RAMP, a Russian darknet forum, reappears, this time with Chinese-speaking hackers at the helm

RAMP, a Russian darknet forum, reappears, this time with Chinese-speaking hackers at the helm

XSS user ‘hoffman’ greets two forum members who revealed themselves as Chinese. The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese,” Flashpoint wrote.

After its administrator opened it up to Mandarin and English-speaking threat actors, the Russian cybercriminal site RAMP is back up and teeming with what could possibly be Chinese activity. According to Flashpoint analysts, the forum is collaborating with the hackers in what can only be described as a ransomware scheme. Flashpoint found 30 new Chinese origin user registrations. Below is a screenshot of ‘hoffman’, a member of XSS (another Russian cybercriminal forum).


  • A while ago, RAMP’s administrator was linked to the Babuk ransomware gang. This administrator, who goes by the name Orange, also claimed to lead the Groove ransomware gang. According to Israeli cybersecurity company KELA who discovered RAMP, the forum had 350 registered users in just the first ten days of its existence while the number of published posts was above 100. RAMP was founded to connect with affiliates operating in a ransomware-as-a-service (RaaS) model. The intention was “to protect against fraudulent RaaS and ransomware partner job advertisements on deep web and dark web forums.”

  • RAMP emerged as recently as July this year . It garnered much attention from cybercriminal groups on the darknet, mainly ransomware gangs, as well as those from the white hat community. RAMP, named as a tribute to the now defunct Russian drug marketplace, actually stands for Ransom Anon Market Place and is hosted on the same domain that previously hosted the data leak sites for Babuk ransomware, and for Payload.bin.

Earlier this month, Orange re-emerged on XSS and posted the following:

RAMP became operational shortly after XSS and Exploit, two other Russian darknet forums, were banned following the Colonial Pipeline attack. XSS and Exploit were popular meeting places for criminals associated with the DarkSide and REvil ransomware gangs and other members of the ransomware community. However, Orange suddenly called it quits in October 2021 to focus on making money with Groove rather than running RAMP. So they deleted RAMP. Orange then called on to “stop competing, unite and begin to destroy the US public sector.” To look legitimate (rather, illegitimate), Groove even posted 500,000 login credentials of Fortinet VPN customers.

They ate it up, I dumped 500k old Fortinet [access credentials] that no one needed and they ate it up. I say that I am going to target the U.S. government sector and they eat it up. Few journalists realized that this was all a show, a fake, and a scam! And my respect goes out to those who figured it out. I don’t even know what to do now with this blog with a ton of traffic. Maybe sell it? Now I just need to start writing [the article], but I can’t start writing it without Checking

It was later revealed that Groove and its call to attack the U.S. with ransomware was actually a social engineering ruse to see if it was possible to manipulate the Western media and elicit a response through a fake ransomware blog. Which brings us back to the Russian-Chinese collaboration and the re-emergence of RAMP, now requiring members to re-register owing to a new .onion domain (its third iteration) on the Tor network. Orange’s previous activity suggests this may be yet another ploy to trick the media and organizations. “While it is possible that Russian-speaking ransomware operators may be seeking alliances outside of Russia — cooperative cybersecurity talks with the U.S. are currently underway — it remains unclear whether RAMP efforts to woo Chinese-speaking threat actors are in fact legitimate or simply a smokescreen,” Flashpoint noted.