An attempt is being made to team up with Chinese attackers in a Russian-speaking, RAMP hacker forum. According to researchers from Flashpoint, high-level players and RAMP administrators are actively communicating with new forum members in machine-translated Chinese, requesting Mandarin-speaking players to participate in conversions, share suggestions, and coordinate on attacks.
America on target
The hacking forum has received at least thirty new user registrations from China, suggesting that this could be the launch of something significant.
The most likely reason, according to security experts, is that Russian hackers are seeking to build partnerships with Chinese threat actors in order to launch cyber assaults against American targets, exchange vulnerabilities, or even recruit fresh talent for their Ransomware-as-a-Service (RaaS) operations.
This initiative was launched by a RAMP admin named Kajit, who claims to have just spent time in China and speaks the language, according to a threat analyst who spoke to BleepingComputer earlier this month. He indicated in a previous version of RAMP that he’d invite Chinese attackers to the forum, which appears to be befalling now.
However, Russian hackers attempting to interact with Chinese attackers isn’t confined to the RAMP hacking community as Flashpoint researchers have also observed similar collaboration on the XSS hacking forum.
“In October, an XSS user replied to a thread with a Chinese-language ad looking for partners in a ransomware operation. Furthermore, in the wake of BlackMatter’s shutdown, the spokesperson of LockBit invited BlackMatter’s affiliates to move to China where the LockBit spokesperson claimed to be residing.”
In the screenshot, XSS user “hoffman” greets two forum members who revealed themselves as Chinese. The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese,” explains the new research by Flashpoint.
Last month, 'Orange' or 'boriselcin', RAMP admin who ran the "Groove" site, issued a post encouraging attackers to target the United States. After the media picked up on the story, the Groove actor claimed that the operation was fake from the beginning and was launched to troll and manipulate the media and security experts.
RAMP, a Russian-language forum emerged as recently as July this year and has garnered a lot of interest from researchers and cybercriminals alike. RAMP, named as a tribute to the now-defunct Russian drug marketplace, actually stands for Ransom Anon Market Place and is hosted on the same domain that previously hosted the Babuk ransomware data leak site and then the Payload.bin.