RAMP (Russian Anonymous Marketplace) was a Russian-language cybercrime forum that operated from late 2021 until it was seized by the FBI on January 28, 2026, in coordination with the U.S. Attorney’s Office for the Southern District of Florida. It ran as a Tor hidden service and also maintained a clearnet mirror at ramp4u.io, which made it more accessible than many competing forums.
The forum ran on XenForo 2.2.5, a commercial platform, and had dedicated sections for selling network access, malware, ransomware partnerships, stolen data, and hiring criminal freelancers. Thread titles appeared in Russian, English, and Chinese, highlighting its global audience from Western cybercriminals to East Asian threat actors.
Comparitech gained exclusive access to a leaked database from RAMP. The full MySQL dump contains user records, forum threads, private messages, IP logs, and admin activity spanning November 2021 through January 2024.
RAMP at a glance
- 7,707 registered users
- 1,732 forum threads
- 340,333 IP log records
- 1,899 private conversations
- 3,875 private messages
- 14 RaaS programs advertised
- 250+ ransomware leak sites referenced
Key findings:
- The RAMP forum facilitated the sale of corporate network access to organizations including defense contractors, energy companies, banks, hospitals, and government agencies across 20+ countries
- The US is the #1 target: it appeared in 40% of listings where a country was identified
- A single access broker posted 41 separate listings selling entry points into corporate networks, including a US company with $1.2 billion in revenue and government networks in South America and Ukraine
- 14 ransomware-as-a-service (RaaS) programs actively recruited affiliates, offering up to 90% of ransom payments
- Government agencies were the most-targeted sector (21 listings), followed by finance/banking and technology/telecom (11 each)
- Forum activity surged 348% from a low of 67 threads in Q4 2022 to 300 threads in Q4 2023, suggesting a major resurgence after law enforcement disruptions
The access market: selling the keys to corporate networks
The single largest section of RAMP was its access marketplace, where 333 threads offered entry points into compromised corporate networks. These listings represent the first stage of the ransomware kill chain — before any malware is deployed, someone has to get inside.
Access types sold
The most common access type was RDP (Remote Desktop Protocol), appearing in 59 listings, followed by VPN access (22) and SSH/shell access (22). Domain Administrator access (giving full network control) was advertised in 12 listings and commanded a premium.
| Access Type | Listings | Share | Risk Level |
|---|---|---|---|
| RDP (Remote Desktop Protocol) | 59 | 43% | Critical |
| VPN (corporate gateways) | 22 | 16% | Critical |
| SSH / Webshell | 22 | 16% | High |
| Domain Admin (full network control) | 12 | 9% | Critical |
| Citrix | 7 | 5% | High |
| VNC | 3 | 2% | High |
| Unspecified | 208 | — | — |
Target countries
The United States dominates the victim list, appearing in 40% of listings where a country was identified:
| Country | Listings | % of identified targets |
|---|---|---|
| United States | 39 | 40% |
| EU (various) | 6 | 6% |
| Asia (various) | 6 | 6% |
| Canada | 5 | 5% |
| Brazil | 3 | 3% |
| India | 3 | 3% |
| China | 3 | 3% |
| South Korea | 2 | 2% |
| Israel | 2 | 2% |
| Other (20+ countries) | 26 | 27% |
Target industries
Government organizations were the most frequently targeted sector:
| Industry | Listings | Named Victims Include |
|---|---|---|
| Government (incl. embassies, military) | 21 | Mexican embassy, Ukraine GOV, IDF |
| Finance & Banking | 11 | Consolidated Bank of Ghana, AddisBank |
| Technology & Telecommunications | 11 | China Telecom, Emirates Telecom, Taiwan Telecom |
| Energy (oil, gas, power) | 5 | US petroleum co. ($1B), US energy ($800M) |
| Healthcare & Hospitals | 4 | South Korean hospital, Thai hospital |
| Education & Universities | 4 | US universities, unspecified |
| Manufacturing | 3 | Toyota's Brazilian operations |
| Defense & Aerospace | 2 | Indian defense aerospace |
| Retail | 2 | PEPSI official distributor in Asia |
Named organizations in thread titles included a PEPSI official distributor in Asia ($250M+ revenue), an Indian defense aerospace company, Toyota’s Brazilian operations ($1B+ revenue), the Consolidated Bank of Ghana, AddisBank (Ethiopia), Emirates Telecom ($1.3B revenue), a Mexican embassy, hospitals in South Korea and Thailand, China Telecom, and Israeli telecommunications infrastructure.
The shift toward VPN exploitation
In early 2022, the market was dominated by RDP access. By late 2023, VPN access listings had grown significantly, reflecting a shift in attack methodology:
| Quarter | RDP | VPN | SSH | DA | Shell | Total |
|---|---|---|---|---|---|---|
| Q4 2021 | 3 | 2 | 0 | 0 | 1 | 21 |
| Q1 2022 | 9 | 0 | 1 | 3 | 0 | 34 |
| Q2 2022 | 13 | 0 | 0 | 4 | 1 | 35 |
| Q3 2022 | 7 | 1 | 0 | 0 | 0 | 28 |
| Q4 2022 | 0 | 1 | 0 | 1 | 1 | 13 |
| Q1 2023 | 2 | 1 | 0 | 4 | 2 | 25 |
| Q2 2023 | 7 | 1 | 5 | 2 | 4 | 49 |
| Q3 2023 | 4 | 1 | 4 | 1 | 2 | 42 |
| Q4 2023 | 7 | 7 | 0 | 4 | 5 | 57 |
| Q1 2024* | 1 | 0 | 0 | 1 | 0 | 28 |
*Data ends late January.
VPN access listings jumped from near-zero throughout 2022 to 7 in Q4 2023, matching RDP. This correlates with the surge of critical Cisco, Fortinet, and Citrix VPN vulnerabilities disclosed in 2023, which criminals rapidly weaponized.
SSH access, virtually absent in 2022, appeared in nine listings during Q2-Q3 2023 — mostly from sellers “xss_0x2” (12 SSH listings total) and “dayone31337_blardo” (4 SSH listings for Chinese and Korean targets).
Which VPN vendors are criminals targeting?
When sellers specified the VPN product they had compromised, Cisco appeared most frequently:
| VPN Vendor | Mentions | Context |
|---|---|---|
| Cisco (AnyConnect, ASA) | 8 | Most frequently exploited; bulk credential sales |
| Citrix | 7 | Gateway access to large enterprises |
| Fortinet (FortiGate) | 3 | Exploited via known CVEs |
| Pulse Secure | 3 | CVE-2019-11510 referenced directly |
| Palo Alto (GlobalProtect) | 2 | Enterprise networks |
| SonicWall | 1 | — |
| F5 BIG-IP | 1 | — |
One seller (“blackod”) posted five consecutive Cisco VPN access listings for US, Australian, Canadian, and UK organizations in November 2023 alone, suggesting automated scanning and exploitation of a common Cisco vulnerability at scale. Another thread explicitly referenced CVE-2019-11510 (Pulse Secure) by name, demonstrating that known but unpatched vulnerabilities remain a primary entry point.
A separate demand-side thread from “yakuza” titled “Buy corporate access [SonicWall, Cisco, Fortinet, F5 BIG IP, Pulse, Citrix, RDWeb]” further confirms that these seven vendors represent the primary targets.
The biggest listings by victim revenue
Access to a South Korean conglomerate with a reported annual revenue of $16 billion was the most valuable listing on the forum:
| Date | Victim Description | Revenue (USD) | Seller |
|---|---|---|---|
| Sep 2022 | South Korean corporation | $16 billion | inthematrix |
| Dec 2023 | South Korean corporation | $15 billion | Big-Bro |
| Sep 2022 | US corporation | $6 billion | inthematrix |
| May 2023 | US corporation | $2.6 billion | uroboros |
| Dec 2023 | Canadian corporation (RDP) | $5 billion | fokonishi |
| Apr 2023 | Emirates Telecom (UAE) | $1.3 billion | vars_secc |
| Mar 2022 | US corporation (RDP) | $1.2 billion | inthematrix |
| Aug 2022 | US petroleum company | $1 billion | Skyler |
| Mar 2023 | Toyota Brazil | $1 billion+ | el84 |
| Dec 2023 | US energy company | $800 million | fokonishi |
The bigger the target, the higher the price
Of the 333 access listings, 48 explicitly stated the victim organization’s annual revenue. Buyers use this figure to estimate how much money they could steal or extort from the victim, which in turn determines the price of access.
| Revenue Tier | Listings | % of Revenue-Listed | Typical Access Type |
|---|---|---|---|
| Under $50M | 18 | 38% | RDP, Domain Admin, Webshell |
| $50M–$200M | 11 | 23% | RDP, Domain Admin |
| $200M–$500M | 7 | 15% | RDP, Domain Admin, Webshell |
| $500M–$1B | 3 | 6% | RDP |
| $1B–$5B | 6 | 13% | RDP, Domain Admin |
| $5B+ | 3 | 6% | Unspecified (premium) |
The ransomware economy: affiliate splits reaching 90%
RAMP hosted 60 threads in its dedicated RaaS section, where ransomware operators recruit affiliates. The data reveals a clear trend toward more generous splits over time — from 80/20 in early 2022 to 90/10 by mid-2023:
| Date | RaaS Program | Split (affiliate/operator) | Language |
|---|---|---|---|
| Feb 2022 | RTM Locker 3.0 | 80/20 | — |
| Jun 2022 | Luna | 85/15 | Rust |
| Dec 2022 | Nevada | 85/15 | — |
| May 2023 | Knight 3.0 | 90/10 | — |
A 90/10 split means the person deploying the ransomware keeps $900,000 out of every $1 million in ransom collected. This escalation reflects fierce competition for skilled and willing affiliates across the cybercrime ecosystem.
14 RaaS programs advertised on RAMP (2021–2024)
We identified 14 distinct RaaS programs:
- AvosLocker (Nov 2021)
- Conti (Nov 2021)
- Luna (Jun 2022)
- BEAST (Jun 2022)
- Nevada (Dec 2022)
- CryptNet (Apr 2023)
- Knight 3.0 (May 2023)
- NoEscape (May 2023)
- Bl00dy (Jul 2023)
- KUIPER (Sep 2023)
- UBUD (Nov 2023)
- PHOBOS — cracked builder (Dec 2023)
- Zeppelin2 — source code leak (Dec 2023)
- Wing 1.0 (Jan 2024)
The appearance of cracked builders and leaked source code (PHOBOS, Zeppelin2) is particularly concerning. It lowers the barrier to entry, allowing anyone to launch independent ransomware attacks outside the RaaS model entirely. No affiliate agreement, no profit-sharing, and no operator oversight are required.
Democratization through cracked builders
Seven separate listings offered cracked or leaked versions of established ransomware and penetration testing tools:
| Date | Tool | Type | Significance |
|---|---|---|---|
| Jul 2022 | OSKI Stealer | Cracked | Information stealer used for credential theft |
| Aug 2022 | Mars Stealer V8 | Cracked (panel+builder) | Popular stealer with full infrastructure |
| Sep 2022 | LockBit 3.0 Builder | Leaked | Most prolific ransomware operation; builder enables anyone to deploy |
| Aug 2023 | Cobalt Strike 4.8 | Cracked | $5,900/year legitimate tool used by most APTs |
| Nov 2023 | Core Impact 21.3 | Cracked | Commercial pentest tool ($20K+/year) |
| Dec 2023 | PHOBOS Ransomware | Cracked builder | Affiliate program bypassed entirely |
| Dec 2023 | Zeppelin2 | Source code + cracked builder | Full source code enables modification |
| Jan 2024 | Stop/DJVU | Cracked builder | Targets individual consumers/small businesses |
The LockBit 3.0 builder leak was the most consequential. LockBit was the world’s most prolific ransomware operation when RAMP was at its peak, and its leaked builder has been used by dozens of independent operators who have no affiliation with the original group. This single leak multiplied the number of LockBit-branded attacks far beyond what the original operators could manage.
Cracked versions of commercial penetration testing tools like Cobalt Strike ($5,900/year) and Core Impact ($20,000+/year) further lower barriers. These tools, designed for legitimate security testing, provide professional-grade attack capabilities at zero cost to criminals.
The combined effect is a “democratization” of ransomware — the tools, techniques, and playbooks that once required affiliation with a major RaaS operation are now freely available to any moderately skilled criminal.
The malware supermarket
The malware marketplace hosted 121 listings across a range of criminal tools:
| Category | Listings | Notable Examples |
|---|---|---|
| Exploits & 0-days | 22 | Sonicwall VPN RCE, Office 0-day, WinRAR RCE |
| Crypters / FUD tools | 17 | Private Crypt ($2K/month), Luxury Shield |
| Ransomware | 12 | Kakia v2, Thanos, ESXi ransomware |
| RATs & Backdoors | 11 | Windows backdoors, Android banking trojans |
| Stealers / Infostealers | 10 | LummaC2, Mars Stealer, Meduza, OSKI |
| Botnets | 7 | Crypto botnet ($25K), GoldBrute RDP scanner |
| Loaders / Droppers | 6 | AresLoader, BazarLoader |
Standout listing: a crypto-stealing botnet advertised at $25,000 that claimed to bypass two-factor authentication on major cryptocurrency exchanges. The forum also listed a VPN RCE 0-day exploit with an asking price of $100,000, indicating that nation-state-grade vulnerabilities circulate in these spaces.
The criminal job market: $25K/month for malware developers
RAMP’s freelance section (68 threads) functions as a criminal career marketplace.
Only one thread explicitly advertised a salary, but it was a striking one. A user posting under “OttoFonBismark” in November 2022 offered $20,000–$25,000 per month for an Android “virologist” (malware developer), promising “fast and big money.”
The compensation spectrum
| Role | Compensation Model | Evidence from RAMP |
|---|---|---|
| Android malware developer | $20–25K/month | Explicit salary offer, "fast and big money" |
| Ransomware affiliate | 70–90% of ransom | Ransom payments average $200K-$1M+ |
| Access broker | Per-sale | Prices vary $500-$50K+ by target size |
| Pentester (hired by RaaS team) | % of ransom | Multiple teams hiring, split negotiated |
| Ransom negotiator | Per-deal | Thread seeking "callers for negotiations" |
| Insider (telecom employee) | Per-SIM-swap | AT&T/T-Mobile/Verizon insiders sought |
| Crypto exchange insider | Unknown | Thread: "I have insider admin in one European crypto exchanger" |
The top 10 vendors on RAMP
The most active sellers represent the forum’s commercial backbone:
| # | Seller | Listings | Specialty |
|---|---|---|---|
| 1 | inthematrix | 41 | Corporate RDP access (US, EU, Asia, GOV) |
| 2 | boxi | 23 | VNC/SSH access, data dumps |
| 3 | el84 | 18 | Corporate access (Brazil, Israel, telecom) |
| 4 | RobinHood | 12 | Access broker + RaaS operator (KUIPER) |
| 5 | xss_0x2 | 12 | SSH access (Linux corps, worldwide) |
| 6 | jacksparrow | 11 | US/EU RDP access |
| 7 | w1nte4mute | 11 | Corporate access |
| 8 | eliotto | 8 | VPN exploits, malware |
| 9 | Big-Bro | 8 | High-value corporate access |
| 10 | vars_secc | 7 | Telecom, banking (UAE, Taiwan, Thailand) |
“RobinHood” stands out as a dual-role threat actor: selling corporate access to targets including an Indian defense aerospace firm and a PEPSI distributor, while simultaneously operating the KUIPER RaaS program targeting Windows, Linux, ESXi, NAS, MacOS, and FreeBSD.
The demand side: who’s buying?
Twenty-four threads were posted by buyers actively seeking corporate access, revealing what’s in demand:
| Date | Buyer | What They Want |
|---|---|---|
| Dec 2021 | AvosLocker | Buy or work access (VPN->RDP, Citrix, webshell..) |
| Jan 2022 | Whop-Whop | BUYING CORP ACCESSES US/CA/UK/AU/DE/FR |
| Apr 2023 | FASTPRISONER | I will buy USA and CANADA corporate accesses + pay % from profit |
| Sep 2023 | unknow50 | I buy access from Iran |
| Sep 2023 | Sirene | Looking for access of Indian govt |
| Oct 2023 | yakuza | Buying Cisco, Fortinet, Pulse, Citrix, F5, SonicWall, RDWeb access |
| Oct 2023 | krab | Need access to road cameras of a certain country |
| Nov 2023 | Pwnstar | Pentesters for $1B+ revenue networks; later: Canadian Credit Union logs |
| Feb 2023 | ippsec | Buy Access SSH/SHELL/SCADA from Iran |
The AvosLocker listing is particularly significant: a known ransomware operation directly posting buying requests on the same forum where it advertised its RaaS program. This confirms the supply chain relationship between access brokers and ransomware operators.
The requests for SCADA access in Iran and for road-camera access in a specific country suggest state-aligned or espionage-motivated activity alongside the primarily financially motivated listings.
Several buyers offered profit-sharing arrangements (“pay % from profit”), indicating that some buyers lack the upfront capital to purchase access outright and instead offer a cut of eventual ransom payments.
Forum growth: a U-shaped recovery
RAMP’s activity follows a distinctive pattern. After a strong 2021 launch, activity declined through 2022, hitting a low of just 67 threads in Q4. Then it rebounded sharply through 2023:
| Quarter | Threads | Change | Context |
|---|---|---|---|
| Q4 2021 | 345 | (launch) | Forum established |
| Q1 2022 | 216 | -37% | |
| Q2 2022 | 144 | -33% | |
| Q3 2022 | 93 | -35% | |
| Q4 2022 | 67 | -28% | Trough: law enforcement pressure |
| Q1 2023 | 91 | +36% | Recovery begins |
| Q2 2023 | 169 | +86% | |
| Q3 2023 | 198 | +17% | |
| Q4 2023 | 300 | +52% | Peak — 348% above trough |
| Q1 2024* | 109 | (partial) | |
*Data ends late January.
The Q4 2022 trough likely reflects law enforcement operations that year, including the Hive ransomware takedown and related arrests. The 2023 resurgence, peaking at 300 threads in Q4, suggests the forum successfully attracted displaced users from other disrupted platforms.
Operational security: where criminals slip up
Most RAMP users relied on privacy-focused email providers. Proton Mail accounted for 38% of registrations.
A significant minority made poor choices. Across the full 7,707 user database, 94 accounts were registered with Gmail addresses tied to Google accounts. Several contain patterns consistent with real names.
The forum’s server logged 340,333 IP records across 4,788 users. While most IPs are Tor exit nodes (expected for a .onion site), the data provides session correlation and timing analysis opportunities. We identified connections from residential ISPs in multiple countries, suggesting some users accessed the forum without Tor protection.
Private messages: the deals behind the curtain
The database includes 1,899 private conversations containing 3,875 messages — the hidden negotiations that turn forum listings into actual attacks. Conversation subjects include “VPN access,” “Stealer,” “Request [RaaS] Private Partner Program,” and direct deal-making. This private message data captures the actual transaction layer that public forum posts only advertise.
For example, when the forum’s most prolific access broker “inthematrix” listed access to a South Korean conglomerate with $16 billion in annual revenue, buyer inquiries arrived within hours. One user (“frenkie378”) initiated a private conversation titled “South Korea / 16kkk/ local admin” that ran to three replies, showing a complete negotiation cycle from listing to deal. In total, inthematrix’s 41 public access listings generated 41 private conversations with buyers including ransomware operators, access resellers, and pentest teams.
Methodology
This analysis is based on a MySQL database dump of the RAMP forum’s XenForo installation. We parsed raw SQL to extract structured data from the xf_user (7,707 records), xf_thread (1,732 records), xf_post, xf_ip (340,333 records), xf_admin_log, xf_conversation_master (1,899 records), and xf_conversation_message (3,875 records) tables. IP addresses were decoded from binary format and geolocated against known ISP allocations. All findings are based on data as it existed in the database dump and have not been independently verified against live sources.
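The parsing and decoding steps described above, shown as an added illustration. This is not Comparitech’s analysis code, and every row, username, timestamp and IP value in the sample dump is constructed for the example. It assumes the dump is in mysqldump form with the varbinary `ip` column emitted as `0x…` hex literals, that `post_date` and `log_date` are Unix timestamps (as in XenForo), and it buckets thread titles by the access-type keywords used in the report’s tables; that keyword matching is an assumption about how such titles could be classified, not the report’s stated method.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a mysqldump of two XenForo tables.
# All rows, names, timestamps and IP values are invented for this example.
SAMPLE_DUMP = r"""
INSERT INTO `xf_thread` (`thread_id`, `title`, `user_id`, `username`, `post_date`) VALUES
(101,'RDP access US corp, revenue $1.2B',7,'seller_a',1646092800),
(102,'VPN Cisco AnyConnect access, CA company',8,'seller_b',1700000000),
(103,'SSH shell to Linux corp',9,'seller_c',1688169600),
(104,'Domain admin + VPN, EU hospital',7,'seller_a',1702000000),
(105,'Selling data dump',8,'seller_b',1654041600);
INSERT INTO `xf_ip` (`ip_id`, `user_id`, `ip`, `log_date`) VALUES
(1,7,0x0A000001,1646092800),
(2,8,0xC0A80102,1700000000),
(3,9,0x20010DB8000000000000000000000001,1688169600);
"""

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` \(([^)]*)\) VALUES\s*(.*?);\s*$", re.S | re.M)

# Assumed keyword scheme (priority order): a title naming several access
# types is counted once, under the first match, so totals add up to the thread count.
ACCESS_KEYWORDS = [
    ("Domain Admin", re.compile(r"\b(domain admin|DA)\b", re.I)),
    ("RDP", re.compile(r"\bRDP\b", re.I)),
    ("VPN", re.compile(r"\bVPN\b", re.I)),
    ("Citrix", re.compile(r"\bCitrix\b", re.I)),
    ("VNC", re.compile(r"\bVNC\b", re.I)),
    ("SSH / Webshell", re.compile(r"\b(ssh|webshell|shell)\b", re.I)),
]


def parse_values(text):
    """Tokenize a mysqldump VALUES clause into rows of Python values:
    ints, unescaped strings, bytes for 0x hex literals, None for NULL."""
    rows, i, n = [], 0, len(text)
    while i < n:
        if text[i] != "(":
            i += 1
            continue
        row, i = [], i + 1
        while text[i] != ")":
            if text[i] in ", ":
                i += 1
            elif text[i] == "'":                 # quoted string with backslash escapes
                j, buf = i + 1, []
                while text[j] != "'":
                    if text[j] == "\\":
                        j += 1
                    buf.append(text[j])
                    j += 1
                row.append("".join(buf))
                i = j + 1
            elif text.startswith("0x", i):       # hex literal for varbinary columns
                j = i + 2
                while j < n and text[j] in "0123456789abcdefABCDEF":
                    j += 1
                row.append(bytes.fromhex(text[i + 2:j]))
                i = j
            elif text.startswith("NULL", i):
                row.append(None)
                i += 4
            else:                                # bare integer
                j = i
                while text[j] not in ",)":
                    j += 1
                row.append(int(text[i:j]))
                i = j
        rows.append(row)
        i += 1
    return rows


def parse_dump(dump):
    """Return {table_name: [row_dict, ...]} for every INSERT statement in the dump."""
    tables = {}
    for m in INSERT_RE.finditer(dump):
        names = [c.strip("` ") for c in m.group(2).split(",")]
        tables.setdefault(m.group(1), []).extend(dict(zip(names, r)) for r in parse_values(m.group(3)))
    return tables


def decode_ip(raw):
    """XenForo stores addresses as 4-byte (IPv4) or 16-byte (IPv6) varbinary."""
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    raise ValueError(f"unexpected IP length {len(raw)}")


def quarter_of(ts):
    """Map a Unix timestamp to a 'Qn YYYY' label (UTC), as used in the activity tables."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"Q{(d.month - 1) // 3 + 1} {d.year}"


def classify_access(title):
    for name, rx in ACCESS_KEYWORDS:
        if rx.search(title):
            return name
    return "Unspecified"


def analyse(dump):
    tables = parse_dump(dump)
    threads = tables.get("xf_thread", [])
    return {
        "threads_per_quarter": dict(Counter(quarter_of(t["post_date"]) for t in threads)),
        "access_types": dict(Counter(classify_access(t["title"]) for t in threads)),
        "decoded_ips": [(r["user_id"], decode_ip(r["ip"])) for r in tables.get("xf_ip", [])],
    }
```

On the real dump the same `parse_dump` call would be pointed at the file contents and the quarter counts joined against `xf_user` for per-seller activity; the tokenizer is deliberately strict (it raises on anything it does not recognise) so a malformed or truncated dump fails loudly rather than silently skewing the counts.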