
Two US Cybersecurity Professionals Plead Guilty to BlackCat Ransomware Attacks: The Insider Threat That Shook the Industry
In a shocking case that highlights the growing insider threat, two cybersecurity professionals from leading incident response firms have pleaded guilty to conducting BlackCat ransomware attacks against American companies - using the very skills they were trusted to apply in defending victims.
Two American cybersecurity professionals have pleaded guilty to conducting ransomware attacks against multiple US companies using the notorious BlackCat/ALPHV ransomware. The case represents one of the most significant insider threat incidents in recent cybersecurity history.
The Defendants: Trusted Experts Turned Criminals
Ryan Clifford Goldberg, 40, of Georgia, served as an incident response manager at Sygnia, a prominent cybersecurity firm specializing in helping organizations recover from cyberattacks. Kevin Tyler Martin, 36, of Texas, worked as a ransomware threat negotiator at DigitalMint, a company that assists ransomware victims in negotiating with attackers.
Both men possessed specialized skills in securing computer systems - the exact same expertise they weaponized against their victims.
According to the Department of Justice, Goldberg and Martin, along with an unnamed co-conspirator also employed in the cybersecurity industry, successfully deployed BlackCat ransomware against multiple US-based organizations between April and December 2023.
"All three men worked in the cybersecurity industry - meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case," stated the DOJ press release.
The Attack Campaign
The trio operated as affiliates within the BlackCat ransomware-as-a-service ecosystem. Under this model, they agreed to pay the ALPHV/BlackCat administrators a 20% share of any ransoms collected in exchange for access to the ransomware and the group's extortion platform.
Between May and November 2023, the defendants targeted five US companies across multiple sectors with escalating ransom demands:
- A Florida-based medical device company: $10 million demanded, approximately $1.27 million paid
- A Maryland pharmaceutical firm: Unspecified amount demanded
- A California doctor's office: $5 million demanded
- A California engineering company: $1 million demanded
- A Virginia drone manufacturer: $300,000 demanded
Only the medical device company paid the ransom. The three conspirators split their 80% share of the $1.27 million payment and laundered the proceeds through cryptocurrency mixers and multiple wallets to obscure the funds' origins.
The Investigation and Arrest
The FBI's investigation revealed the extent of the operation through cryptocurrency tracing and digital forensics. According to an FBI affidavit filed in September 2025, the scheme ran until April 2025.
When Goldberg learned that the FBI had raided a co-conspirator's residence, he fled to Paris with his wife. He was subsequently apprehended and returned to the United States.
During his confession to the FBI, Goldberg claimed that debt drove him to join the criminal operation. He admitted being recruited by an unnamed co-conspirator to "ransom some companies" as a solution to his financial problems. He later expressed fear of life imprisonment upon realizing the severity of the charges.
DigitalMint responded swiftly to the allegations, denying any organizational misconduct, terminating both implicated employees, and cooperating fully with federal investigators.
Guilty Pleas and Sentencing
Both Goldberg and Martin pleaded guilty to conspiracy to commit extortion. Each defendant faces up to 20 years in federal prison, with sentencing scheduled for March 12, 2026.
The charges carry a maximum combined sentence of up to 50 years, reflecting the severity of using specialized cybersecurity expertise for criminal purposes.
"Ransomware is not just a foreign threat - it can come from inside our own borders," said US Attorney Jason A. Reding Quiñones for the Southern District of Florida. "Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion. Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account."
BlackCat: One of History's Most Destructive Ransomware Operations
BlackCat, also known as ALPHV, emerged in November 2021 and quickly became one of the most prolific ransomware operations in history. The group is believed to have evolved from previous ransomware operations including DarkSide, REvil, and BlackMatter, carrying forward experienced operators and refined techniques.
Key BlackCat statistics illustrate the operation's devastating impact:
- Over 1,000 victims compromised worldwide
- $395 million in total ransoms collected (highest of any group 2022-2024)
- $22 million ransom from Change Healthcare (largest healthcare breach in US history)
- $15 million ransom from Caesars Entertainment
- $100 million financial impact on MGM Resorts
- Attacks across healthcare, government, defense contractors, and critical infrastructure
The FBI disrupted BlackCat's infrastructure in December 2023, seizing websites and releasing decryption tools that saved victims approximately $99 million in potential ransom payments. However, the group continued operating under various guises until an apparent exit scam following the Change Healthcare payment in early 2024.
The US State Department currently offers up to $10 million for information leading to the identification of BlackCat leadership, plus an additional $5 million for tips on affiliates.
The Growing Insider Threat
This case highlights a disturbing trend in cybersecurity: the weaponization of insider knowledge. Professionals with legitimate defensive expertise represent an acute risk when they turn criminal.
The defendants possessed intimate knowledge of:
- How organizations detect and respond to ransomware
- Common security tool weaknesses and blind spots
- Negotiation tactics used by victims
- Cryptocurrency laundering techniques
- Legal and regulatory pressures that motivate ransom payments
"The FBI remains committed to working alongside its law enforcement partners to disrupt and dismantle criminal enterprises involved in ransomware attacks and to hold accountable not only the perpetrators but also anyone who knowingly enables or profits from them," said Special Agent in Charge Brett Skiles of the FBI Miami Field Office.
The case also raises uncomfortable questions for the cybersecurity industry about vetting, monitoring, and the potential for trusted insiders to exploit their positions.
Implications for the Industry
Security professionals and organizations should consider several lessons from this case:
Enhanced vetting for sensitive roles. Incident response and ransomware negotiation positions require access to highly sensitive information about victims' security postures, financial constraints, and decision-making processes.
Continuous monitoring of privileged users. Even trusted security professionals should be subject to behavioral monitoring, particularly when accessing sensitive client data.
Zero-trust principles apply internally. Organizations cannot assume that security expertise correlates with ethical behavior.
Cryptocurrency education. Understanding how ransomware proceeds are laundered helps organizations identify suspicious financial activities.
Reporting suspicious behavior. The FBI encourages businesses to exercise due diligence when engaging third parties for ransomware incident response and to report suspicious or unethical behavior immediately.
Conclusion
The guilty pleas of Ryan Goldberg and Kevin Martin represent a watershed moment in cybersecurity enforcement. For the first time, professionals from prominent incident response and negotiation firms have admitted to actively participating in the ransomware attacks they were ostensibly hired to combat.
As ransomware continues evolving into a professionalized criminal industry, the line between defenders and attackers has never been more critical to maintain. This case demonstrates that law enforcement can and will pursue cybercriminals regardless of their professional credentials or geographic location.
For organizations engaging cybersecurity services, the message is clear: trust must be verified, and even the experts require oversight.
Frequently Asked Questions
Ryan Goldberg (40, Georgia) was an incident response manager at cybersecurity firm Sygnia. Kevin Martin (36, Texas) was a ransomware threat negotiator at DigitalMint. Both pleaded guilty to conducting BlackCat ransomware attacks against US companies.
BlackCat (also called ALPHV) was one of the most prolific ransomware-as-a-service operations in history, compromising over 1,000 victims worldwide and collecting approximately $395 million in ransoms between 2022 and 2024. Notable victims included Change Healthcare, MGM Resorts, and Caesars Entertainment.