Security experts themselves carried out ransomware attacks

Millions earned through BlackCat/ALPHV

Two American cybersecurity employees have pleaded guilty to attacks using the BlackCat/ALPHV ransomware. Ryan Goldberg and Kevin Martin earned millions by extorting organizations, including a medical company that paid $1.2 million in ransom. They each face up to 20 years in prison.

The men worked as incident response managers and ransomware negotiators at cybersecurity companies. Goldberg worked as an incident response supervisor at Sygnia Consulting, while Martin was a ransomware negotiator for DigitalMint. According to the US Department of Justice (DoJ), they used their expertise to carry out attacks instead of combating them. Between April and December 2023, they pressured multiple victims.

Goldberg and Martin made a deal with the administrators of the BlackCat/ALPHV ransomware. They paid 20 percent of each ransom amount to the ransomware group. In exchange, they gained access to the criminal organization’s malware and extortion platform. They split the remaining 80 percent with a third suspect, who has not been named.

From $1.2 million to money laundering

One victim, a medical company, paid approximately $1.2 million in Bitcoin. The three suspects divided their share of $960,000 among themselves and laundered the money using various methods. The DoJ points out that the “special skills and experience” of the security employees came in handy in attacking their victims.

BlackCat operated according to the ransomware-as-a-service model. In this model, criminals develop the ransomware and keep the infrastructure running. Affiliates carry out the attacks and distribute the malware. The group previously threatened to leak 80 GB of Reddit data and attacked point-of-sale supplier NCR, causing outages.

FBI developed decryption tool

In December 2023, the FBI developed a decryption tool that helped hundreds of victims restore their systems. This tool saved victims an estimated $99 million in ransom payments. At the same time, the FBI seized several BlackCat websites.

BlackCat/ALPHV claimed more than a thousand victims worldwide, according to US authorities. The group announced in March 2024 that it would stop after the attack on Change Healthcare, which affected more than 100 million people. Apparently, the group violated a moral code among ransomware attackers, or at least among the potential affiliates of this collective.

The court will hear the case on March 12, 2026. A federal judge will then determine the final sentence for Goldberg and Martin. Since 2020, the US Computer Crime and Intellectual Property Section (CCIPS) has convicted more than 180 cybercriminals and obtained court orders for $350 million in restitution.