SOCRadar® Cyber Intelligence Inc. | Dark Web Forum: RAMP
Dec 23, 2025

Dark Web Forum: RAMP

RAMP (Russian Anonymous Marketplace) is one of the most active and strategically significant ransomware forums on the dark web. Originally launched to connect ransomware operators, affiliates, and brokers, RAMP has evolved into a core hub of the ransomware ecosystem where threat actors collaborate, recruit, and trade.

More than just a communication board, RAMP operates as a ransomware marketplace where groups like DragonForce, Qilin, Medusa, GLOBAL Group, Eldorado, and LockBit maintain a constant presence. These actors actively seek skilled members, advertise new ransomware variants, and share operational intelligence, all aimed at expanding their influence and capabilities.

illustration of a female hacker working on a laptop in a neon-lit city.

Within the broader cyber threat ecosystem, RAMP stands out as a critical coordination point. Its discussions and listings often reveal early signs of emerging ransomware campaigns and evolving underground trends. Featured in our “Top 10 Dark Web Forums” analysis, RAMP remains a key focus for cybersecurity researchers worldwide, offering unparalleled insights into the tactics, recruitment, and dynamics of the ransomware underworld.

To see if your organization has been mentioned or exposed on platforms like RAMP, get your Free Dark Web Report from SOCRadar Labs. Instantly find out if your data appears on dark web forums, black markets, leak sites, or Telegram channels, and learn about potential credential leaks, infected devices, and data for sale to understand your organization’s dark web risk within seconds.

SOCRadar Labs Free Dark Web Report

What Is RAMP?

RAMP (Russian Anonymous Marketplace) is a Russian-speaking dark web forum established in July 2021 to facilitate ransomware operations and collaboration among threat actors. It serves as a central platform for the Ransomware-as-a-Service (RaaS) ecosystem, bringing together ransomware operators, affiliates, and initial access brokers to share intelligence, advertise services, and trade intrusion tools.

The forum was launched on the same domain previously used by the Babuk ransomware data leak site and its short-lived successor, Payload.bin. This continuity allowed RAMP to quickly gain visibility and credibility within the underground community. Early posts on RAMP included listings for Fortinet VPN exploits and hacking utilities used in real-world attacks, showing its strong technical orientation from the very beginning.

RAMP forum logo displayed over the DragonForce branding.

Although the current RAMP is primarily focused on ransomware and network access sales, the name itself is not new. The original RAMP, which operated between 2012 and 2017, was a Tor-based drug marketplace restricted to Russian users. That earlier version was eventually dismantled by Russian law enforcement. The modern RAMP, sometimes referred to as RAMP 2.0, shares only the name and linguistic roots with its predecessor; it is a completely different entity built around the cyber extortion economy.

Operating both on the clearnet and as a .onion service within the Tor network, RAMP ensures layered anonymity for its users and administrators. This dual infrastructure allows ransomware groups, affiliates, and brokers to coordinate campaigns, sell stolen data, and exchange tools under the protection of high operational security, solidifying its role as a core component of the global RaaS landscape.

How Does RAMP Operate?

RAMP combines the structure of a darknet market with the interactive nature of a forum. The platform relies on an escrow system to manage cryptocurrency transactions, reducing fraud risk between criminal parties. While most exchanges occur publicly within threads, sensitive negotiations often move to private, encrypted communication channels.

DragonForce dark web forum interface displaying categories like programming, market, and anonymity.

The forum supports English, Russian, and Chinese, attracting a multilingual and globally distributed user base. RAMP’s members range from access brokers and malware developers to ransomware affiliates and negotiators.

Membership Rules and Admission Criteria

RAMP enforces strict membership requirements to maintain operational security. When the forum was relaunched in August 2021, entry was limited to users who already held accounts on well-known Russian-language forums such as XSS or Exploit for at least two months, with a minimum of ten posts and a positive reputation score.

RAMP forum registration page showing account verification and membership requirements.

Applicants who did not meet these criteria could still gain access by paying a $500 registration fee—a price considered high compared to other rival forums. This high barrier was designed to filter out inexperienced users and discourage infiltration by researchers or law enforcement.

From a moderation standpoint, RAMP follows the traditional norms of Russian underground forums. Members are explicitly forbidden from:

  • Targeting Russia or CIS countries in attacks,
  • Operating multiple accounts,
  • Spamming or posting irrelevant content, and
  • Engaging in activity that violates the Russian Criminal Code within the forum.

By maintaining these rules, RAMP positions itself as a “professional” underground space: exclusive, tightly controlled, and focused on cyber operations rather than general criminal trade.

Services and Content Categories

RAMP hosts a broad range of content related to cybercrime, primarily focused on ransomware operations. Key categories include:

Pinned threads on the RAMP forum featuring ransomware programs and access sales.

  • Data leaks and victim disclosures – Listings of stolen data, ransomware victim announcements, and leak site updates.
  • Ransomware announcements – Posts from major groups such as LockBit 2.0 advertising affiliate programs or new attack versions (e.g., ESXi-focused campaigns).
  • Initial access sales – Offers to sell RDP or VPN access to corporate networks, often including target details such as region and annual revenue to determine price.
  • Malware and exploit kits – Shared ransomware builders, exploit code, and penetration tools, including vulnerabilities in Fortinet VPN and Windows systems.
  • Guides and operational resources – Tutorials, negotiation tips, and infrastructure coordination for ransomware operators and affiliates.

Inside RAMP’s Dark Economy: From Initial Access to Advanced Weaponization

RAMP distinguishes itself not just as a forum, but as a complete supply chain for cybercriminal operations. SOCRadar’s dark web analysis reveals a structured economy where threat actors can procure everything from the “entry ticket” to the “heavy weaponry” needed to dismantle corporate defenses.

The marketplace operates on two critical pillars: Initial Access Brokers (IABs) who open the doors, and Tool Developers who provide the means to stay inside.

Revenue-Based Access Pricing

On RAMP, access is not sold randomly; it is priced based on the target’s Annual Revenue and Privilege Level. This “ROI-driven” approach allows attackers to calculate their potential ransom profits before investing.

  • Commodity Access: Standard RDP access to smaller firms or specific regions (e.g., Canada) typically trades for around $1,200 – $1,500.
  • Corporate & Finance: Access to financial institutions with revenues exceeding $400 million commands higher prices, often starting at $5,000 for system-level privileges.
  • High-Value Targets: The healthcare sector is particularly targeted due to its low tolerance for downtime. Domain Admin access for a US-based healthcare organization can fetch upwards of $20,000.
  • The Unicorn Listings: In rare cases, exclusive access to massive global conglomerates is listed for as much as $1,000,000, targeting only the most sophisticated APT groups or ransomware cartels.

The Weaponization Phase: EDR Killers and Zero-Days

Gaining access is only the first step. To maintain persistence and evade detection by modern SOC teams, attackers on RAMP invest heavily in advanced offensive tools.

  • Evading Defense: As organizations adopt EDR/XDR solutions, attackers are countering with “EDR Killer” drivers. Using techniques like Bring Your Own Vulnerable Driver (BYOVD), these tools (selling for $3,000+) attempt to blind security sensors at the kernel level.
  • Advanced Frameworks: Cracked versions of legitimate adversarial simulation tools, such as Cobalt Strike 4.11, are sold for $7,000, promising stealth features to bypass standard AV detections.
  • Subscription Malware: The market has shifted to Malware-as-a-Service, with sophisticated RAT/Stealer suites (featuring HVNC for banking fraud) renting for $5,000 per month.
  • Zero-Day Exploits: For high-stakes operations, actors actively seek and sell 0-day exploits for enterprise VPNs (e.g., Palo Alto, Citrix, Fortinet), sometimes demanding budgets in the tens of thousands of dollars or Bitcoin equivalents.

Strategic Importance for Cybersecurity

Monitoring RAMP provides critical insights into the ransomware ecosystem. The forum serves as an early indicator for emerging threats, compromised infrastructures, and affiliate recruitment trends. Key intelligence benefits include:

  • Early detection of network access listings that may involve targeted organizations.
  • Identification of new ransomware variants and associated attack tools.
  • Visibility into industry and geographic targeting trends.
  • Mapping relationships between ransomware groups and affiliates.
  • Enhanced situational awareness for proactive threat hunting.
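
Because access listings usually describe the victim only by region, sector, revenue, and privilege level, early detection comes down to matching those attributes against your own organization's profile. The following is an added example, not SOCRadar code: the listing strings are constructed samples, and the ORG profile, weights, and threshold are assumptions to tune.

```python
import re

# Constructed sample listings in the style the article describes (not real posts).
LISTINGS = [
    "Selling RDP access | Canada | logistics | revenue $12M | local user | $1,300",
    "VPN access, USA, healthcare, revenue $850M, domain admin, price $20,000",
    "Citrix access / Germany / finance / revenue 400M+ / system / start 5000$",
]
# Hypothetical profile of the organization being defended.
ORG = {"country": "usa", "sector": "healthcare",
       "revenue_usd": 900_000_000, "remote_access": {"vpn", "rdp"}}

_MULT = {"k": 1e3, "m": 1e6, "b": 1e9}
_REV = re.compile(r"revenue\s*\$?\s*([\d.,]+)\s*([kmb])", re.I)

def parse_revenue(text):
    """Extract the advertised annual revenue in USD, or None if absent."""
    m = _REV.search(text)
    if not m:
        return None
    return float(m.group(1).replace(",", "")) * _MULT[m.group(2).lower()]

def score_listing(text, org, tolerance=0.5):
    """Return (score, reasons); a higher score means a closer profile match."""
    low = text.lower()
    tokens = set(re.findall(r"[a-z]+", low))
    rev = parse_revenue(low)
    checks = [
        ("country", 2, org["country"] in tokens),
        ("sector", 2, org["sector"] in tokens),
        # Brokers round figures, so accept revenue within +/- tolerance.
        ("revenue band", 3, rev is not None
         and abs(rev - org["revenue_usd"]) <= tolerance * org["revenue_usd"]),
        ("access type", 1, bool(tokens & org["remote_access"])),
        ("high privilege", 1, "domain admin" in low or "system" in tokens),
    ]
    reasons = [name for name, _, hit in checks if hit]
    return sum(w for _, w, hit in checks if hit), reasons

def triage(listings, org, threshold=5):
    """Return (score, reasons, listing) tuples at or above threshold, best first."""
    scored = [(*score_listing(text, org), text) for text in listings]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

if __name__ == "__main__":
    for score, reasons, text in triage(LISTINGS, ORG):
        print(score, reasons, text)
```

A hit is a lead for investigation (review remote-access logs, rotate exposed credentials), not confirmation that the listing refers to your network.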

How SOCRadar Can Help Against Platforms Like RAMP

SOCRadar enables organizations to stay protected from threats emerging on dark web forums such as RAMP through Advanced Dark Web Monitoring and continuous visibility into underground ecosystems. Its unified platform allows security teams to detect, track, and respond to dark web activity before it escalates into a cyber incident.

SOCRadar Dark Web Monitoring

With the following modules, SOCRadar provides comprehensive protection:

  • External Attack Surface Management (EASM): Identifies exposed assets, misconfigurations, and vulnerabilities that could be exploited by threat actors.
  • Digital Risk Protection (DRP): Detects data leaks, brand impersonations, and mentions of your organization across dark web forums, black markets, and Telegram channels.
  • Advanced Dark Web Monitoring: Monitors ransomware operations, access sales, and threat actor interactions on underground platforms like RAMP, providing early warning and actionable intelligence.

By combining these capabilities, SOCRadar helps organizations proactively uncover dark web threats, gain deeper insights into attacker behavior, and take preventive measures to reduce exposure.