Security News

Cybersecurity news aggregator

INFO News Dark Reading

RAMP Forum Seizure Fractures Ransomware Ecosystem

  • What: The FBI seizure of the RAMP cybercrime forum has fractured the ransomware ecosystem, with two new forums emerging to replace it.
  • Impact: The disruption affects ransomware-as-a-service (RaaS) operations, as RAMP was a primary vehicle for acquiring affiliates.

Researchers suggest defenders monitor how these malicious groups re-form and leverage the useful threat intel to guide their next moves.

Alexander Culafi, Senior News Writer, Dark Reading
February 25, 2026

As one ransomware community shutters in RAMP, two more pop up to take its place.

Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares.

In this week's blog post, Rapid7's Alexandra Blia and Efi Sherman identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.

"For defenders, visibility into centralized coordination is shrinking. Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping," the blog post read. "Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."

Raj Samani, chief scientist at Rapid7, tells Dark Reading that the current ransomware ecosystem is a "burgeoning" yet fluid one, with different groups active at different times.

"We see instances where groups disappear and then return with an array of tools that victims are entirely unprepared for, such as Cl0p," he says.

A Tale of Two Ransomware Forums

With RAMP gone and unlikely to return (its administrator said as much), ransomware actors began discussing where to go next. While other popular hacker forums exist, a number of them, like XSS, do not allow for ransomware recruitment.

One early successor has proven to be T1erOne, a closed forum started early this month that allows members to join only with proof of activity on another forum or a $450 payment. Because parts of RAMP's database leaked in the wake of the shutdown, "This structure is designed to reduce the risk of infiltration or exposure," Blia and Sherman wrote.

"While closed, paid-entry forums are not new, their emergence immediately after a high-profile seizure suggests defensive adaptation. By raising financial and reputational barriers, administrators reduce infiltration risk while signaling seriousness to high-value actors," they added. "If historical patterns hold, the next phase will likely involve smaller clusters of trusted actors consolidating around vetted spaces, with recruitment occurring through referrals rather than open posts. This reduces visibility but increases operational cohesion."

The forum directly advertises ransomware in an apparent attempt to fill the gap left by RAMP. Some ransomware affiliate groups, such as Qilin and Cry0, have reportedly begun advertising on the forum.

The other prominent early forum is Rehub, which existed prior to RAMP's closure. It has been active since August of last year and has an open membership structure compared with T1erOne. Rapid7 researchers verified that several ransomware actors are already active on the platform; LockBit and Gentlemen have had a presence since September, while DragonForce joined the day RAMP went offline. Multiple posts advertise RaaS offerings.

A Fragmented Ransomware Future After RAMP

Rapid7 concluded that the future after RAMP is not one successor but a divergent path to serve different parts of the cybercrime ecosystem. Rehub exists as an easy rebound for displaced ransomware actors, while T1erOne appears to target higher value targets in a play for trust. This complicates visibility for defenders, who must now track patterns across multiple platforms and determine early RaaS recruitment signals.

This recent forum activity also shows, Samani tells Dark Reading, that even as RAMP's seizure harms trust within the cybercrime community, financial incentives will overpower any need to lay low.

"We have seen this play out so many times before," he says. "Take BreachForums and XSS, for example, where we saw another version pop up within a month after the shutdown of the first. Simply put, this demonstrates a significant economy where threat actors do not feel the risk due to the perceived anonymity provided by the online nature of these forums."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
