
Co-conspirators sentenced for $75.3M scheme in ransom negotiator case


As the BlackCat ransomware negotiator case moves toward its final sentencing, new details have emerged about the full scale of the scheme and what it means for healthcare organizations that rely on third-party incident response firms.

 

What happened

Angelo Martino, a ransomware negotiator who worked with companies in the retail, hospitality, and medical sectors, has pleaded guilty to a felony charge after federal prosecutors alleged he secretly collaborated with a cybercriminal gang to maximize ransom payments from his own clients and collect a share of the proceeds. According to CNN, Martino accumulated at least $10 million in assets, including a luxury fishing boat and two properties, while working in one of cybersecurity's most sensitive roles. Two co-defendants, Kevin Tyler Martin and Ryan Clifford Goldberg, have also pleaded guilty. All three are accused of deploying ransomware on victim computers, the same activity they were hired to prevent. After extorting one victim for $1.2 million, the three men split the Bitcoin payment three ways. With Martino's assistance, the cybercriminal gang secured ransom payments of $25 million or more from a nonprofit and a financial services firm. Martino and Martin worked for DigitalMint, an Illinois-based firm that helps victims recover from ransomware attacks. DigitalMint said it immediately terminated both men after learning of the allegations and stated it had no prior knowledge of their criminal activity.

 

Going deeper

According to the U.S. Department of Justice, Martino negotiated on behalf of five ransomware victims. Martino would then provide confidential information to BlackCat about his clients' negotiating strategies, including information about the victims' insurance policy limits. This information helped BlackCat determine the best way to continue ransomware negotiations. All five of the negotiations Martino assisted in resulted in a ransom being paid. Across all victims connected to the scheme, total ransom payments reached $75.3 million. Martino was compensated for providing this information to BlackCat.

Martino, alongside Goldberg and Martin, also helped deploy BlackCat ransomware between April 2023 and November 2023. Goldberg, realizing he was under investigation, fled the country and traveled through 10 countries before the FBI tracked him down in Mexico City and returned him to the United States.

Martino's conduct exploited a structural vulnerability that ransomware operators have long sought to create. Ransomware groups have a documented history of attempting to build direct relationships with negotiation firms and developing mechanisms that allow unethical intermediaries to profit from ransom payments without victims having visibility into the arrangement.

 

What was said

A senior Justice Department official told CNN that "in working on ransomware for many years, we were hearing rumors of misconduct, and I wasn't shocked that we ended up with a case with these types of charged facts." Magnus Jelen, an executive at incident response firm Coveware, stated that "ransomware threat actors have a long and well-documented history of attempting to build direct relationships with negotiation firms," and that "when these incentive structures operate out of sight, it is the victims who bear the consequences. Organizations end up paying ransoms that might otherwise have been avoided, further fueling the cyber extortion economy and reinforcing a cycle that puts more businesses at risk." DigitalMint said in a statement that "the actions of Martino and his co-conspirators, unknown to the company, were in clear violation of the company's values, ethical standards, and the law."

 

In the know

On April 30, 2026, co-conspirators Ryan Goldberg and Kevin Martin were each sentenced to four years in federal prison for their roles in the BlackCat ransomware scheme. Martino is scheduled to be sentenced on July 9, 2026, and faces a maximum penalty of 20 years in prison.

The case has prompted at least one firm to restructure how it handles ransom payment engagements. Coveware announced it no longer charges any processing fee for clients who choose to pay ransoms, with Magnus Jelen stating that "advice on ransom payments must be completely objective and free from incentive bias." The Justice Department's acknowledgment that it has examined at least one other unrelated fraud case in the cybersecurity incident response space signals that the Martino prosecution is not viewed as an isolated incident. Federal officials have long relied on close relationships with private cybersecurity firms to gather intelligence, compare notes, and assist in taking down criminal infrastructure, and the Martino case puts direct pressure on the trust that underpins those relationships.

 

The big picture

Healthcare organizations are among the most frequent targets of ransomware and among the most likely to engage third-party negotiators when an attack occurs. The Martino case establishes that the selection of a ransomware negotiator carries its own risk and that fee structures tied to ransom outcomes create incentive misalignment that attackers have actively exploited. According to Paubox's 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264% since 2018, and the FBI's 2025 Internet Crime Report named healthcare the most targeted critical infrastructure sector. Each ransomware incident that reaches the negotiation stage represents a decision point where healthcare organizations are placing trust in a third party under extreme time pressure and with limited ability to verify that party's conduct. The Martino case demonstrates that verification failure at that stage can result in inflated ransom payments that directly fund the criminal groups responsible for future attacks on other healthcare organizations.

 

FAQs

What is a ransomware negotiator, and what do they typically do?

A ransomware negotiator is a third-party specialist hired by a victim organization to communicate with attackers, assess ransom demands, and advise on whether and how much to pay. They use knowledge of attacker behavior and prior cases to negotiate demand reductions and manage the process of obtaining decryption keys once a payment is made.

 

How did Martino's arrangement with the attackers work?

Prosecutors allege Martino shared his clients' negotiating positions with the criminal gang, allowing attackers to hold firm or escalate demands with full knowledge of how much the victim was willing to pay. Martino then received a portion of the resulting ransom payments as compensation for that intelligence.

 

What should healthcare organizations look for when selecting a ransomware negotiator?

Organizations should verify that the firm's fee structure has no component tied to the size of the ransom paid, request references from prior clients, and confirm the firm has no financial relationship with any ransomware group or cryptocurrency processing service that benefits from payment volume. Engaging legal counsel to review the engagement terms before an incident occurs is preferable to making that selection under attack pressure.

 

Why does a fee tied to the ransom outcome create a conflict of interest?

A negotiator whose compensation increases with the ransom paid has a financial incentive to allow demands to remain high rather than negotiate them down. Even without deliberate collusion, that structure produces advice that may not be in the victim's best interest, and as the Martino case shows, it creates an opening that ransomware operators have specifically sought to exploit.

 

What does this case mean for healthcare organizations that have already used a third-party negotiator?

Organizations that engaged a ransomware negotiator in a past incident should review the fee structure of that engagement and assess whether the advice received was consistent with minimizing the ransom paid. If there are concerns about the integrity of a prior negotiation, legal counsel should be consulted about potential remedies and whether disclosure obligations apply.
