Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks

Federal prosecutors have charged three cybersecurity professionals who allegedly exploited their positions to carry out a series of ransomware attacks against at least five U.S. companies in 2023. The accused — Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator — reportedly used ALPHV, also known as BlackCat ransomware, to target several organizations while still employed in incident response and ransomware negotiation roles. Goldberg was a director of incident response at Sygnia Cybersecurity Services, and Martin was a ransomware negotiator at DigitalMint. The third conspirator, also linked to DigitalMint, allegedly obtained an affiliate account on the ALPHV ransomware platform. Prosecutors say the conspiracy stretched from May 2023 through April 2025. The victims included a Florida-based medical company, a Maryland pharmaceutical firm, a California doctor’s office, a California engineering company, and a drone manufacturer in Virginia. While the trio successfully extorted nearly $1.3 million from the medical company in May 2023, attempts to rake in payments from the other victims reportedly failed. Sygnia confirmed Goldberg’s former employment and said he was immediately terminated upon discovery of the allegations. DigitalMint also acknowledged that a former employee was indicted for organizing ransomware attacks but noted that the criminal acts took place outside the company’s systems and that no client data was compromised. Neither company detailed how or when they learned of the employees’ misconduct. ALPHV/BlackCat ransomware has been notorious since its emergence in late 2021, associated with numerous attacks, particularly within the healthcare sector. The ransomware group claimed responsibility for the 2022 attack on Change Healthcare, a UnitedHealth Group subsidiary, which resulted in a $22 million ransom payout and exposed data of around 190 million people. The recent indictments, unsealed in the U.S. District Court for the Southern District of Florida, accuse Goldberg and Martin of conspiring to interfere with commerce by extortion and intentionally damaging protected computers. Goldberg was arrested on September 22 and remains in custody due to flight risk after allegedly fleeing to Europe in June 2023 and later being arrested in Mexico City. He reportedly confessed to the FBI that he was recruited by the unnamed co-conspirator to conduct ransomware attacks to pay off debt, receiving roughly $200,000 from the ransom paid by the medical company. Martin was arrested later in October, released on bail, pleaded not guilty, and is barred from working in cybersecurity pending trial. Both men face potential sentences of up to 50 years in federal prison. The case exposes a disturbing breach of trust within the cybersecurity community, where individuals tasked with defending companies from ransomware attacks instead exploited vulnerabilities for personal gain. It also raises concerns about insider threats in cybersecurity firms and the need for stronger oversight and monitoring mechanisms. As ransomware continues to evolve and target critical infrastructure and healthcare sectors, incidents like this highlight the complexity of combating cybercrime and the importance of rigorous employee vetting and continuous behavioral monitoring within security teams.