Ex-incident responders plead guilty in BlackCat ransomware attacks

Two former employees of well-known cybersecurity incident response firms Sygnia and DigitalMint have pleaded guilty to participating in BlackCat (ALPHV) ransomware attacks that targeted US companies throughout 2023.

 

What happened

Ryan Clifford Goldberg, 33, of Watkinsville, Georgia, and Kevin Tyler Martin, 28, of Roanoke, Texas, have pleaded guilty to conspiracy to obstruct commerce by extortion for their involvement in BlackCat ransomware attacks carried out between May and November 2023. 

Goldberg, a former incident response manager at Sygnia, and Martin, a former ransomware threat negotiator at DigitalMint, acted as affiliates of the BlackCat ransomware-as-a-service (RaaS) operation. The two defendants worked alongside a third, unnamed co-conspirator to gain unauthorized access to victim networks, deploy ransomware, encrypt systems, and issue extortion demands. 

In exchange for access to BlackCat’s ransomware tools and infrastructure, the defendants paid the group approximately 20% of any ransom proceeds. The pair were charged in November and are scheduled to be sentenced on March 12, 2026, each facing a maximum penalty of 20 years in prison.

 

The backstory

BlackCat, also known as ALPHV, is one of the most prolific ransomware groups in recent years, operating under a RaaS model that allows affiliates to conduct attacks using shared malware and extortion platforms. Throughout 2023, BlackCat was responsible for high-impact attacks across multiple sectors, including healthcare, pharmaceuticals, and medical technology.

In December 2023, US law enforcement disrupted BlackCat’s operations after the FBI breached the group’s servers, monitored internal activity, and obtained decryption keys. Despite these efforts, investigations into BlackCat affiliates continued into 2024, including scrutiny of individuals with prior roles in cybersecurity and ransomware negotiation firms.

 

Going deeper

  • Victim profile: Prosecutors allege the defendants targeted a wide range of organizations, including a Maryland pharmaceutical company, a California engineering firm, a Tampa-based medical device manufacturer, a Virginia drone manufacturer, and a California doctor’s office.
  • Ransom demands: The group issued ransom demands ranging from $300,000 to $10 million per victim.
  • Confirmed payment: Only one payment is confirmed in the indictment, amounting to $1.27 million, which was paid by the Tampa medical device manufacturer after its servers were encrypted in May 2023.
  • Abuse of trust: Both defendants allegedly used their professional cybersecurity training to identify vulnerabilities, evade detection, and increase pressure during extortion negotiations.

 

What was said

“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva in a recent Department of Justice press release.

Special Agent in Charge Brett Skiles of the FBI Miami Field Office added, “Malware like ALPHV (BlackCat) ransomware is used by bad actors to steal, extort, and launder proceeds from victim businesses and organizations.”

Skiles further stated, “We strongly encourage businesses to exercise due diligence when engaging third parties for ransomware incident response, report suspicious or unethical behavior, and to expeditiously report any ransomware attack to the FBI and our law enforcement partners to safeguard their security and privacy.”

 

By the numbers

  • Ransom demands issued ranged from $300,000 to $10 million.
  • $1.27 million confirmed ransom collected.
  • At least $300 million in ransom payments from more than 1,000 victims before September 2023.

 

In the know

RaaS operations, such as BlackCat, rely on affiliates to carry out attacks, while the core group maintains malware, payment infrastructure, and leak sites. Affiliates are often paid a percentage of ransom proceeds, incentivizing their attacks. 

“In a virtual economy where people are anonymous and real trust is hard to come by, there are plenty of opportunists trying to make money from naïve cybercriminals,” explains a Computers and Security publication on the Ransomware-as-a-Service economy within the darknet.

The publication further states, “it is important to remember that ransomware prevails as a serious threat when committed by experienced cybercriminals, and the forums may be considered a recruitment ground for their organizations.”

 

Why it matters

When individuals with direct experience in incident response and ransom negotiations misuse their access and expertise, attacks can become more targeted, damaging, and difficult to defend against. Consequently, healthcare organizations, which remain prime ransomware targets, must maintain strict access controls, continuous monitoring, and secure communication practices to limit external and insider-driven threats.

 

FAQs

What is an insider threat in cybersecurity?

An insider threat happens when individuals with trusted access or specialized knowledge misuse that position to compromise systems, steal data, or facilitate cyberattacks.

 

What is cyber extortion under US law?

Cyber extortion, under Title 9 of the U.S. Department of Justice Criminal Resource Manual (Section 9-48.000, Computer Fraud and Abuse Act), is the use of unauthorized access to computers or threats to damage, disrupt, or withhold access to computer systems or data to demand money or something of value. 

 

How does ransomware affect HIPAA-regulated organizations?

Ransomware incidents can lead to impermissible disclosures of protected health information (PHI), causing HIPAA violations, regulatory investigations, and potential penalties.
