Insider Threat Shocker: Cybersecurity Pros Indicted for Wielding ALPHV/BlackCat Ransomware

Federal Grand Jury Indicts Incident Response Manager and Ransomware Negotiator for Extorting U.S. Companies with ALPHV/BlackCat Ransomware

HIGH | November 3, 2025 | 4 min read

Ransomware · Threat Actor · Incident Response

Related Entities

  • Ryan Clifford Goldberg
  • Kevin Tyler Martin
  • ALPHV / BlackCat
  • Sygnia
  • DigitalMint

Full Report

Executive Summary

A federal grand jury has indicted two cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, on charges of conspiracy and extortion for allegedly using the ALPHV/BlackCat ransomware to attack U.S. businesses. At the time of the attacks, Goldberg was an incident response manager at cybersecurity firm Sygnia, and Martin was a ransomware negotiator at crypto broker DigitalMint. The indictment alleges they, along with an unnamed co-conspirator, targeted at least five companies and successfully extorted nearly $1.3 million from a Florida-based medical company. This case represents a profound betrayal of trust and exposes a dangerous form of insider threat, where individuals tasked with defending against cyberattacks become the perpetrators. Both men face up to 50 years in prison if convicted.


Incident Timeline

  • May 2023 - April 2025: The period during which the alleged conspiracy took place.
  • May 2023: The conspirators successfully extort nearly $1.3 million from a Florida-based medical company using ALPHV/BlackCat ransomware. Goldberg allegedly receives a $200,000 share.
  • June 17, 2025: During an interview with the FBI, Ryan Clifford Goldberg allegedly confesses to his involvement in the scheme.
  • October 2, 2025: A federal grand jury indicts Goldberg and Martin.
  • October 14, 2025: Kevin Tyler Martin is arrested and later freed on bond.

Response Actions

Both employers took swift action upon learning of the allegations. Sygnia stated that it terminated Goldberg's employment 'immediately upon learning of the situation.' DigitalMint confirmed that the co-conspirator was no longer with the company and that the criminal conduct occurred outside its corporate infrastructure, with no client data being compromised. Kevin Tyler Martin has been prohibited from working in the cybersecurity field as a condition of his release pending trial.

Technical Findings

The conspirators allegedly leveraged their insider knowledge of the ransomware ecosystem. An unnamed co-conspirator, who worked at DigitalMint with Martin, reportedly obtained an affiliate account with the ALPHV/BlackCat ransomware-as-a-service (RaaS) operation. This gave them access to the malware and infrastructure needed to launch attacks. They targeted a range of industries, including healthcare, pharmaceuticals, engineering, and manufacturing, demonstrating a clear intent to profit from their crimes. The use of their professional expertise to select victims and potentially handle negotiations represents a sophisticated abuse of their trusted positions.

Impact Assessment

The primary impact was on the victim organizations, one of which suffered a financial loss of nearly $1.3 million, in addition to operational disruption and recovery costs. However, the broader impact is the significant reputational damage to the cybersecurity incident response industry. This case undermines the trust that victim organizations place in third-party responders and negotiators. It raises critical questions about vetting, oversight, and ethical standards for professionals in sensitive cybersecurity roles. For the employers, Sygnia and DigitalMint, the incident causes immense reputational harm, despite their quick response to terminate the employees.

Lessons Learned

  • Insider Threat is a Critical Risk: Even in the cybersecurity industry, trusted insiders with privileged knowledge can pose a significant threat. This goes beyond traditional employees to include contractors and partners.
  • Vetting is Crucial: Rigorous background checks and continuous vetting for individuals in high-trust roles, such as incident response and ransom negotiation, are paramount.
  • Need for Oversight: Companies must implement strong internal controls, separation of duties, and auditing to monitor the activities of employees in sensitive positions. This includes monitoring for conflicts of interest and unauthorized use of company resources or access.

Mitigation Recommendations

  1. Enhanced Employee Screening: Implement comprehensive pre-employment and recurring background checks for all personnel in sensitive roles. This should include checks for criminal history, financial distress, and other potential motivators for criminal activity. This aligns with the principles of M1018 - User Account Management.
  2. Robust Code of Conduct and Ethics Training: Enforce a strict code of conduct and provide regular, mandatory ethics training that specifically addresses the misuse of skills, tools, and information. This relates to M1017 - User Training.
  3. Implement 'Two-Person' Rule: For highly sensitive operations like ransom negotiations or critical incident response actions, require the involvement of at least two authorized individuals to ensure oversight and prevent unilateral malicious actions.
  4. Auditing and Monitoring: Implement and regularly review audit logs for access to sensitive client information, negotiation platforms, and cryptocurrency wallets. Use D3-LAM: Local Account Monitoring to detect anomalous behavior by privileged users.

Timeline of Events

  1. May 1, 2023: The conspiracy allegedly begins. A Florida medical company is attacked and pays a nearly $1.3 million ransom.
  2. June 17, 2025: Ryan Clifford Goldberg allegedly confesses his involvement to the FBI.
  3. October 2, 2025: A federal grand jury formally indicts Goldberg and Kevin Tyler Martin.
  4. October 14, 2025: Kevin Tyler Martin is arrested.
  5. November 3, 2025: This article was published.

MITRE ATT&CK Mitigations

M1018 - User Account Management (enterprise)

Implement strict controls and oversight for all user accounts, especially those with privileged access to client data and negotiation tools.

M1017 - User Training (enterprise)

Implement rigorous and continuous ethics training for all employees, reinforcing the legal and professional consequences of misusing skills and access.

M1047 - Audit (enterprise)

Conduct regular, in-depth audits of all activities performed by incident responders and negotiators to detect anomalies and conflicts of interest.

D3FEND Defensive Countermeasures

Implement robust monitoring of all accounts within the incident response firm, particularly those with access to client environments, ransomware negotiation platforms, and cryptocurrency wallets. This involves not just logging access but analyzing behavior. Establish baselines for normal activity for each responder and negotiator. Alert on deviations, such as accessing client data outside of an active engagement, communication with known malicious infrastructure, or unusual patterns of cryptocurrency movement. This continuous monitoring serves as a detective control to identify potential insider threats before they escalate, as was alleged in the Goldberg and Martin case.

Enforce strict separation of duties and the principle of least privilege within the incident response organization. For example, the individuals responsible for technical remediation should not be the same individuals handling ransom negotiations or cryptocurrency payments. Access to client systems should be time-bound to the duration of an engagement and automatically revoked afterward. By segmenting roles and permissions, a single malicious insider cannot control the entire attack lifecycle from deployment to extortion, as was allegedly done in this case. This preventative control limits the potential for abuse of trusted positions.
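As an added illustration of the two controls above (example code written for this article, not code from the report, Sygnia or DigitalMint), the following Python checks constructed engagement records and access-log entries for two of the deviations described: access to a client outside any active engagement window, and one person holding both the remediation and the negotiation role on the same client. All responder names, client names and timestamps are constructed.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the report). An engagement grants one
# responder one role on one client for a bounded window; the access log is
# what the account-monitoring pipeline sees.
ENGAGEMENTS = [
    # responder, client, role, start, end
    ("alice", "acme-medical", "remediation", "2025-03-01T00:00:00Z", "2025-03-15T00:00:00Z"),
    ("bob",   "acme-medical", "negotiation", "2025-03-01T00:00:00Z", "2025-03-15T00:00:00Z"),
    ("carol", "beta-pharma",  "remediation", "2025-04-01T00:00:00Z", "2025-04-10T00:00:00Z"),
    ("carol", "beta-pharma",  "negotiation", "2025-04-01T00:00:00Z", "2025-04-10T00:00:00Z"),
]

ACCESS_LOG = [
    # timestamp, responder, client, resource
    ("2025-03-05T10:12:00Z", "alice", "acme-medical",      "client-data"),         # inside window
    ("2025-03-20T23:40:00Z", "alice", "acme-medical",      "client-data"),         # after window ended
    ("2025-03-07T09:00:00Z", "bob",   "gamma-engineering", "negotiation-portal"),  # no engagement at all
    ("2025-04-03T14:00:00Z", "carol", "beta-pharma",       "crypto-wallet"),       # inside window
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def out_of_engagement_access(log=ACCESS_LOG, engagements=ENGAGEMENTS):
    """Return log entries where the responder had no active engagement with that
    client at the time of access: the baseline deviation D3-LAM should alert on."""
    findings = []
    for ts, who, client, resource in log:
        t = _ts(ts)
        covered = any(who == r and client == c and _ts(s) <= t <= _ts(e)
                      for r, c, _role, s, e in engagements)
        if not covered:
            findings.append((who, client, resource, ts))
    return findings

def separation_of_duties_conflicts(engagements=ENGAGEMENTS):
    """Return (responder, client) pairs where one person holds both the
    remediation and the negotiation role, which the control should forbid."""
    roles = {}
    for who, client, role, _s, _e in engagements:
        roles.setdefault((who, client), set()).add(role)
    return sorted(k for k, v in roles.items() if {"remediation", "negotiation"} <= v)

if __name__ == "__main__":
    for f in out_of_engagement_access():
        print("ALERT out-of-engagement access:", f)
    for c in separation_of_duties_conflicts():
        print("ALERT separation-of-duties conflict:", c)
```

In practice the engagement table would be fed from the case-management system and the access log from the identity provider or negotiation platform, with the same two checks run continuously rather than over a static list.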

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

Insider Threat · ALPHV · BlackCat · Ransomware · Indictment · Incident Response · Cybersecurity Ethics
