The seizure of the RAMP cybercrime forum by U.S. authorities has fragmented the ransomware ecosystem, forcing actors to migrate to new platforms. Two emerging forums, the closed and paid T1erOne and the more open Rehub, are filling the void, attracting different segments of ransomware groups. This fragmentation reduces defenders' visibility, requiring them to adapt by monitoring actor migration and recruitment signals across multiple platforms instead of a single centralized forum. The main topics covered are the law enforcement action against RAMP, the resulting shift in ransomware operations to new forums, and the implications for cybersecurity defense strategies.
RAMP Forum Seizure Fractures Ransomware Ecosystem
Researchers suggest defenders monitor how these malicious groups re-form and use that threat intelligence to guide their own next moves.
As one ransomware community shutters in RAMP, two more pop up to take its place.
Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares.
Rapid7's Alexandra Blia and Efi Sherman in this week's blog post identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.
"For defenders, visibility into centralized coordination is shrinking. Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping," the blog post read. "Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."
Raj Samani, chief scientist at Rapid7, tells Dark Reading that the current ransomware ecosystem is a "burgeoning" yet fluid one, with different groups active at different times. "We see instances where groups disappear and then return with an array of tools that victims are entirely unprepared for, such as Cl0p," he says.
A Tale of Two Ransomware Forums
With RAMP gone and unlikely to return (its administrator said as much), ransomware actors began discussing where to go next. While other popular hacker forums exist, a number of them, like XSS, do not allow for ransomware recruitment.
One early successor has proven to be T1erOne, a closed forum started early this month that allows members to join only with proof of activity on another forum or a $450 payment. Because parts of RAMP's database leaked in the wake of the shutdown, "this structure is designed to reduce the risk of infiltration or exposure," Blia and Sherman wrote.
"While closed, paid-entry forums are not new, their emergence immediately after a high-profile seizure suggests defensive adaptation. By raising financial and reputational barriers, administrators reduce infiltration risk while signaling seriousness to high-value actors," they added. "If historical patterns hold, the next phase will likely involve smaller clusters of trusted actors consolidating around vetted spaces, with recruitment occurring through referrals rather than open posts. This reduces visibility but increases operational cohesion."
The forum directly advertises ransomware in an apparent attempt to fill the gap left by RAMP. Some ransomware affiliate groups, such as Qilin and Cry0, have reportedly begun advertising on the forum.
The other prominent early forum is Rehub, which existed prior to RAMP's closure. It has been active since August of last year and, compared with T1erOne, has an open membership structure. Rapid7 researchers verified that several ransomware actors are already active on the platform; LockBit and Gentlemen have had a presence since September, while DragonForce joined the day RAMP went offline. Multiple posts advertise RaaS offerings.
A Fragmented Ransomware Future After RAMP
Rapid7 concluded that the future after RAMP is not one successor but a divergent path to serve different parts of the cybercrime ecosystem. Rehub exists as an easy rebound for displaced ransomware actors, while T1erOne appears to target higher-value targets in a play for trust.
This complicates visibility for defenders, who must now track patterns across multiple platforms and identify early RaaS recruitment signals.
This recent forum activity also shows, Samani tells Dark Reading, that even as RAMP's seizure harms trust within the cybercrime community, financial incentives will overpower any need to lie low.
"We have seen this play out so many times before," he says. "Take BreachForums and XSS, for example, where we saw another version pop up within a month after the shutdown of the first. Simply put, this demonstrates a significant economy where threat actors do not feel the risk due to the perceived anonymity provided by the online nature of these forums."