Cybersecurity experts charged with running BlackCat ransomware operation


Three cybersecurity professionals who specialized in helping companies respond to ransomware attacks have been charged with secretly running their own ransomware operation, deploying ALPHV BlackCat malware against at least five US enterprises between May and November 2023.

Ryan Clifford Goldberg, 33, a former incident response manager at Sygnia Cybersecurity Services, and Kevin Tyler Martin, 28, a ransomware negotiator at Chicago-based DigitalMint, were named in an indictment filed in the US District Court for the Southern District of Florida on October 2. A third conspirator remained unnamed in charging documents but allegedly obtained the ALPHV affiliate account used in the attacks.

The court document, however, did not name the organizations the defendants worked for.

The case was first reported by the Chicago Sun-Times.

According to the filing, the defendants were part of a network that broke into victim networks, exfiltrated data, and deployed the BlackCat ransomware to encrypt files. “The defendants and their co-conspirator executed a scheme to unlawfully obtain money from victims by means of extortion,” the indictment stated. The attackers allegedly demanded cryptocurrency payments in exchange for decryption keys and assurances that stolen data would not be published on leak sites operated by the ransomware group.

The mechanics of a professional extortion business

The ALPHV operation, prosecutors wrote, functioned as a ransomware-as-a-service (RaaS) business, a model in which developers provided malware and infrastructure while affiliates executed attacks. “The ALPHV/BlackCat ransomware was a variant of malicious software designed to encrypt data and steal information from victim networks,” prosecutors said in the filing. Affiliates like Goldberg and Martin allegedly “identified victims, gained unauthorized access to their systems, and deployed the ransomware.”

An FBI affidavit filed in September offered additional insight into how the group operated. It named only Ryan Goldberg, referring to the other two as co-conspirators 1 and 2. The document described all three as negotiators who managed contact with victims through encrypted chat channels on the dark web. They allegedly used aliases, multi-hop cryptocurrency transfers, and privacy coins like Monero to obscure the flow of ransom funds. The FBI called the group’s structure a “professionalized criminal marketplace,” in which developers, brokers, and negotiators each played a distinct role.

The affidavit also detailed how the defendants tracked negotiations using spreadsheets that recorded ransom amounts, payments received, and wallet addresses. “The conspirators maintained meticulous records of their transactions and communications,” the FBI said, noting that such documentation helped agents trace funds and link them to the defendants.

The victims and the demands

The indictment cited at least five victim organizations: a Florida medical-device company, a Maryland pharmaceutical manufacturer, a California doctor’s office, a California engineering firm, and a Virginia-based drone company. On May 13, 2023, the conspirators allegedly attacked the Florida firm, demanding $10 million and receiving roughly $1.27 million in cryptocurrency. Two months later, they hit the California medical practice, seeking $5 million, followed by attacks in October and November 2023 that targeted engineering and drone companies, respectively.

According to investigators, the group often returned to previously compromised networks to increase pressure on victims or demand additional payments.

In October 2024, the personal health information of 100 million individuals was stolen during a ransomware attack on Change Healthcare, a unit of UnitedHealth, and a ransom of $22 million was paid. That attack was attributed to the ALPHV/BlackCat ransomware group.

However, CSO could not independently verify if the current indictment and the UnitedHealth ransomware attack are related.

The legal charges and investigation

Goldberg, Martin, and the unnamed co-conspirator were charged with conspiracy to interfere with commerce by extortion and intentional damage to protected computers, according to the court filing.

Each extortion charge carried up to 20 years in prison, while the computer-damage count carried up to 10 years. Prosecutors also sought forfeiture of any assets derived from the attacks, including cryptocurrency wallets.

“The ransom funds were moved through various wallet addresses, making tracing efforts complex,” the FBI wrote, adding that cooperation with overseas exchanges and law enforcement agencies was key to tracking the money flow.

Corporate responses raise insider threat questions

Sygnia confirmed Goldberg’s employment and stated he was “terminated immediately upon learning of the situation.” The company said it is not a target of the investigation, but “We are continuing to work closely with the Federal Bureau of Investigation. We cannot provide further comment on the ongoing federal investigation.”

DigitalMint did not respond to a request for comment.

The case highlights insider threat risks within the cybersecurity services industry itself. Both defendants held positions requiring deep knowledge of ransomware operations and incident response. Martin’s role as a ransomware negotiator would have provided insight into victim psychology, payment processes, and cryptocurrency transactions. Goldberg’s incident response background meant understanding how organizations detect and respond to breaches.

ALPHV BlackCat emerged in late 2021 and became one of the most prolific ransomware operations globally, attacking “hundreds of institutions around the world,” including medical facilities, school districts, law firms, and financial firms, according to the indictment.
