RAMP Leak Exposes Russia's Ransomware Pipeline: 7.7K Users, 340K IPs, US Gov Targets
Leaked database reveals a structured cybercrime market connecting initial-access brokers to 14 RaaS affiliates, with 40% of geolocated listings targeting US organizations, led by the government and finance sectors.
MOSCOW / WASHINGTON, D.C. — A massive leak of the RAMP (Ransomware Access and Market Place) database has pulled back the curtain on Russia’s most structured cybercrime ecosystem. Analyzing data spanning November 2021 to January 2024 — prior to the FBI’s seizure of the main site in February 2026 — researchers have uncovered the inner workings of a pipeline that commercialized the targeting of Western infrastructure.
The leak includes 1,732 forum threads, 7,707 registered users, and 340,000 IP records. According to analysis by Security Affairs and Comparitech, RAMP filled the void left when other Russian underground forums banned ransomware advertisements in 2021. Founded by the threat actor "Orange," a former operator of the Babuk ransomware gang, RAMP evolved into a professionalized clearinghouse that matched initial-access brokers with the RaaS affiliates who carry out the rest of the ransomware kill chain.
Intelligence Analysis: US Infrastructure in the Crosshairs
The leaked data highlights a relentless focus on high-value US targets. Of the geolocated listings on the forum, 40% targeted US-based organizations, including 21 listings for government networks and 11 each for the finance, tech, and telecommunications sectors.
The "Access Broker" model is the engine of this growth. These specialists do the heavy lifting of initial compromise, typically through stolen credentials or unpatched vulnerabilities in VPN and other remote-access appliances, then sell that foothold to Ransomware-as-a-Service (RaaS) affiliates. One broker alone was identified in the leak as having 41 separate listings for government networks across South America and Ukraine.
This commercialized pipeline mirrors the primary threat drivers identified by the NCSC, which has previously named Russia as a leading source of infrastructure disruption.
Defensive Mandate: Countering the Pipeline
The RAMP leak shows that the threat is no longer a "lone wolf" hacker but a vertically integrated industry, with initial access, privilege escalation, and extortion handled by different specialists. To counter this structured ecosystem, security teams should prioritize the following:
- Credential Monitoring: Since access brokers rely on stolen logins, monitor breach dumps and combolists for the organization's email domains, force resets on every hit, and block passwords that already appear in breach corpora at the point where they are set.
- MFA Implementation: Universal Multi-Factor Authentication (MFA) on every remote-access path remains the most effective deterrent against the "entry points" sold on RAMP; a stolen password without a second factor is worth far less to a broker.
- Exposed Service Reduction: Audit and harden all public-facing services (RDP, VPN, Citrix) that serve as the primary inventory for brokers; remove what is not needed and patch what remains promptly, since unpatched edge appliances are a broker's fastest route in.
- Lateral Movement Containment: Segment the network and stop local-administrator credentials from being reused across hosts, so that "pass-the-hash" and similar credential-reuse techniques cannot turn a single broker's foothold into domain-wide access and a SYSTEM shell on every machine the affiliate wants to encrypt.
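As an added illustration of the credential-monitoring item above, and not code from the original article or from any of the cited researchers, the Python below shows the two pieces a defender typically wires together: a parser that pulls rows for one corporate domain out of a combolist-style dump, and a k-anonymity password check in the style of the Pwned Passwords range query, in which the client sends only the first five hex characters of the SHA-1 hash and matches the 35-character suffix locally, so the password itself never leaves the host. The breach corpus, the dump lines, and the example.com accounts are all constructed sample data; `range_lookup` stands in for the network call to the hash-range service.

```python
import hashlib
from collections import Counter, defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_passwords):
    """Server side: bucket every breached hash by its first 5 hex characters.
    Each bucket holds 'SUFFIX:COUNT' lines, the shape a range query returns."""
    counts = Counter(sha1_hex(p) for p in breach_passwords)
    index = defaultdict(list)
    for digest, n in counts.items():
        index[digest[:5]].append(f"{digest[5:]}:{n}")
    return dict(index)


def breach_count(password, range_lookup):
    """Client side: transmit only the 5-char prefix, compare the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def corporate_hits(dump_lines, domain):
    """Extract unique (email, password) rows for one domain from an 'email:password' dump.
    Blank lines, comments, rows without a separator, and other domains are ignored."""
    domain = domain.lower()
    seen, hits = set(), []
    for raw in dump_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")  # first ':' only; passwords may contain ':'
        if not sep or not password:
            continue
        email = email.strip().lower()
        if "@" not in email or email.rsplit("@", 1)[1] != domain:
            continue
        if (email, password) in seen:
            continue
        seen.add((email, password))
        hits.append((email, password))
    return hits


def triage(dump_lines, domain, range_lookup):
    """For each corporate hit, report whether the leaked password is also in the
    shared breach corpus, a strong sign it is already in attacker wordlists."""
    return [
        {"email": email, "breach_count": breach_count(password, range_lookup)}
        for email, password in corporate_hits(dump_lines, domain)
    ]


# Constructed breach corpus standing in for the service's hash database.
BREACH_CORPUS = ["Password123", "Password123", "Summer2023!", "letmein", "Welcome1"]
RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_lookup(prefix):
    """Stand-in for the HTTP range call: returns the 'SUFFIX:COUNT' lines for a prefix."""
    return RANGE_INDEX.get(prefix.upper(), [])


# Constructed combolist sample; none of these accounts or passwords are real.
DUMP = """
# constructed sample, not real data
alice@example.com:Summer2023!
bob@example.com:CorrectHorseBatteryStaple
carol@other.example:letmein
ALICE@example.com:Summer2023!
malformed-line
"""

if __name__ == "__main__":
    for row in triage(DUMP.splitlines(), "example.com", range_lookup):
        print(row)
```

Every account returned by `triage` warrants a forced reset and a session revocation regardless of `breach_count`, because the plaintext is already in circulation; the count only tells you how widely. The same `breach_count` call, run at password-set time, is what keeps already-breached passwords out of the environment in the first place.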
The CyberSignal Analysis
Signal 01 — The "Law of Demand" in Cybercrime
The RAMP data shows that despite massive law enforcement disruptions in 2022, forum activity surged 348% between Q4 2022 and Q4 2023. This indicates that as long as the "Access Broker to RaaS" pipeline remains profitable, threat actors will simply migrate to new platforms. The 2026 FBI seizure of RAMP was a blow, but the database leak reveals just how deeply these roots had grown before the site went dark.
Signal 02 — The Pivot to SYSTEM Privilege
The leak confirms that RaaS groups are no longer satisfied with simple data encryption. They are recruiting affiliates specifically capable of "escalation to SYSTEM," often by exploiting race conditions or unpatched vulnerabilities in the very security software meant to stop them. By the time a ransom note appears, the adversary has often spent weeks inside the network, courtesy of a RAMP access broker.