Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum
Posted: Friday, Aug 23

i 3 Table of Contents

Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum

The sale and purchase of unauthorised access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks. Underground forums are sharing guidelines on breaching networks and selling the access they obtain, leaving the exploitation to other malicious actors.

On underground criminal forums, these transactions allow actors with complementary skills to collaborate, amplifying the impact and reach of cyberattacks. The market for such access has grown notably, especially as ransomware operators increasingly employ double-extortion tactics. A foothold in a victim’s network, with credentials that enable stealthy operations, has never been a more lucrative โ€” and popular โ€” business model.

Organisations across all sectors and regions are vulnerable and a target. The collective shift to remote work during the COVID-19 pandemic has expanded the attack surface, as more remote access tools remain in use to this day. In our 2024 Attack Intelligence Report, we noted that 36% of all widespread threat events Rapid7 tracked in 2023 involved the exploitation of network edge device vulnerabilities. This trend has continued into 2024.

In this article, we delve into a major forum frequented by ransomware actors and affiliates, called RAMP. As part of our research for the Rapid7 Ransomware Radar Report, we analysed RAMP postings offering corporate access from January 1 to June 30, 2024, uncovering four key trends within this underground marketplace.

The Forum: RAMP

Re-launched/branded in July 2021, the RAMP (Ransomware and Advanced Malware Protection) forum is an underground cybercriminal hub originally known as Payload.bin, tracing its roots back to 2012 when it first operated on the Tor network. With a primary focus on ransomware, RAMP is a multilingual platform catering to Russian, Chinese, and English speakers and boasts over 14,000 registered members. Access to RAMP is highly restricted; potential users must have been active members on the XSS and Exploit forums for at least two months, have posted at least ten times, and maintain a good reputation, or alternatively, pay a $500 registration fee for anonymity.

RAMP serves as both a forum and a marketplace, offering ransomware kits, malware, and stolen data, while also providing comprehensive guides and tutorials for cyberattacks. It facilitates ransomware-as-a-service (RaaS) operations, enabling affiliates to deploy ransomware for a share of the profits. Despite its high registration fee, a stark contrast to the $120 annual fee for premium XSS users, RAMP’s closed community is a critical resource for many threat actors. The forum’s design mimics Silk Road-like darknet markets, including escrow features, and it operates primarily off-the-record to avoid law enforcement detection. Its administrator claims an annual revenue of around $250,000, benefiting from its predominantly Russian user base and a strict policy against selling certain illegal goods and services.

Selling Access

To investigate the trends and context around the selling of access into corporate networks, we analysed all the postings on the RAMP forum from January through June 2024. Some of these posts were cross-posted on other underground forums as well. In most cases, the initial access was mentioned and/or the price asked. Where this data was not available, we classified that as โ€˜unknownโ€™ in our dataset for analysis. So what trends did we discover?

Trend #1: Country Distribution

The United States leads the pack with the highest number of entries referencing the country of the company attackers have credentials or access to, followed by France and Brazil. Companies based in Western countries command a higher price dueย to their perceived wealth and easier access to resources for payment, so what weโ€™re seeing thus far in 2024 is what would be expected. The only exception to this is Brazil, likely due to Brazilian affiliates that target larger Brazilian businesses.

Trend #2: Revenue Distribution

One of the variables that determine the asking price for network access is the revenue made by the target. Very often, sites like ZoomInfo are used to look up the annual revenue, which is then mentioned in the posting.

We observed a broad range of revenue values within the RAMP dataset, where some entries specified exact amounts and others used ranges. A significant number of entries included revenues in the millions, particularly around $5 million USD.

In fact, companies with revenues in the $5 million range appeared twice as often as those in the $30-50 million range and five times more frequently than those with a $100 million revenue. This could indicate that such companies are large enough to hold valuable data but perhaps not as well protected as larger corporations. Regardless, this finding shows that companies with $5 million in revenue are attractive targets and represents an interesting shift from access brokers only targeting the โ€œbig fish.โ€

Trend #3: Access Type Distribution

How are threat actors getting in? Our analysis shows that Remote Desktop Protocol (RDP) is the most common access type, followed by VPN, which presents a greater possibility of remaining undetected. That, in combination with the level of access (user or privileged user), demands a higher price.

RDP is often used for remote work and system management and it can be a significant vulnerability if not properly secured. The prevalence of RDP underscores the importance of securing remote access points.

As noted in our 2024 Attack Intelligence Report, missing or unenforced multi-factor authentication (MFA) gave rise to 41% of the incidents Rapid7 MDR observed in 2023. Companies should ensure robust security measures like MFA and proper network segmentation to protect RDP endpoints. Also, if we consider the combined value of VPN and such technologies, then the trend of targeting network edge devices will certainly continue.

Trend #4: Price Distribution

Many RAMP entries list unknown prices. Among the known prices, amounts like $500, $800, and $1000 are common. Company revenue, headquarter location, and the type of access are each a basis for how the threat actor formulates their asking price, which can range widely based on the perceived value of the target network. It is common for prices to spike based on the specific attributes of the target (e.g., revenue, security posture, type of data accessible).

Conclusion

Our analysis highlights key areas of concern for companies looking to protect themselves against access brokers. Businesses in the US, France, and Brazil, as well as those with revenues around $5 million, should be particularly vigilant. Securing remote access points, investing in robust solutions, and understanding the pricing dynamics of the black market for network access can help companies bolster their defenses against this pervasive threat.

By staying informed about these and other ransomware trends, businesses can better understand the risks and implement effective measures to safeguard their networks against unauthorised access.

Christiaan Beek
Christiaan Beek is a security threat expert with more than 20 yearsโ€™ experience leading and contributing to cybersecurity research, intelligence gathering, and data science. As Senior Director of Threat Analytics at Rapid7, Christiaan is leading the companyโ€™s strategic intelligence research with a focus on gathering threat data, inventing new research techniques, data correlation/visualization and publications. Before joining Rapid7, Christiaan led strategic intelligence research at Trellix/McAfee. Prior to that, he led the EMEA incident response teams at Foundstone. Christiaan contributed to the best-selling security book "Hacking Exposed," wrote a comic book about ransomware, is a contributor to the MITRE ATT&CK framework, open-source projects and holds multiple patents. Christiaan is a visionary leader who serves on security startup boards, advising these companies on strategy and technology. He also regularly speaks at industry events such as RSA, BlackHat, and BlueHat, and his expert commentary has been featured in many news outlets and prime time news shows.
Share This