Russian-Speaking Forum ‘RAMP’ Fostering New RaaS Launches and Affiliates

Written by Bill Toulas
Published on July 28, 2021

The dark web is an ever-evolving space with domains changing hands, platforms shutting down, actors disappearing, and new places emerging as the next big thing. Researchers at KELA, the cyber-intelligence expert who focuses on the identification of novel threats that originate from the darkest places of the web, have spotted a new forum named 'RAMP.' This is a place set up to allow ransomware affiliates to find "ethical" RaaS programs to join and vendors to reach out to interested actors.

According to the report that KELA shared with TechNadu prior to its publication, the admin of the RAMP forum, who currently uses the nickname "Orange," announced it as a haven for the chased community that had no place to go after the REvil and DarkSide bans that took place on other notorious forums ('Exploit' and 'XSS'). The site itself is hosted on a domain previously used by Babuk, but since the actor has previously claimed to have sold various things to other hackers, it is impossible to tell if he's currently actively involved in this new endeavor.

Source: KELA

In terms of what can be found on RAMP, that would include mostly RaaS program promotions and affiliate posts looking for collaboration opportunities, selling initial access to compromised networks, etc. The rules mandate that anything relevant to attacking Russian firms or entities from CIS countries is prohibited. Spamming and using multiple accounts will also get you banned in RAMP.

RAMP rules, Source: KELA

One notable case was a post by a LockBit admin who promised to launch the LockBit 2.0 ransomware version soon, almost a full month back. Bleeping Computer now reports that the first samples of the advanced ransomware strain have been captured in the wild and are being analyzed by malware researchers. This announcement first came on RAMP, validating the forum and its role in the cybercrime space.

LockBit 2.0 announcement on RAMP, Source: KELA

During the first ten days of its operation, RAMP counted 350 registered users and over 100 posts. This steep rise came to an abrupt end when the site fell victim to a spamming attack that unfolded last week, with the hackers demanding the payment of a $5,000 ransom to stop the assault. The admin refused to comply with the demands, and the forum was soon flooded with porn GIFs as a result.

"Orange" offers $2,000 to anyone able to help clean up the forum, Source: KELA.

This led to the decision to purge everything (including most of the registered users), restrict all access to RAMP, and announce the intention to rebuild the forum from scratch using a more robust engine this time. The relaunch is set to take place on August 13, 2021, and to be accepted as a new user, one will have to cover the cost of $500 for a registration fee. This will ensure that only those who are serious about doing RaaS business will join RAMP, but it is well above the entry fee requested elsewhere.

RAMP relaunch countdown frontpage, Source: KELA

If 'RAMP' makes it, it'll mean that public ransomware as a service (RaaS) operations still have a future and that there are groups out there addressing the wider cybercrime community to make a profit. With all that has happened lately, nobody can be certain, but it's good to have a gauging tool that will give us the answer.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: