Threat Intelligence | December 22, 2025 | 5 min read

Former Incident Responders Plead Guilty to Running ALPHV Ransomware Attacks

A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.

Alex Kowalski

Two former cybersecurity professionals pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at companies specifically hired to help organizations respond to ransomware incidents. Ryan Clifford Goldberg, a former incident response manager at Sygnia, and Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, admitted to deploying ALPHV/BlackCat ransomware to extort victims.

TL;DR

  • What happened: Two cybersecurity professionals ran ALPHV/BlackCat ransomware attacks while employed at IR and negotiation firms
  • Who's affected: Organizations that trusted incident response and negotiation services; broader security industry reputation
  • Severity: Critical - insider threat at the highest level of trust in incident response
  • Action required: Organizations should review vetting procedures for IR partners and implement separation of duties

What Did They Do?

According to court documents, Goldberg and Martin collaborated with an unnamed co-conspirator to compromise victim networks and deploy ALPHV (also known as BlackCat) ransomware to extort payments. The attacks occurred in 2023 while both men held positions at prominent cybersecurity firms.

Goldberg served as a manager of incident response at Sygnia, an Israeli-founded cybersecurity company known for high-end threat hunting and IR services. His role would have given him intimate knowledge of defensive techniques, victim vulnerabilities, and how organizations respond to breaches.

Martin worked as a ransomware negotiator at DigitalMint, a company that helps victims communicate with ransomware operators and, when necessary, facilitate cryptocurrency payments. Negotiators gain direct insight into attacker TTPs, victim desperation levels, and payment patterns.

The combination of their expertise—one knowing how victims detect and respond, the other knowing how they pay—created an unusually informed threat actor.

The ALPHV/BlackCat Ransomware Operation

ALPHV (BlackCat) operated as a ransomware-as-a-service (RaaS) platform, providing affiliates with malware, infrastructure, and negotiation support in exchange for a percentage of ransom payments. The operation was notable for several technical innovations:

  • Written in Rust, making it faster and harder to analyze than ransomware written in older languages
  • Cross-platform capability targeting Windows, Linux, and VMware ESXi
  • Aggressive triple-extortion tactics: encryption, data theft, and DDoS threats
  • A searchable victim data leak site that allowed anyone to search stolen databases

ALPHV infrastructure was disrupted by an FBI operation in December 2023, but the group resurfaced and continued operations into 2024 before apparently shutting down following the Change Healthcare attack.

Why This Case Matters

The cybersecurity industry operates on trust. Organizations bring in incident responders during their most vulnerable moments—when they've been breached, when data may be stolen, when operations are disrupted. They grant these responders extraordinary access: domain admin credentials, security tool consoles, network diagrams, and sensitive communications.

Negotiators occupy an even more conflicted space. They communicate directly with threat actors, often learning details about attacks before victims fully understand what happened. A negotiator running attacks would have real-time intelligence about which victims are likely to pay and how much.

This case raises uncomfortable questions:

Vetting: How do organizations verify that the people they're trusting during a crisis aren't themselves threats? Background checks may not reveal someone who hasn't yet committed crimes.

Conflict of interest: The incident response and negotiation business model creates inherent tensions. Firms benefit when attacks happen. Some critics have long questioned whether this creates perverse incentives.

Access controls: Even trusted responders shouldn't have unlimited access. Organizations often grant more access than necessary in crisis situations.

Industry Reaction

The security community has largely responded with a mix of anger and concern. Sygnia and DigitalMint have not commented publicly on the case beyond confirming the defendants' former employment.

The incident has prompted calls for better credentialing and oversight of incident response firms. Currently, there's no mandatory licensing or regulatory framework for cybersecurity service providers in most jurisdictions—anyone can hang out a shingle and offer IR services.

Recommended Actions for Organizations

  1. Verify IR partner credentials - Check references, review past engagements, and look for established track records before granting crisis access
  2. Limit access scope - Even during incidents, apply least-privilege principles; don't grant domain admin access unless absolutely necessary
  3. Monitor responder activity - Log and review what external responders do on your systems
  4. Separate negotiation from IR - Consider using different firms for technical response and ransom negotiation to reduce single points of trust
  5. Conduct background checks - Verify employment history and check for any prior legal issues
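As an added illustration of items 2 and 3 above (scope-limited access and reviewing what external responders actually do), and not code from the article or from either firm it names: a small Python review that checks a responder account's audit events against the engagement's agreed hosts, time window and a short list of high-risk actions. The log format, the account name, the hostnames and the engagement record are all constructed for this example.

```python
# Added example: review an external responder's audit trail against the
# engagement scope. Log format, account, hosts and events are constructed.
import json
from datetime import datetime

# Constructed engagement scope: what the IR partner was authorised to touch.
ENGAGEMENT = {
    "account": "ir-vendor-jsmith",
    "hosts": {"fs01", "dc01"},
    "start": "2025-12-01T08:00:00Z",
    "end": "2025-12-03T18:00:00Z",
}

# Actions that should be tied to a ticketed change even when in scope.
HIGH_RISK_ACTIONS = {"add_group_member", "disable_av", "create_sched_task"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-12-01T09:15:00Z","user":"ir-vendor-jsmith","host":"fs01","action":"read_file","target":"/var/log/app.log"}
{"ts":"2025-12-02T11:40:00Z","user":"ir-vendor-jsmith","host":"hr-db01","action":"read_file","target":"payroll.db"}
{"ts":"2025-12-02T12:05:00Z","user":"ir-vendor-jsmith","host":"dc01","action":"add_group_member","target":"Domain Admins"}
{"ts":"2025-12-05T02:30:00Z","user":"ir-vendor-jsmith","host":"fs01","action":"logon","target":"interactive"}
{"ts":"2025-12-02T13:00:00Z","user":"alice","host":"fs01","action":"read_file","target":"report.docx"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_responder_activity(log_text, engagement):
    """Return (finding, ts, host, action) tuples for the responder account's
    events that fall outside the agreed window or hosts, or are high-risk."""
    start, end = _parse_ts(engagement["start"]), _parse_ts(engagement["end"])
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["user"] != engagement["account"]:
            continue  # other users are covered by the normal review process
        ts = _parse_ts(ev["ts"])
        if not start <= ts <= end:
            findings.append(("outside_window", ev["ts"], ev["host"], ev["action"]))
        if ev["host"] not in engagement["hosts"]:
            findings.append(("out_of_scope_host", ev["ts"], ev["host"], ev["action"]))
        if ev["action"] in HIGH_RISK_ACTIONS:
            findings.append(("high_risk_action", ev["ts"], ev["host"], ev["action"]))
    return findings
```

Run against the sample log it flags the out-of-scope host, the group membership change on the domain controller and the logon after the engagement ended; the in-scope file read and the unrelated user produce nothing.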

Legal Consequences

Both defendants pleaded guilty to federal charges. Sentencing details and potential prison terms have not yet been announced. The unnamed co-conspirator mentioned in court documents hasn't been publicly identified or charged.

Frequently Asked Questions

Should I stop using incident response firms?

No. Reputable IR firms provide critical expertise that most organizations lack internally. This case involves two individuals, not systemic problems across the industry. But it does highlight the importance of vetting partners.

How do I know if my organization was a victim of these specific individuals?

Court documents haven't disclosed victim names. If you engaged Sygnia for IR services or DigitalMint for negotiation in 2023, you may want to contact those firms or consult with legal counsel.

Could these individuals have accessed information from clients they were helping?

That's one of the most concerning implications. Professionals in these roles have access to sensitive incident details. Whether any client information was misused beyond the charged attacks isn't addressed in public court documents.
