Is the RAMP Dark Web Forum Shut Down?
[Update] February 27, 2026: “RAMP Members Exposed Through Independent OSINT Research”
RAMP (Russian Anonymous Marketplace) has been taken offline following a law enforcement seizure. The shutdown was publicly confirmed by the forum’s administrator, known as Stallman, marking a significant disruption within the global ransomware ecosystem.

Seizure banner indicating that the RAMP forum was taken down by the FBI and the U.S. Department of Justice.
RAMP’s closure is not just the takedown of a single forum. It represents the removal of a core coordination layer used by ransomware operators, affiliates, and access brokers to recruit partners, advertise ransomware programs, and trade initial network access.
What Happened to RAMP?
The seizure became public after visitors to ramp4u[.]io were met with a banner stating that the site had been seized by authorities. The notice indicates coordinated action involving the Federal Bureau of Investigation and the U.S. Department of Justice, alongside the U.S. Attorney’s Office for the Southern District of Florida.

Forum shutdown announcement posted by RAMP administrator Stallman following law enforcement seizure.
Shortly after the seizure notice appeared, RAMP administrator Stallman published a statement on the forum confirming that law enforcement had taken control of the platform. In his message, he acknowledged the end of RAMP operations and stated that he would not attempt to rebuild the forum from scratch, effectively signaling a permanent shutdown.
Why Was RAMP So Important to Ransomware Operations?
RAMP functioned as more than a discussion board. It was a central marketplace for ransomware activity, where:
- Ransomware groups promoted affiliate programs
- Initial Access Brokers sold RDP, VPN, and domain-level access
- Operators shared tools, exploits, and operational guidance
- Victim disclosures and leak site announcements surfaced early
Major ransomware groups and emerging actors alike relied on RAMP to validate reputation, recruit talent, and monetize access. In many cases, early indicators of new ransomware campaigns first appeared on RAMP before attacks materialized in the wild.
Its strict membership rules and high entry barrier helped establish trust among threat actors, making it one of the most strategically valuable forums in the ransomware supply chain.
Which Ransomware Groups Were Active on RAMP?
Before its seizure, RAMP hosted a wide range of high-impact ransomware and extortion groups, making it one of the most operationally dense forums in the ransomware ecosystem. Actors active on the platform included both established operations and emerging brands seeking affiliates and access.
Groups observed maintaining an active presence on RAMP included LockBit, DragonForce Ransomware, Qilin Ransomware, Medusa Ransomware, Eldorado Ransomware, and GLOBAL Ransomware.
In addition to ransomware operators, Initial Access Brokers (IABs) were highly active on RAMP, offering RDP, VPN, and domain-level access to corporate networks. These listings often included revenue estimates, sector information, and geographic targeting, enabling ransomware groups to calculate potential return before launching attacks.
The concentration of both operators and access sellers is what made RAMP uniquely valuable. Its closure disrupts not just communication, but the entire ransomware supply chain—from initial intrusion to extortion and monetization.
What Does RAMP’s Closure Change?
The takedown disrupts ransomware activity in the short term, but it does not eliminate it.
Historically, when forums like RAMP go offline, several patterns tend to follow:
- Fragmentation of actors across smaller or invite-only platforms
- Migration to alternative forums such as Exploit or XSS
- Increased use of Telegram channels for coordination and recruitment
- Temporary slowdown in affiliate recruitment and access sales
In the near term, ransomware operators lose a shared “marketplace” layer. Over time, however, activity is likely to re-emerge elsewhere, often in more distributed and less visible forms.
Why Does This Matter for Defenders?
RAMP’s seizure provides a rare visibility window into ransomware infrastructure disruption. When a forum of this scale disappears, threat actors are forced to re-establish trust, infrastructure, and communication channels—creating detectable signals across underground ecosystems.
Tracking these transitions is critical. Shifts in forum usage, sudden spikes in new Telegram channels, and changes in affiliate recruitment behavior often precede the next wave of ransomware activity.
Update: RAMP Members Exposed Through Independent OSINT Research
An independent cybersecurity researcher, Dancho Danchev, published an analysis of RAMP, claiming to have deanonymized a significant number of its registered members using a custom-built parser and monitoring dashboard.
Danchev’s tool extracted personally identifiable information tied to RAMP user accounts, including IP addresses correlated to usernames, posts, threads, direct messages, and forum activity such as logins, registrations, and email confirmations. The exposed data covers a geographically diverse user base spanning Asia, Africa, and Eastern Europe, with some users appearing across multiple session types and events.
Despite RAMP’s reputation as a high-barrier, high-trust environment enforced through a $500 registration fee and mandatory reputation vetting on XSS and Exploit.in, the research suggests the forum’s underlying data handling left member activity recoverable through external analysis.
How Does SOCRadar Track Post-RAMP Ransomware Activity?
SOCRadar continuously monitors dark web forums, ransomware leak sites, and underground communication channels to detect changes triggered by events like the RAMP shutdown.

SOCRadar Dark Web Monitoring
Through its Dark Web Monitoring and Threat Actor Intelligence capabilities, SOCRadar helps security teams:
- Track displaced ransomware actors after forum takedowns
- Monitor new access sale listings and affiliate recruitment attempts
- Detect early victim disclosures on emerging leak sites
- Correlate forum identities with known ransomware ecosystems
As ransomware actors adapt to RAMP’s closure, maintaining continuous visibility across the dark web remains essential for early warning and proactive defense.
