Two American cybersecurity professionals who spent their days responding to ransomware attacks have admitted to conducting them. Ryan Goldberg, 40, of Georgia — an incident response manager at cybersecurity firm Sygnia — and Kevin Martin, 36, of Texas — a ransomware recovery negotiator at DigitalMint — both pleaded guilty in federal court to conspiracy charges for operating as affiliates of the ALPHV/BlackCat ransomware group, attacking five US companies including three healthcare organizations.
The case is one of the most striking examples of the insider threat problem in cybersecurity services. Both men were employed, trusted professionals whose jobs explicitly involved helping organizations recover from ransomware — while simultaneously running ransomware attacks on different victims.
The Attack Window
Between April 2023 and December 2023, Goldberg, Martin, and an unnamed third co-conspirator — also employed at DigitalMint — conducted attacks using the ALPHV/BlackCat ransomware-as-a-service platform. The three men paid the BlackCat administrators a 20% cut of any ransom collected in exchange for access to the ransomware infrastructure and extortion platform.
Five US companies were targeted, three of them in the healthcare sector. Healthcare remains among the most targeted industries by ransomware groups, in part because the urgency of patient care creates strong pressure to pay quickly — an operational leverage attackers have exploited consistently since the pandemic era.
Both Goldberg and Martin entered guilty pleas on December 18 in the US District Court for the Southern District of Florida to conspiracy to obstruct, delay, or affect commerce by extortion — a federal charge that carries a maximum sentence of 20 years’ imprisonment, three years of supervised release, and a fine of up to $250,000 or twice the gross gain or loss from the offense. Sentencing was set for March 12, 2026.
The Access Problem at Cybersecurity Firms
What makes this case institutionally uncomfortable is not just the hypocrisy — it is what it reveals about access controls inside cybersecurity service firms.
Sygnia is an Israeli-founded incident response firm acquired by Temasek and known for its work on high-profile nation-state intrusions. An incident response manager at a firm like Sygnia would have legitimate access to sensitive client environments, forensic tools, and potentially threat intelligence infrastructure. The role sits at the intersection of trusted access and technical capability — precisely the combination ransomware operators need.
DigitalMint is a digital asset recovery firm whose entire business model centers on ransomware situations: helping victims evaluate demands, negotiate payments, and recover data. A ransomware negotiator there would have deep familiarity with how ransomware groups operate, how negotiations proceed, and how victims respond. That knowledge cuts both ways.
Neither firm has detailed what controls, if any, were in place to detect unusual activity from their employees. The case raises questions the wider industry should be asking: do cybersecurity service providers screen their own employees for connections to threat actor infrastructure? Do they monitor for behavioral anomalies the way they advise clients to?
BlackCat’s Affiliate Model and the Takedown
ALPHV/BlackCat operated as a ransomware-as-a-service (RaaS) platform — one of the most sophisticated in operation during the 2023–2024 period. The group provided affiliates like Goldberg and Martin with the ransomware binary, the extortion platform, and negotiation infrastructure, taking a percentage cut in return. This model allowed the core developers to remain insulated from direct operational exposure while scaling attacks through a distributed affiliate network.
The FBI and international partners disrupted ALPHV/BlackCat’s infrastructure in December 2023 — the same month Goldberg and Martin entered their guilty pleas. The takedown involved seizing BlackCat’s dark web leak site and developing a decryption tool that was provided to over 500 victims globally. BlackCat attempted to rebrand and re-launch after the seizure, but its organizational coherence was significantly degraded.
The timing of the guilty pleas — coinciding almost exactly with the FBI takedown — may reflect cooperation: defendants with advance knowledge of law enforcement action sometimes arrange to enter pleas before or during operations to receive more favorable treatment.
Healthcare Targets and the Stakes
The inclusion of three healthcare organizations among the victims is the detail that most significantly affects how courts and the public view these cases. Healthcare ransomware attacks have killed people — indirectly, through delayed care, diverted ambulances, and inaccessible medical records. The legal system has begun treating healthcare ransomware as categorically more serious than other extortion.
The DOJ has not named the five victim organizations. If any of the three healthcare targets were hospital systems, prosecutors will likely cite patient impact as an aggravating factor at sentencing.
An Industry Reckoning
The Goldberg-Martin case is not the first involving cybersecurity insiders and ransomware, but it is among the most visible. The cybersecurity workforce is small, highly skilled, and operates in close proximity to the tools, access, and knowledge that criminal groups need. Vetting is inconsistent. Background checks in technical roles often focus on criminal history rather than behavioral indicators.
For clients of incident response firms and ransomware recovery specialists, the case is an uncomfortable reminder that the people they call when breached have the same technical capabilities as the people who breached them. The difference, most of the time, is incentive alignment. When that alignment breaks — as it did here — the results are exactly what you’d expect from someone who knows how both sides of a ransomware negotiation actually work.
Sources
- DOJ — Two Americans Plead Guilty to Targeting Multiple US Victims Using ALPHV BlackCat
- The Record — Ransomware responders plead guilty to using ALPHV
- SecurityAffairs — Two US cybersecurity professionals plead guilty in BlackCat/Alphv case
- BankInfoSecurity — 2 Cyber Pros Admit to Being BlackCat Ransomware Affiliates
- CyberSecurityNews — US Cybersecurity Pros Plead Guilty as ALPHV/BlackCat Affiliates



