RAMP is a prominent Russian-language cybercrime forum focused on ransomware activity. It was renamed from Payload[.]bin to RAMP on July 13, 2021; according to its founder Orange, the name stood for "Ransom Anon Market Place." Reporting cited in the content identifies Orange as the founder of RAMP and links Orange to the aliases Wazawaka, Boriselcin, TetyaSluha, Uhodiransomwar, and Biba99, which KrebsOnSecurity and Intel 471 further associate with Russian national Mikhail Pavlovich Matveev. The content states that RAMP emerged after major dark web forums banned ransomware groups following the Colonial Pipeline attack. RAMP functioned as a hub for ransomware operations and related cybercrime services. The content states that it was used by ransomware affiliates, malware developers, and initial access brokers, and that it offered leaked-data auctions, malware rentals, and initial access broker listings. Orange later announced a new ransomware affiliate program called Groove on RAMP. The forum was described as ransomware-focused and part of the broader ransomware-as-a-service and extortion ecosystem. The content also states that U.S. federal authorities seized both the clearnet and dark web domains associated with RAMP (including Ramp4u.io). The seizure was reportedly carried out by the FBI in coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ Computer Crime and Intellectual Property Section. Seized domains displayed FBI/DOJ seizure notices and were updated to fbi.seized.gov nameservers. No arrests were officially confirmed in the cited reporting.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Attributed origin per open-source reporting.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Russian-language cybercrime forum that functioned as a hub supporting ransomware operations (e.g., ransomware affiliates, malware developers, and initial access brokers) via services such as leaked data auctions, malware rentals, and initial access broker listings.
Named cybercrime forum whose domains were reportedly seized by U.S. law enforcement.
Ransomware-focused dark web forum founded by Orange as a platform for ransomware leaks and collaboration, created after other forums banned ransomware collectives.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.