The recent seizure of the RAMP forum by U.S. authorities has triggered a significant restructuring of the ransomware-as-a-service (RaaS) ecosystem. For years, RAMP served as a centralized hub for recruiting affiliates and coordinating operations. Its disruption on January 28, following an interagency operation led by the FBI, has forced threat actors to migrate to alternative platforms, leading to a more fragmented and compartmentalized operating environment.
Research from Rapid7 indicates that while the centralized infrastructure of RAMP has been dismantled, the underlying activity has not ceased; it has merely redistributed. Two primary forums have emerged as successors, each representing a different operational model: T1erOne and Rehub. This shift presents a challenge for security teams, as visibility into centralized coordination is diminishing, requiring a broader approach to threat intelligence.
Divergent Paths: T1erOne and Rehub
The post-RAMP scene is defined by a split between exclusive, high-trust environments and more accessible, open marketplaces.
T1erOne has positioned itself as a closed, highly vetted community. Established shortly after RAMP’s closure, it enforces strict entry requirements to mitigate the risk of infiltration by security researchers or law enforcement. Prospective members must provide proof of activity from other reputed forums or pay a $450 registration fee. This structure suggests a defensive adaptation by threat actors, prioritizing operational security and trust over rapid scaling.
Reports indicate that T1erOne is explicitly advertising ransomware services to fill the void left by RAMP. Groups such as Qilin and Cry0 have reportedly begun using the platform for affiliate recruitment. The barriers to entry on T1erOne signal a consolidation of high-value actors into smaller, trusted clusters, making external monitoring more difficult.
Rehub, in contrast, operates with a more open membership structure. Active since August of the previous year, it has become a landing ground for displaced operators who may not meet the vetting criteria of closed groups. Rapid7 researchers have verified the presence of several established groups on the platform, including LockBit and Gentlemen. Notably, the DragonForce group established a presence on Rehub immediately following the RAMP seizure.
Operational Evolution and Coalitions
Beyond venue migration, the tactics within the ecosystem continue to evolve. Recent intelligence suggests a move toward strategic partnerships, or "coalitions", among major RaaS operators. LockBit and DragonForce have announced collaborative efforts to share resources and development capabilities. This cooperation aims to standardize tools and potentially aggregate data from unauthorized access events to increase leverage over affected organizations.
Speed remains a critical factor in these operations. Analysis of recent campaigns shows that automation is reducing the "breakout time" (the interval between initial access and lateral movement) to as little as 18 minutes. This compression of the timeline limits the window for manual detection and response.
Implications for Defense
The fragmentation of the RaaS ecosystem requires security organizations to adapt their intelligence and response strategies. Monitoring a single centralized forum is no longer sufficient.
Intelligence Strategy
Security teams should broaden their monitoring scope to track actor migration patterns and cross-platform recruitment signals. Identifying early indicators of regrouping, such as the rapid population of forums like T1erOne, allows defenders to anticipate shifts in targeting and tradecraft.
Automated Response
Given the reduction in breakout times, reliance on manual intervention is increasingly risky. Organizations should implement automated containment protocols that can isolate affected segments immediately upon the detection of high-fidelity indicators.
Network Segmentation
To counter the speed of lateral movement, rigorous network segmentation is essential. Limiting the "blast radius" of compromised credentials or endpoints prevents unauthorized access from propagating to critical assets.
Vulnerability Management
With groups like Cl0p and Qilin focusing on zero-day vulnerabilities and supply chain exploits, prioritizing the patching of public-facing infrastructure remains a fundamental control.
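To make the breakout-time and automated-containment points concrete, here is an added example (not code from the article or from Rapid7) that measures breakout time from host telemetry and decides, per host, whether automation should isolate it on the first high-fidelity indicator. The log lines, hostnames, event types and the 30-minute manual triage assumption are all constructed for illustration; a real deployment would map its own EDR or SIEM event names onto the HIGH_FIDELITY set.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample telemetry for this example (not from the article or Rapid7).
# Each line: <ISO-8601 UTC timestamp> <host> <event_type> key=value ...
SAMPLE_EVENTS = [
    "2026-02-03T09:00:00Z ws-17 initial_access user=jdoe src=203.0.113.5 note=vpn_login_new_geo",
    "2026-02-03T09:04:10Z ws-17 credential_access user=jdoe note=lsass_handle_opened",
    "2026-02-03T09:18:00Z ws-17 lateral_movement user=jdoe dst=fs-01 note=admin_share_logon",
    "2026-02-03T09:20:30Z ws-17 lateral_movement user=jdoe dst=dc-01 note=remote_service_created",
    "2026-02-03T10:00:00Z ws-22 initial_access user=asmith src=198.51.100.7 note=vpn_login_new_geo",
]

# Event types treated as high-fidelity indicators: precise enough that isolating
# the host automatically is justified without waiting for an analyst.
# This set is an assumption for the example; a real SOC tunes it to its telemetry.
HIGH_FIDELITY = {"credential_access", "lateral_movement"}

# Assumed time an analyst needs to pick up an alert and act on it by hand.
MANUAL_TRIAGE_MINUTES = 30.0


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: Dict[str, str]


@dataclass
class Decision:
    host: str
    action: str                               # "isolate" or "monitor"
    reason: str
    isolate_at: Optional[datetime]            # when automation would isolate the host
    contained_before_lateral: Optional[bool]  # None if no lateral movement was seen


def parse_event(line: str) -> Event:
    """Parse one telemetry line of the constructed format into an Event."""
    ts, host, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, fields)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse and sort chronologically so first-seen logic below is correct."""
    return sorted((parse_event(line) for line in lines), key=lambda e: e.ts)


def breakout_minutes(events: List[Event]) -> Dict[str, Optional[float]]:
    """Per host: minutes from first initial_access to first lateral_movement,
    or None when no lateral movement has been observed from that host yet."""
    first_access: Dict[str, datetime] = {}
    first_lateral: Dict[str, datetime] = {}
    for e in events:
        if e.kind == "initial_access":
            first_access.setdefault(e.host, e.ts)
        elif e.kind == "lateral_movement" and e.host in first_access:
            first_lateral.setdefault(e.host, e.ts)
    return {
        host: ((first_lateral[host] - t0).total_seconds() / 60.0
               if host in first_lateral else None)
        for host, t0 in first_access.items()
    }


def containment_plan(events: List[Event]) -> Dict[str, Decision]:
    """Decide per host whether automation isolates it, and whether that
    isolation lands before the host's first lateral-movement step."""
    first_lateral: Dict[str, datetime] = {}
    for e in events:
        if e.kind == "lateral_movement":
            first_lateral.setdefault(e.host, e.ts)

    decisions: Dict[str, Decision] = {}
    for e in events:
        if e.host in decisions:
            continue  # the first high-fidelity hit already decided this host
        if e.kind in HIGH_FIDELITY:
            lateral = first_lateral.get(e.host)
            decisions[e.host] = Decision(
                host=e.host, action="isolate",
                reason=f"high-fidelity indicator: {e.kind} ({e.fields.get('note', '')})",
                isolate_at=e.ts,
                contained_before_lateral=(e.ts < lateral) if lateral is not None else None,
            )
    for e in events:  # hosts with only low-fidelity signals stay under observation
        decisions.setdefault(e.host, Decision(
            host=e.host, action="monitor", reason="only low-fidelity signals so far",
            isolate_at=None, contained_before_lateral=None))
    return decisions


def beats_manual_triage(minutes: Optional[float]) -> bool:
    """True when the observed breakout is faster than an analyst could act."""
    return minutes is not None and minutes < MANUAL_TRIAGE_MINUTES


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    plan = containment_plan(evs)
    for host, mins in breakout_minutes(evs).items():
        d = plan[host]
        print(f"{host}: breakout={mins} min, faster than manual triage="
              f"{beats_manual_triage(mins)}, action={d.action}, "
              f"contained before lateral movement={d.contained_before_lateral}")
```

On the constructed data, ws-17 shows an 18-minute breakout, well inside the 30-minute manual triage assumption, but the credential-access indicator fires at minute 4, so an automated isolation keyed on that event lands fourteen minutes before the first admin-share logon. ws-22 only has a low-fidelity new-geo VPN login and is left under observation, which is the trade-off the article's "high-fidelity indicators" wording implies: automation acts on precise signals and leaves ambiguous ones to analysts.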
While the seizure of RAMP disrupts immediate coordination, the financial incentives driving RaaS ensure the ecosystem will reorganize. By understanding these structural shifts, defenders can better position themselves to detect and mitigate emerging threats.