
U.S. Authorities Seize RAMP, a Major Ransomware Marketplace
Recommended for you
Ransomware Shift: Low Payouts Force Return to Encryption and Targeted Disruption
Mass data-theft campaigns have lost their profit edge as corporate resistance to paying ransoms grows, prompting ransomware operators to favor encryption and more disruptive tactics. High-profile law-enforcement seizures of prominent forums (e.g., RAMP) are adding friction for criminals but also driving them into more private, invitation-only channels.
Machine identities missing from ransomware playbooks
Enterprise ransomware playbooks commonly treat credential resets as a human-only control, leaving service accounts, API keys, tokens and certificates intact — a blind spot that accelerates lateral movement and drives recovery costs. Market shifts toward targeted, disruption-focused extortion and faster weaponization via agentic AI make that omission more dangerous: defenders must pair machine-identity governance with identity-first detection and quicker containment to blunt modern ransomware economics.
Ransomware strike at Ingram Micro exposes sensitive records of ~42,500 people
A July ransomware incident at Ingram Micro led to the theft of employment and applicant records for about 42,521 people and service outages that were largely resolved within a week. A threat actor later published roughly 3.5 TB of claimed data; the company is offering two years of identity protection while facing regulatory notification, legal exposure, and heightened supply‑chain scrutiny.
Handala: U.S. Links Hackers to Iran’s MOIS and Seizes Domains
The U.S. Justice Department publicly attributed the Handala campaign to Iran’s Ministry of Intelligence and Security, executed court-authorized seizures of four domains used to publish threats and doxed material, and paired the action with a $10,000,000 State Department reward offer — a move that reduces a visible propaganda node, preserves evidence for potential prosecutions, but also increases escalation risk amid contested attribution and strained defensive capacity.

U.S. Justice Department seizes $578M in crypto tied to Chinese syndicates
The U.S. Department of Justice announced it froze and seized roughly $578 million in digital assets tied to transnational Chinese criminal groups, an enforcement action framed as a path to victim restitution. Federal tracing and seizure work — including U.S. Marshals‑led blockchain forensics coordinated with private analytics vendors — underscores both growing interagency muscle and the operational limits imposed by mixers, bridges and fast‑moving laundering chains.

Advantest Hit by Ransomware; probe ongoing
Japan’s chip-test equipment maker reported an IT intrusion on Feb. 15 and says investigators found signs of ransomware on parts of its network. The company has not confirmed data theft and is evaluating impacts for customers and employees while response teams continue containment work.
Patch Rush, Penalties and Power Plays: This Week’s Cybersecurity Events
A fast-exploited Fortinet flaw and an agentic-AI vulnerability in ServiceNow forced urgent remediation, while telecoms, a university, and a logistics provider faced data and security crises that drew enforcement and public scrutiny. National agencies issued OT and zero-trust guidance and investors poured $136M into defense-focused software, highlighting shifting incentives toward resilience and regulatory accountability.
Tycoon 2FA Disrupted After Microsoft, Coinbase and Europol Action
A coordinated coalition led by Microsoft, Coinbase and Europol dismantled key infrastructure tied to Tycoon 2FA, blocking 330 domains and tracing blockchain payments to identify an alleged administrator. The disruption directly targets a major phishing-as-a-service pipeline that enabled session-token theft and MFA bypass, shifting attacker economics and prompting near-term tactical pivots.