Two former employees of well-known cybersecurity incident response firms Sygnia and DigitalMint have pleaded guilty to participating in BlackCat (ALPHV) ransomware attacks that targeted US companies throughout 2023.
Ryan Clifford Goldberg, 33, of Watkinsville, Georgia, and Kevin Tyler Martin, 28, of Roanoke, Texas, have pleaded guilty to conspiracy to obstruct commerce by extortion for their involvement in BlackCat ransomware attacks carried out between May and November 2023.
Goldberg, a former incident response manager at Sygnia, and Martin, a former ransomware threat negotiator at DigitalMint, acted as affiliates of the BlackCat ransomware-as-a-service (RaaS) operation. The two defendants worked alongside a third, unnamed co-conspirator to gain unauthorized access to victim networks, deploy ransomware, encrypt systems, and issue extortion demands.
In exchange for access to BlackCat’s ransomware tools and infrastructure, the defendants paid the group approximately 20% of any ransom proceeds. The pair were charged in November and are scheduled to be sentenced on March 12, 2026, each facing a maximum penalty of 20 years in prison.
BlackCat, also known as ALPHV, is one of the most prolific ransomware groups in recent years, operating under a RaaS model that allows affiliates to conduct attacks using shared malware and extortion platforms. Throughout 2023, BlackCat was responsible for high-impact attacks across multiple sectors, including healthcare, pharmaceuticals, and medical technology.
In December 2023, US law enforcement disrupted BlackCat’s operations after the FBI breached the group’s servers, monitored internal activity, and obtained decryption keys. Despite these efforts, investigations into BlackCat affiliates continued into 2024, including scrutiny of individuals with prior roles in cybersecurity and ransomware negotiation firms.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva in a recent Department of Justice press release.
Special Agent in Charge Brett Skiles of the FBI Miami Field Office added, “Malware like ALPHV (BlackCat) ransomware is used by bad actors to steal, extort, and launder proceeds from victim businesses and organizations.”
Skiles further stated, “We strongly encourage businesses to exercise due diligence when engaging third parties for ransomware incident response, report suspicious or unethical behavior, and to expeditiously report any ransomware attack to the FBI and our law enforcement partners to safeguard their security and privacy.”
RaaS operations, such as BlackCat, rely on affiliates to carry out attacks, while the core group maintains malware, payment infrastructure, and leak sites. Affiliates are often paid a percentage of ransom proceeds, incentivizing their attacks.
“In a virtual economy where people are anonymous and real trust is hard to come by, there are plenty of opportunists trying to make money from naïve cybercriminals,” explains a Computers and Security publication on the Ransomware-as-a-Service economy within the darknet.
The publication further states, “it is important to remember that ransomware prevails as a serious threat when committed by experienced cybercriminals, and the forums may be considered a recruitment ground for their organizations.”
When individuals with direct experience in incident response and ransom negotiations misuse their access and expertise, attacks can become more targeted, damaging, and difficult to defend against. Consequently, healthcare organizations, which remain prime ransomware targets, must maintain strict access controls, continuous monitoring, and secure communication practices to limit external and insider-driven threats.
An insider threat happens when individuals with trusted access or specialized knowledge misuse that position to compromise systems, steal data, or facilitate cyberattacks.
Cyber extortion, under Title 9 of the U.S. Department of Justice Criminal Resource Manual (Section 9-48.000, Computer Fraud and Abuse Act), is the use of unauthorized access to computers or threats to damage, disrupt, or withhold access to computer systems or data to demand money or something of value.
Ransomware incidents can lead to impermissible disclosures of protected health information (PHI), causing HIPAA violations, regulatory investigations, and potential penalties.