Saturday, May 09, 2026

Executive Summary of the RAMP “Stallman” Conversation Dataset - An Analysis

1. Overview

This dataset is a large export of private messages from the underground cybercrime forum RAMP, covering roughly late 2021 to mid‑2022. The conversation is largely in Russian (with English interspersed), and involves:

- The original administrator “admin” (KAJIT).
- The user “Stallman”, who evolves from:
  - a buyer of US government‑related network accesses and a ransomware operator,
  - to the forum’s primary guarantor (escrow),
  - and ultimately to the sole owner and administrator of RAMP.
- Multiple moderators, coders, access brokers, ransomware operators, and buyers/sellers of tools, exploits, and data.

The messages chronicle:

1. RAMP’s positioning as a ransomware‑friendly forum, in contrast to other boards (Exploit, XSS, Damage) that ban ransomware.
2. The transition of power from the founding admin KAJIT to Stallman.
3. The institutionalization of:
   - vetting of users and anti‑researcher measures,
   - a formal escrow (guarantor) system for high‑value deals,
   - a paid moderation team with defined roles,
   - a marketing and monetization strategy (ads, paid registrations).

It also reveals the human dimension of this ecosystem: trust, mentorship, conflict, depression, and burnout among key actors.

In‑Depth Summary

2. RAMP Under the Original Admin (“KAJIT”)

2.1 Ransomware‑centric Positioning

From the start, the admin (KAJIT) frames RAMP as:

- A forum that explicitly allows ransomware, unlike leading Russian‑language boards such as Exploit or Damage.

- A place where access sales and ransomware operations are central and legitimate.

He rejects the “idiotic bans” on ransomware seen on other forums and wants RAMP to be the go‑to place for RaaS and related activity, with limited restrictions (porn and drugs are not allowed).

2.2 Recruiting and Training a Hacking Crew

- A user, drhack0000, writes a long message explaining that:
  - He is a CCNA student.
  - He cannot find effective learning resources to move from theory to practical skills in DDoS, web hacking, stealers, RATs, and ransomware.
  - He wants to master at least one of these domains under guidance.
- Admin’s response:
  - He is assembling a small team of three people who will hack networks for him.
  - He promises to teach them personally.
  - He asks for the user’s Tox ID and later confirms adding him.

This shows an early attempt to create a semi‑closed crew around the admin, combining mentorship with operational tasks (network intrusions, ransomware).

2.3 Technical Cooperation and Access Brokering

The admin receives and coordinates offers from various technical actors:

- chaindel offers:
  - A working ProxyShell exploit on live targets.
  - To deploy the admin’s “bacon” (beacon) onto these accessible systems so that the admin can take over.
- Admin replies:
  - He has a script that automatically uploads payloads, so a human is not needed for that step.
  - He encourages chaindel to improve his skillset.
- igora asks for BlackMatter ransomware replacements and general locker recommendations, complaining about limited feature sets in other options.
- Admin suggests Hive as a “good one”.

In these interactions, the admin plays the role of technical authority and operator, guiding others on both tooling (ransomware choice) and tactics (automated deployment of beacons/exploits).

2.4 Relations with Other Forums and Groups

The messages reference:

- Other established Russian‑language forums: Exploit, XSS (xss.is), and Damage.
- Known ransomware groups, notably Yanluowang:
  - User devulz asks if the admin knows this group and how to contact them.
  - The admin confirms that he has communicated with them.
- Admin stresses RAMP’s distinctiveness:
  - No broad bans on ransomware or accesses.
  - Fewer content restrictions than mainstream Russian boards.

This positions RAMP as a niche platform aligned with ransomware groups and access brokers, while still interacting with the broader underground forum ecosystem.

3. The “Honey” Relationship: Personal and Operational Alliance

A significant thread centers on “honey” (also visible elsewhere as “Meow2”):

- Role and activities:
  - Engaged in ransomware operations, often on European and US networks.
  - Mentions:
    - Locking “Frenchies” on Friday nights.
    - Using Babuk ransomware.
    - Holding German university and US health networks with ESXi.
    - Asking for help with CME, Metasploit, privilege escalation, and dsquery.
  - Requests new lockers and mentions waiting for the admin’s own planned ransomware.
- Tone and emotional content:
  - honey repeatedly says he misses the admin and fears something bad might have happened when he is silent.
  - He describes:
    - Insomnia and substance use (“did some lines yesterday”).
    - Feelings of uselessness when the admin is inactive.
    - Thoughts of leaving the “underworld” entirely.
  - There is banter about visiting Ibiza, “banging bitches”, and spending money.
- Admin (KAJIT), later Stallman:
  - Reassures honey periodically: “np bro, all fine”.
  - Provides updated contact handles (Tox/Jabber).
  - Accepts or rejects some operational requests (e.g., lockers, beacons).

This relationship illustrates how ransomware operations are intertwined with close personal bonds, emotional dependence, and psychological stress.

4. Emergence of Stallman as a Specialist Buyer and Ransomware Operator

4.1 Initial Role: Buyer of US Government Accesses

Stallman appears initially as a regular user with a specific niche:

- He states clearly:
  - His specialty is US government accesses (gov networks in the US).
  - He maintains his own private cryptolocker (ransomware).
  - He invites brokers to come directly to him with US city administrations, social service agencies, PDs (police departments), hospitals, and other public sector targets.

Several users respond by offering accesses to US networks (e.g., social service agencies, YMCAs, universities).

He consistently:

- Asks for screenshots from inside the networks (shares, domain structure, ESXi hosts).
- Negotiates the price down if targets are not aligned with his ideal profile (e.g., from $800 to $500 for certain non‑optimal nets).
- Rejects targets that don’t meet his criteria (e.g., not sufficiently “governmental” or strategic).

This frames Stallman as a buyer focused on monetizing specific US public‑sector infrastructures via ransomware.

4.2 Refusal to Release His Locker

When some users try to barter access or payloads for Stallman’s private ransomware, he draws a clear line:

- He states he does not share his locker with unknown people.

- His cryptolocker remains a strictly private tool, reinforcing his desire to keep a competitive edge and limit distribution risk.

5. Stallman as Guarantor (Escrow)

As activity on RAMP grows, Stallman evolves into the central guarantor (escrow) for high‑value deals.

5.1 Large Software / Exploit Deals

Two emblematic deals show his method:

5.1.1 Cobalt Strike 4.4/4.5 + Kits (johndoe vs. Mafia)

- Product:
  - Cobalt Strike 4.4 and 4.5 (original and cracked).
  - Additional kits (Artifact Kit, Mimikatz Kit, Sleep Mask, possibly more).
- Price:
  - Initially discussed around $3000, eventually negotiated to $8000.
- Stallman’s protocol:
  - Creates a formal written deal describing:
    - Parties involved.
    - Exact products to be delivered.
    - Total price and his 5% escrow fee.
    - His BTC address for the main payment and a separate one for his fee.
  - Buyer sends the agreed amount; Stallman confirms receipt.
- Issue:
  - Buyer cannot get the tools to run properly on Kali Linux.
  - Seller recommends switching to Ubuntu, where his setups are tested.
- Resolution:
  - After negotiation, both agree on a partial refund: $5000 returned to the buyer; $3000 kept by the seller.
  - Stallman:
    - Computes exact BTC amounts.
    - Confirms destination wallets with each party.
    - Executes transfers and posts transaction IDs.
  - He then requests public reviews of his guarantor service in the appropriate thread on RAMP.

This demonstrates a professionalized escrow process: clear documentation, freezing of funds, dispute handling, and final settlement.

5.1.2 SonicWall SSL VPN Exploit + Panel + Dork (eliotto vs. Whop‑Whop)

- Product:
  - Private exploit for SonicWall SSL VPN.
  - Exploit panel and scanning “dork”.
  - Seller claims the dork yields 100,000 vulnerable hosts.
- Deal structure:
  - Price: ~0.20582992 BTC (~$9,000 at the time).
  - Stallman charges a 5% fee.
  - Buyer pays to Stallman’s escrow wallet.
- Issue:
  - Buyer’s tests show:
    - Only ~30,000 hosts in the panel.
    - Many inert, down, or honeypot‑like hosts.
    - Exploit not working as reliably as advertised.
  - Buyer claims significant overstatement and demands relief or cancellation.
- Stallman’s actions:
  - Freezes funds and instructs both sides to:
    - Keep logs.
    - Engage in direct discussion.
  - Encourages them toward a compromise.
- Outcome:
  - They eventually agree:
    - Seller keeps ~$3000 equivalent.
    - Remaining amount returned to buyer.
  - Stallman reiterates amounts and addresses.
  - Sends the BTC and posts the transaction proof.
  - Again, he asks both parties to review his escrow.

This solidifies Stallman’s reputation as a neutral, rules‑based arbiter of complex, high‑value software disputes.

5.2 General Escrow Practices

Beyond these flagship cases, Stallman:

- Runs many smaller escrows.
- Publishes how‑to instructions for using his guarantor service.
- Consistently:
  - Documents deal terms.
  - Holds funds until confirmation.
  - Demands proof (e.g., logs, screenshots, test results) in disputes.

By the time he becomes admin, Stallman is widely trusted as guarantor, especially for expensive malware/exploit sales.

6. Transition of Power: Stallman Becomes Sole Owner/Admin

6.1 Departure of the Original Admin and Support

Over time:

- KAJIT/admin becomes less active and more constrained, reportedly due to FSB (Russian security service) interest.
- A separate key figure, Support (the infrastructure engineer), provides a long message stating:
  - He built:
    - The containerized architecture for RAMP.
    - The blog, Jabber, and other services.
    - Backups and automated scripts.
  - He is leaving due to “disgusting movements” in the project (internal disagreements).
  - He offers:
    - Paid technical assistance to Stallman in the future (e.g., server migration).
    - Advice on:
      - Cheaper hardware (the current server is over‑sized and expensive).
      - Proper log rotation and backups.
      - A thematic redesign to make the forum look more “gaming‑like” externally.

Following this, Stallman states explicitly:

- He acquired the forum from the previous administration.

- He is now the only owner.

- The earlier parts of conversations (e.g., with some users) involved another person using the “admin” account, who is now banned.

- “It’s the same Stallman here now” — unifying his identity between the “Stallman” user and the admin account.

6.2 Immediate Administrative Priorities

Post‑transition, Stallman focuses on:

1. Security & Vetting
   - He sees researchers, journalists, and security people as existential threats.
   - He wants a strict filtering system for new users.
2. Reputation Management
   - Opposed to RAMP becoming a “trash heap” where public tools or pirated courses are resold as “private”.
   - Insists on:
     - Original or at least practically useful content.
     - Avoiding obviously scammy offers (e.g., a “dox service” leaking admins’ info).
3. Resolving Legacy Issues
   - CheckZilla proves he paid $1500 for a 3‑month banner under the prior admin; Stallman confirms the payment and reinstates the banner for the remaining time.
   - Lost accounts and 2FA: Stallman personally verifies identities via Exploit/XSS PMs before resetting credentials.
4. Rebuilding the Moderator Team
   - Reassesses existing moderators.
   - Removes or sidelines those perceived as incompetent or suspicious.
   - Plans a small, tight, paid staff with clear tasking.

7. Building a Controlled Ecosystem: Moderators, Vetting, and Rules

7.1 Core Moderators and Their Roles

- Nowheretogo / kikersback:
  - Primary registration gatekeeper:
    - Reviews new user applications.
    - Requires links to existing profiles on Exploit and XSS.
    - Confirms identity by PM on those forums.
  - Acts as:
    - Curator of content (especially technical, non‑trivial material).
    - Tester of new tools (malware, RATs, exploit packages) before listing.
    - Advisor on marketing (e.g., ad strategy on WWH‑CLUB, a future certificate system).
  - Receives a monthly salary:
    - Starts around $250/month.
    - Receives an additional $250 in one instance as both apology and incentive.
- sHBKm15 / ChinaRules:
  - Moderator for Chinese‑language sections.
  - Helps with structural adjustments, such as creation of a SQL Injection subforum at Chinese users’ request.
  - Responds quickly to small admin tasks:
    - Bans specific users on request.
    - Clarifies local user issues.
- chaindel:
  - Moderator and promoter:
    - Actively advertises RAMP through Telegram infosec chats.
    - Posts copied content (articles, tools, dumps) from other forums to seed activity.
  - Receives $200/month salary for this combined technical/marketing work.
- Other candidates:
  - Users like blackswan, michael, and Palooza show interest in moderation or vetting, offering to identify “researchers”, scammers, or spies.
  - Palooza claims to know at least one spy among the old moderators.

Stallman insists that moderators:

- Be personally known or at least strongly vouched for.

- Maintain activity and reliability (he complains when some are absent for weeks).

- Help filter and organize the content, making the forum appear more professional and selective.

7.2 Rigid Registration and Anti‑Researcher Policy

Stallman gradually tightens registration:

1. Baseline rule:
   - A new registration must include a link to an Exploit or XSS profile.
   - Later, Stallman prefers requiring both, though exceptions remain.
2. Process:
   - Applicants send their forum handles on Exploit/XSS.
   - A moderator (usually Nowheretogo) sends PMs on those external forums to verify:
     - Ownership of the profile.
     - Some baseline level of activity (not a fresh or empty account).
3. Paid registration:
   - For users without acceptable references:
     - Stallman plans paid entry at ~$500 per account.
     - Funds go to a dedicated BTC wallet managed by a moderator.
     - Contact handles (Tox/Jabber) of moderators are to be published to coordinate such registrations.
4. Researcher hostility:
   - Stallman frequently emphasizes the need to keep out “journalists”, “analysts”, and “researchers”.
   - Candidates who appear too “OSINT‑ish” or who over‑expose themselves publicly are flagged and often rejected.

This system is meant to make RAMP a semi‑closed, reputation‑gated community, mitigating infiltration risk while still growing.

8. Forum Content Strategy, Marketing, and Monetization

8.1 Content and Section Structure

Stallman encourages:

- Sales of:
  - Ransomware (lockers, panels, builders).
  - Accesses (RDP, VPN, vCenter, Gitlab, F5, log4j, ProxyShell).
  - Exploit code, malware, stealers, RATs, bots, spam tools.
- But bans:
  - Pornographic content.
  - Drug‑related content.

He reorganizes sections:

- Adds an SQL Injection section under database/leakage.
- Supports threads for:
  - Training materials, but checks for originality (e.g., “Дождь” selling courses must prove that the content is not just public junk).
  - Exploit sales (e.g., InstallerFileTakeOver, SonicWall, etc.).
  - Ransomware operations (dedicated subforums for affiliates and initial access brokers).

He also signals interest in:

- Commissioning high‑quality technical articles from experienced Chinese pentesters, reversers, and coders.

- Possibly creating a certification or “elite tier” for verified professionals in the future.

8.2 External Promotion and Banner Advertising

RAMP considers external advertising:

- Targets:
  - Carding forums (e.g., WWH‑CLUB, club2card).
  - Other specialized boards where carders, log sellers, inject authors, and net access traders already congregate.
- Debates and challenges:
  - Some Russian forums disallow explicit ransomware ads.
  - Moderator Nowheretogo is concerned that a banner reading “forum where ransomware is allowed” might be blocked.
  - Stallman:
    - Wants to emphasize ransomware explicitly as RAMP’s differentiator.
    - But is open to nuanced wording if needed for ad acceptance.
- Negotiation strategy:
  - Nowheretogo has personal contacts among WWH moderators.
  - He is tasked with:
    - Obtaining ad price lists.
    - Negotiating the content of banners or text threads.
  - Stallman insists any communication should present RAMP as a long‑term niche project, not a short‑lived scam.

8.3 Future Monetization: Certificates and Paid Entry

Stallman, advised by Nowheretogo, contemplates:

- A mid‑/long‑term shift towards:
  - Paid certificates to access certain privileged sections (resembling the old “Maza” forum model).
  - A tiered system where:
    - Public parts are open to vetted users.
    - High‑value markets (exploits, ransomware, big corporate access) require a paid certificate and stricter vetting.
- He evaluates the potential once RAMP reaches ~100,000 users and has a stable core of professionals.

In the short term, immediate monetization is:

- Paid registrations for unreferenced users.

- Banner ads (already sold under previous admin).

- Possible internal marketplace modules (with ratings and reviews) for automated transactions.

9. Internal Tensions, Conflicts, and Psychological Strain

9.1 Technical and Financial Strains

- Server costs:
  - The initial server (16 cores, 32 GB RAM) is expensive and over‑dimensioned.
  - Some ancillary services (blog, Jabber, Rocket.Chat) go offline due to non‑payment.
  - Stallman is advised to:
    - Migrate to cheaper infrastructure.
    - Maintain security (iptables, log cleaning, backups) after the old admin staff leaves.
- Moderator compensation:
  - Stallman’s monthly payments to moderators put additional pressure on finances.
  - Moderators express appreciation but also hint at personal financial strain.

9.2 User Deletions and Moral Ambivalence

Several users request:

- Full account deletion for OPSEC reasons or due to regret.

- Some express moral doubt or fatigue about continued cybercrime involvement.

Stallman or moderators usually comply but are sometimes wary of potential entrapment or investigation triggers.

9.3 Reputation Attacks from Other Forums

- On XSS, some users and moderators reportedly:
  - Mock RAMP’s admin(s).
  - Accuse the project of incompetence or of being unsafe.
- Some RAMP users (e.g., J4RV15) voice anger about such attacks, emphasizing that:
  - RAMP helped them learn and develop skills.
  - The criticism is, in their view, unfair.

Stallman’s response:

- Publicly downplays the criticism (“We’ll show by actions, not words”).
- Privately is clearly sensitive to RAMP’s image, especially regarding:
  - Quality of content.
  - Seriousness of the escrow system.
  - Absence of “trash” or open scams.

10. Synthesis: From Personality‑Driven Forum to Structured Ransomware Marketplace

Taken together, the conversation tracks RAMP’s evolution through three major phases:

1. Founding and Early Growth under KAJIT
   - Strong focus on ransomware operations and on training a small hacking team.
   - Close alliances with operators like honey.
   - Technical experimentation with exploits, lockers, and network intrusions.
   - Loose structure: moderation and escrow systems not yet formalized.
2. Rise of Stallman as Guarantor and Power Broker
   - Stallman emerges as:
     - A specialist buyer of US government and public sector accesses.
     - A ransomware operator with a private cryptolocker.
     - The principal escrow agent, managing large‑ticket sales and disputes.
   - His careful handling of the Cobalt Strike and SonicWall exploit deals greatly enhances his trust and status.
3. Consolidation Under Stallman as Sole Owner/Admin
   - With KAJIT’s exit (under apparent law‑enforcement pressure) and Support’s departure, Stallman assumes full administrative control.
   - He:
     - Rebuilds the moderation team around a few trusted users.
     - Implements strict vetting and anti‑researcher policies.
     - Establishes paid roles and expectations for moderators.
     - Clarifies and enforces market rules (allowed/forbidden content).
     - Develops a marketing and monetization strategy (ads, paid registrations, a potential certificate system).
   - RAMP transitions from a somewhat improvised ransomware hub into a more structured, professionally run underground marketplace, centered on ransomware, exploitation, and high‑value network access trade.

Throughout, the conversation underscores that this criminal ecosystem is highly social and trust‑dependent: personal bonds, emotional ties, reputation management, and careful conflict resolution are as important as technical skill and infrastructure.