
Two cybersecurity professionals sentenced for BlackCat ransomware attacks

Ryan Goldberg and Kevin Martin used their defensive security expertise to deploy ransomware against clients, including a medical provider, then leaked patient data when the victim refused to pay.


What happened

Two American cybersecurity professionals have been sentenced to four years each in federal prison for their roles as affiliates in the ALPHV BlackCat ransomware-as-a-service operation. According to the Department of Justice, Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty in December 2025 to conspiracy to obstruct commerce by extortion. Between April and December 2023, both men used their professional knowledge of network defense to identify targets, deploy BlackCat ransomware payloads, and manage the extortion process. In one attack, they extorted approximately $1.2 million in Bitcoin from a single victim, splitting their 80% affiliate share and laundering the proceeds. A third co-defendant, Angelo Martino, pleaded guilty in April 2026 and is scheduled for sentencing on July 9.


Going deeper

Goldberg and Martin operated as affiliates within BlackCat's RaaS structure, paying a 20% cut of extorted funds to the platform's administrators in exchange for access to its malware and extortion infrastructure. According to Cyberpress, when a doctor's office hesitated to pay after being attacked, the pair leaked stolen patient data to increase pressure. Goldberg attempted to avoid capture by fleeing internationally after law enforcement closed in, leading the FBI to track him across ten countries before securing his arrest. Both men then pleaded guilty after being brought into US custody. The prosecution is part of a broader campaign against the BlackCat syndicate, which targeted more than 1,000 victims worldwide before the DOJ disrupted its core infrastructure in December 2023, when the FBI developed and distributed a decryption tool to hundreds of affected organizations, saving victims an estimated $99 million in ransom payments.


What was said

The DOJ press release stated that Goldberg and Martin "weaponized their defensive skills for malicious financial gain," noting their professional cybersecurity backgrounds made the attacks particularly severe. The DOJ described the sentences as part of a sustained enforcement campaign targeting not just ransomware developers but the affiliates who carry out attacks and the intermediaries who support them.


In the know

The Goldberg and Martin sentences occurred on the same day as the 8.5-year sentence handed to Karakurt negotiator Deniss Zolotarjovs, and all three cases share a common thread: professionals operating inside the cybersecurity and incident response ecosystem who crossed into active participation in ransomware attacks. According to BleepingComputer, the DOJ has signaled it is actively examining additional cases of alleged fraud within cybersecurity incident response firms, with more charges expected in the coming months. The three simultaneous prosecutions represent the most concentrated single-day enforcement action against ransomware-adjacent professionals in the DOJ's recent history.


The big picture

The Goldberg and Martin case adds another dimension to the insider threat facing healthcare organizations. A medical provider was attacked, its patient data was stolen, and when it declined to pay, that data was leaked by two people whose professional training was built on protecting exactly that kind of information. Healthcare organizations that engage cybersecurity consultants, incident response firms, and managed security providers extend significant trust to those vendors, including access to networks, systems, and patient data. The DOJ's willingness to prosecute ransomware affiliates who hold professional cybersecurity credentials signals that background and credentials provide no guarantee of trustworthiness. The SAG-AFTRA Health Plan settlement earlier this week and the Angelo Martino plea from April 2026 together form a pattern: the people closest to an organization's data, whether as employees, health plan administrators, or security professionals, represent a risk category that technical controls alone cannot address.


FAQs

What is a RaaS affiliate, and how do they differ from the ransomware developers?

RaaS developers build and maintain the malware and extortion platform, then lease access to affiliates who conduct the actual attacks. Affiliates identify targets, deploy the ransomware, manage victim negotiations, and pay the developers a percentage of each ransom collected. The developer earns passive income while affiliates bear the operational risk of carrying out attacks.


Why did leaking patient data make the attack worse legally?

Leaking stolen data after a victim refuses to pay shifts the harm from a threat to an actual disclosure of protected health information. For healthcare targets, that disclosure triggers HIPAA breach notification obligations, regulatory scrutiny, and potential civil liability, compounding the damage beyond the original ransom demand.


How did the FBI track Goldberg across ten countries?

The FBI used a combination of cryptocurrency tracing, communication intercepts, and international law enforcement cooperation to follow Goldberg's movements. Ransomware payments made in Bitcoin leave a traceable ledger trail that investigators can follow across wallets and exchanges, and coordination through Interpol and bilateral agreements allows the FBI to pursue suspects across jurisdictions.


What does the $99 million in saved ransoms from the BlackCat disruption represent?

When the DOJ disrupted BlackCat's infrastructure in December 2023, the FBI developed a decryption tool and distributed it to hundreds of affected organizations, allowing them to restore systems without paying. The $99 million figure represents the total ransoms those organizations would otherwise have paid, making it one of the largest documented law enforcement interventions measured by ransomware financial impact.


How should healthcare organizations vet cybersecurity vendors given this pattern of insider prosecutions?

Vendor contracts should include background check requirements, scope-of-access limitations, and audit rights. Security professionals given access to patient systems should operate under the principle of least privilege, with access logged and reviewed. Organizations should also confirm that any incident response firm holds appropriate professional liability coverage and has documented internal controls against conflicts of interest.