As one ransomware community, RAMP, closes its doors, two new forums have emerged to fill the void. Rapid7 has released a comprehensive analysis of the changing ransomware landscape following the recent seizure of infrastructure associated with RAMP by U.S. authorities.
For many years, RAMP served as the primary platform for ransomware-as-a-service (RaaS) affiliates. However, an interagency operation led by the FBI on January 28 forced numerous cybercriminal groups to seek alternative avenues for their operations.
In their latest blog post, Rapid7's Alexandra Blia and Efi Sherman identified two forums that attackers may flock to in the aftermath of RAMP’s closure. The key takeaway is that the ransomware ecosystem is becoming increasingly fragmented, necessitating new strategies for defenders.
"For defenders, visibility into centralized coordination is shrinking," the blog states. "Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping. Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."
Raj Samani, chief scientist at Rapid7, describes the current ransomware ecosystem as a "burgeoning" yet fluid environment, where various groups are active at different times. He notes that some groups vanish only to reappear later with new tools that catch victims off guard, citing Cl0p as an example.
A Tale of Two Ransomware Forums
With RAMP now defunct and unlikely to resurface, ransomware actors are actively discussing their next moves. While there are other hacker forums available, many, like XSS, do not permit ransomware recruitment.
One early successor is T1erOne, a closed forum that began operating earlier this month. Membership is granted only through proof of activity on another forum or a $450 payment. The forum's structure aims to mitigate the risk of infiltration following the leak of parts of RAMP's database.
"While closed, paid-entry forums are not new, their emergence immediately after a high-profile seizure suggests defensive adaptation," Blia and Sherman wrote. "By raising financial and reputational barriers, administrators reduce infiltration risk while signaling seriousness to high-value actors. If historical patterns hold, the next phase will likely involve smaller clusters of trusted actors consolidating around vetted spaces, with recruitment occurring through referrals rather than open posts. This reduces visibility but increases operational cohesion."
The T1erOne forum directly advertises ransomware, seeking to capitalize on the gap left by RAMP. Some ransomware affiliate groups, including Qilin and Cry0, have reportedly begun to make their presence known on this forum.
The other notable early forum is Rehub, which existed prior to RAMP's closure. Active since August of the previous year, it has a more open membership structure than T1erOne. Rapid7 has confirmed the presence of several ransomware actors on Rehub, including LockBit and Gentlemen, who have been active since September. Notably, DragonForce joined the day RAMP went offline, and multiple posts on Rehub advertise RaaS offerings.
A Fragmented Ransomware Future After RAMP
Rapid7 concludes that the landscape after RAMP's demise will not center on a single successor. Instead, different forums will cater to different sectors of the cybercrime ecosystem. Rehub serves as a convenient option for displaced ransomware actors, while T1erOne aims to attract higher-value actors by fostering trust.
This fragmentation complicates visibility for defenders, who now must monitor patterns across multiple platforms and identify early recruitment signals for RaaS.
Samani emphasizes that despite RAMP's seizure undermining trust within the cybercrime community, the financial incentives will continue to drive activity. "We have seen this play out so many times before," he remarks. "Look at BreachForums and XSS, where we witnessed a new version appear within a month after the original shutdown. This underscores a significant economy where threat actors perceive minimal risk due to the anonymity afforded by these online forums."