What the RAMP leadership change means for cybersecurity

One actor doubles down on ransomware while another promises something “tasty” on the horizon


Introduction

In July 2021, the Russian-speaking forum RAMP (Ransom Anon Market Place) was unveiled, taking its name as a tribute to the now-closed drug market “Russian Anonymous Market Place” (also referred to as RAMP).
Interestingly, RAMP emerged from the same domain used by the Payload.bin site and the Babuk ransomware group before that, indicating that its first administrator, TetyaSluha, has a close link with the ransomware group. TetyaSluha later confirmed this in a post on the forum, revealing that they were previously part of the Babuk Group, where they likely managed the ransomware group’s leak site.
Threat actor TetyaSluha, now known as Orange, announced that the forum aimed to create a new community for ransomware affiliates. This announcement came after ransomware-related activities were banned from other well-known forums.


New owners

In October 2021, Orange published a new post on RAMP announcing that they, together with the site's other moderators, MRT and 999, had decided to leave the project and go private. According to Orange, they left to focus their time on making money rather than running the forum. To that end, it is widely believed that Orange has joined, or is working with, the Groove gang, an actor group believed to be an affiliate or subgroup of the Babuk gang. In a previous RAMP post, Orange explained:

GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in

The post also reports that something “tasty” is on its way. Perhaps in relation to this, KAJIT, who has now taken over administrator duties, has made several comments on the forum about working on a new engine. However, they have not shared any specific details beyond this.
We will keep you updated as this story evolves. In the meantime, get to know the actors involved:


Orange

Orange (previously using the moniker TetyaSluha) is the creator and former admin of RAMP.
The following post from Orange on RAMP supports the hypothesis that Orange was likely the former manager of the Babuk Team leak site:

All this activity that grew into the RAMP forum is the result of my year-long work in the field and the competent manipulation of journalists from top outlets, such as Bloomberg, and so on. I promoted this domain through blood and sweat.

Moreover, it is known that Orange has a collaborative relationship with Groove Gang.
In August 2021, Orange updated their RAMP forum profile with a new picture, name, and description, impersonating an employee of the cybersecurity company KELA.


KAJIT

KAJIT is an active user of Exploit.in and XSS.in. They registered on both sites in February 2021 and were one of the first RAMP users.
KAJIT took over as forum administrator following the "public" announcement on the forum by the now-former RAMP administrator, Orange, who expressed no doubt that "he" (referring to KAJIT) will be able to lead the forum going forward.


Conclusions

While relatively new, the RAMP forum has already made major headlines, releasing a list of Fortinet VPN entry points at the end of August 2021. It may be hypothesized that the original owners of the forum did not feel comfortable with the level of attention they suddenly received following the fallout of the extortion of the DC Police, which may go some way in explaining the swift change in leadership. In any case, it is yet to be seen if this twist of events will increase the relevance of RAMP or if it signals the first nail in the forum’s coffin.
