrento
You must log in or register to reply here.

You may also like...