SOCRadar® Cyber Intelligence Inc. | Under the Spotlight: RAMP Forum 


Jul 07, 2022
4 Mins Read

Under the Spotlight: RAMP Forum 

In July 2021, a new Russian-speaking forum called RAMP, Russian Anonymous Market Place, which attracts a lot of interest from researchers and cybercriminals, was formed. The forum was launched on the same domain previously held, the Babuk ransomware data leak site and then the Payload.bin data leak site. 

What is RAMP Forum? 

RAMP Forum is a Russian cybercriminal membership forum previously known as Payload.bin, as indicated above. This forum also sold FortiNet VPN and shared hacking tools used in the infiltration operation. It is not a new place.

Years ago, RAMP was an internet website available over the Tor network that allowed users to buy or advertise all types of illegal things, including drugs. The site, which was launched in 2012 and is exclusively available in Russia, had a reputation for being the best place to buy drugs that could be delivered within Russia’s borders.

This version of it was used as a forum besides the marketplace side. However, in 2017 Russian police announced that they had taken down this forum, and then it disappeared.

After a few years, in 2021, a new forum with the name RAMP 2.0 emerged on the Dark Web, which seemed almost the same as the older portal. Therefore, it brought the question, “Is this the recent version of the previous one.” 

With the reemerged version, new users are also started to be seen. One of the most taking attention is Chinese speakers. RAMP is back up and teeming with what could be Chinese activity after its administrator opened it up to Mandarin and English-speaking threat actors. In this version of it, the languages on the site are composed mainly of English, Russian, and Chinese. 

What is the Relationship Between RAMP forum and RaaS? 

Ransomware as a service (RaaS) is a subscription-based model that allows affiliates to perform ransomware attacks using pre-developed ransomware tools. Each completed ransom payment provides fellows with a commission. 

It is an essential point for the RAMP forum because, after the attack on the colonial pipeline in the US in 2021, most forums prohibited ransomware groups from sharing that information. This situation created an advantage for the RAMP forum because, contrary to the others, RAMP created a special place under the “partners program” for those groups to carry out their activities, such as finding new hackers or selling initial accesses. This can be one of the most significant differences between RAMP and the others. 

What are the Registration Criteria? 

To be able to register on this forum, there are some criteria that you need to fulfill. After the approval, you can be included in the forum. Those are: 

  • Registration for xss and exploit forums at least two months 

  • At least ten posts on one of these forums 
  • Good reputation 

Besides these, for those who do not want to reveal their profiles and stay anonymous, registration can be completed in exchange for 500 dollars. 


To conclude, the reemerged RAMP forum not only operates as a forum but also as a market that includes sales of different information like accesses. Since it also serves as a RaaS, it creates opportunities for cyber threats.


With SOCRadar® Free Edition, you’ll be able to:

  • Prevent Ransomware attacks with Free External Attack Surface Management
  • Get Instant alerts for fraudulent domains against phishing and BEC attacks
  • Monitor Deep Web and Dark Net for threat trends
  • Get vulnerability intelligence when a critical zero-day is disclosed
  • Get IOC search & APT tracking & threat hunting in one place
  • Get notified with data breach detection

Free for 12 months for one corporate domain and 100 auto-discovered digital assets.
Get Free Access.