{
	"id": "1f13e671-6ba7-4438-9438-73cb07b5678f",
	"created_at": "2026-04-06T00:14:36.225822Z",
	"updated_at": "2026-04-10T03:20:51.331334Z",
	"deleted_at": null,
	"sha1_hash": "8c58d99cabf5ca749d99a81eb6db4826cc56c69f",
	"title": "New Russian-Speaking Forum – A New Place for RaaS?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1753647,
	"plain_text": "New Russian-Speaking Forum – A New Place for RaaS?\r\nBy KELA Cyber Team, Ben Kapon\r\nPublished: 2021-07-28 · Archived: 2026-04-05 22:04:14 UTC\r\nA new Russian-speaking forum called RAMP was launched in July 2021 and received much attention from\r\nresearchers and cybercrime actors. The forum emerged at the domain that previously hosted the Babuk\r\nransomware data leak site and later the Payload.bin leak site. KELA researched the contents of the new site and\r\nassessed its chances to succeed. *All the forum contents are described based on what KELA observed on RAMP\r\nuntil July 27, 2021, when access was restricted.\r\nBackground\r\nThe Babuk ransomware group came into the spotlight at the beginning of 2021, but the gang said that their\r\nattacks had started in October 2020. The group operated as ransomware-as-a-service (RaaS) and had been publicly\r\nhiring affiliates on two major Russian-speaking forums, XSS and Exploit, since March 2021. One of the gang’s\r\nmost notable attacks was carried out against Washington DC’s Metropolitan Police Department in\r\nApril 2021. The gang said they had compromised the DC Police’s networks and stolen 250 GB of unencrypted\r\nfiles. Some of them were published on their site.\r\nBabuk posts claiming to have compromised Washington DC’s Metropolitan Police Department\r\nShortly after the attack, the chaos surrounding the Babuk RaaS closure started. First, the gang stated it is closing\r\nthe operation and promised to publish the source code of its malware to enable other threat actors to create their\r\nown ransomware. Then, the Babuk ransomware developers deleted the post and published a new announcement\r\nclaiming they plan to continue breaching companies but instead of stealing sensitive files and encrypting local\r\ndata, the group plans only to steal it. 
However, that second announcement was also deleted. On May 15, 2021, the\r\nBabuk representative stated on one of the forums that their RaaS affiliate program was closed.\r\nBabuk announcements of coming changes of their leak site and RaaS\r\nOn June 1, 2021, KELA observed several changes in the content and appearance of the Babuk site. The domain\r\nused by Babuk showed a page titled “Payload.bin” with the following message on the front page: “Welcome to\r\nLeaks site created by Payload.bin.” It appeared that this Payload.bin site was the promised site for leaking the\r\nstolen data. However, only one victim was listed on the site – Polish game developer CD Projekt Red.\r\nInterestingly enough, the company fell victim to HelloKitty ransomware in February 2021. Then, the data\r\nallegedly stolen during the attack was traded in an auction on the cybercrime forum Exploit. The sellers claimed\r\nthe data was sold outside of the forum. Interestingly, one of the RAMP users asked about the origins of this leak\r\nbeing posted on Payload.bin. The admin claimed the Babuk gang did not attack the company and they just\r\nprovided a place for the leak: “The Babuk team never had anything to do with this project, we were just asked to\r\npost it, so I provided the material as it is.”\r\nThe leak of CD Projekt’s data on Payload.bin and an explanation of this leak on RAMP\r\nOn June 27, 2021, a builder (source code) for the Babuk ransomware was uploaded to VirusTotal. This builder\r\ncould be used to create custom versions of the Babuk ransomware and generate decrypters. Researchers\r\nspeculated the code could be leaked by former members of the group or rivals. On July 1, 2021, it became known\r\nthat Babuk launched a new leak site stating the operation continues under the name Babuk 2.0. 
The gang claimed\r\nthe old version of Babuk ransomware was leaked, while the new version is being used in ongoing attacks. On July\r\n12, 2021, KELA noticed that the former Babuk ransomware gang’s leak site had changed again and was now\r\nhosting a forum named RAMP. A new admin initially named TetyaSluha (now Orange) announced it is now a\r\nplace where ransomware affiliates can be protected from unscrupulous RaaS programs. The admin claimed that\r\nfollowing the ransomware ban on other forums, he wanted to create a new community. The name of the new\r\nforum is a reference to the now-defunct Russian Anonymous Marketplace (a drug market that closed in 2017). So\r\nthe big question comes down to: What’s in this “marketplace”?\r\nThe Admin’s Connections to Babuk\r\nThe fact that the RAMP site is hosted on the same domain that once was Babuk’s leak site and then Payload.bin\r\nhints that the administrator is somehow related to Babuk. On May 13, 2021, in the post promising to leak the data\r\nof Washington DC’s Metropolitan Police Department, the author stated: “I handed over the source code to another\r\nteam, which will continue to develop the product under a different brand, I remain the only owner of the domain\r\nand blog, my service will continue to develop.” It seems that the post author is the future admin of Payload.bin\r\nand RAMP.\r\nAnnouncement about handing over source code and remaining an owner of the domain, most likely written by the\r\ncurrent RAMP admin\r\nWhen announcing the forum’s opening, the admin stated: “[If you want to know – KELA] who I am you can\r\nsearch online for the babuk key.” The mention of “Babuk key” probably meant the builder leak mentioned above.\r\nIn addition, the admin said: “All this activity that grew into the RAMP forum is the result of my year’-long work\r\nin the field and the competent manipulation of journalists from top outlets, 
such as Bloomberg, and so on. I\r\npromoted this domain through blood and sweat.” This again implies that the admin was involved in the Babuk\r\noperation from the beginning.\r\nThe RAMP admin’s announcement about the RAMP launch and his affiliation with the Babuk team and the\r\ndomain\r\nMoreover, when sharing the Babuk builder on RAMP, the admin claimed: “A guy who made Babuk for me just\r\ntook the Darkside ESX locker and reversed it. I can’t tell if there is a problem with the ESX [version] because I’ve\r\nused it only for three companies.” From this and other posts sharing insights on how to attack the company’s\r\nnetwork, we can infer that the admin was conducting ransomware attacks himself. The admin said that now\r\nhe is not affiliated with the gang and even stated: “I recommend to blacklist this product to all security firms and\r\ndata security [specialists].”\r\nThe RAMP admin’s post about the Babuk ESXi version being based on the DarkSide ESXi version\r\nRAMP Forum’s Contents\r\nThe new forum is Russian-speaking and named RAMP in honor of the now-defunct Russian drug marketplace, but\r\nits purpose is far from selling drugs. The admin who renamed himself to Orange (the old RAMP’s admin’s\r\nhandle) claimed the forum will be a community for various cybercriminals, including ransomware developers and\r\naffiliates recently banned on XSS and Exploit. He stated the forum’s full name is “Ransom Anon Mark Place.”\r\nRules of the forum stated that members are prohibited from attacking Russia and CIS countries (which is common\r\nfor such forums), using multiple accounts, spamming, and performing some other actions. 
Curiously, the\r\nmoderators claimed it is prohibited to propagate “different actions going against Criminal Code of RF [Russian\r\nFederation].”\r\nRAMP rules\r\nThe forum has multiple sections typical for such cybercrime forums, with a general notice “welcoming” both\r\nRaaS and other services. Two sections that attract a particular interest are called “Vendor” and “Affiliate\r\nPrograms” – they are intended for “people and services in which we [administration – KELA] and our community\r\ntrust.” As such, KELA observed a thread dedicated to the LockBit 2.0 affiliate program. In the thread, a\r\nuser named LockBit (most likely the gang’s representative) claimed he will launch the LockBit 2.0 ransomware\r\nESXi version soon.\r\nSince Initial Access Brokers’ services are on the rise, the forum offers a section for access listings. Moreover, in\r\nhonor of the forum’s launch, some accesses through Fortinet VPN were offered for free. The access listings seem\r\nto be unique; the forum moderators promised to change them periodically to avoid multiple targeting. The forum\r\nalso has a section “Tools” for selling/sharing exploits and malware, though its contents so far do not seem to be\r\nunique. Interestingly, the Babuk builder was shared again in this section by the admin who specified that the\r\nbuilder works fine for encrypting/decrypting files on Windows computers. He mentioned that the VMware ESXi\r\nversion does not enable users to decrypt files. Other sections are intended for sharing articles about hacking,\r\nchatting, and discussing the forum.\r\nThe Spam Incident and the Building of the Forum\r\nThe site, built on the FluxBB engine, experienced a spam attack. On July 23, 2021, a threat actor created a thread\r\nwhere he demanded a 5,000 USD ransom to avoid spamming. 
Apparently, the admin didn’t pay the ransom and\r\nover the following few days, multiple users were posting porn GIFs in all sections and threads in the forum. Following\r\nthe incident, many users were deleted from the forum. The admin (who previously looked for someone capable of\r\nauditing the forum’s security for 2,000 USD) stated the forum will be relaunched using a new engine built from\r\nscratch. First, the admin “cleaned” the forum and deleted most of the users. On July 27, 2021, he restricted access\r\nto the forum.\r\nForum’s Perspectives\r\nThe forum seemed to attract some interest from members of other cybercrime forums: KELA observed several\r\nusers registered with the same handles as on two major Russian-speaking forums. Due to the “cleaning” of the\r\nforum, on July 26, 2021, the number of users was 59, who seem to be the users that somehow participated in the\r\nforum discussion. During the first ten days of its existence and before the wave of spammers, the number of\r\nregistered users was around 350. The number of published posts was above 100. This pace was impressive;\r\nhowever, after the spam incident and the deletion of users, it will definitely slow down. The registration is now\r\nclosed. According to a message now appearing on the homepage, on August 13, 2021, the forum will be\r\nrelaunched and registration will become available based on certain conditions. Those include users registered on\r\nXSS and Exploit for more than 2 months, with more than 10 messages on a forum and a positive reputation. An\r\nalternative option is to pay a registration fee of 500 USD, which seems to be exaggerated compared to other\r\nforums. For example, a premium user on XSS costs 120 USD for a year. Moreover, Russian cybercriminals are\r\nnot used to paying money for registration on forums, especially such a (relatively) big sum. 
Once the forum is\r\nrelaunched, it is possible that cybercrime actors tired of the ransomware ban will try it out. So far, the\r\nwelcoming of the RaaS programs and their affiliates is the only competitive advantage of RAMP. It seems it is the\r\nonly factor that can attract users from other well-established forums. As for the demand of ransomware groups for\r\nInitial Access Brokers, intrusion specialists, and other partners, they can still find them on existing forums.\r\nFrontpage of RAMP as seen on July 26 and on July 27, 2021\r\nThe success of the forum also depends on the interest of ransomware groups in publicly recruiting affiliates again.\r\nSome players (like Avaddon and REvil) closed their RaaS or disappeared from the public space. However, there\r\nare new groups that can use a new community to promote their RaaS. If the admins can leverage their competitive\r\nadvantage of welcoming RaaS programs, the chances of growth are fairly high.\r\nSource: https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/"
	],
	"report_names": [
		"new-russian-speaking-forum-a-new-place-for-raas"
	],
	"threat_actors": [],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c58d99cabf5ca749d99a81eb6db4826cc56c69f.pdf",
		"text": "https://archive.orkl.eu/8c58d99cabf5ca749d99a81eb6db4826cc56c69f.txt",
		"img": "https://archive.orkl.eu/8c58d99cabf5ca749d99a81eb6db4826cc56c69f.jpg"
	}
}