Ransomware Negotiators Get 4 Years for BlackCat Attacks

Two former cybersecurity professionals received four-year federal prison sentences today for deploying ALPHV BlackCat ransomware against U.S. organizations—while holding jobs as incident responders and ransom negotiators meant to help victims of those same attacks.

Ryan Clifford Goldberg, 40, of Georgia, and Kevin Tyler Martin, 36, of Texas, were sentenced in federal court after pleading guilty in December 2025 to conspiracy to obstruct commerce through extortion. A third co-conspirator, Angelo Martino, 41, of Florida, pleaded guilty in April 2026 and faces up to 20 years at his July 9 sentencing.

The Insider Threat Made Real

Goldberg worked as an incident response manager at Sygnia, a prominent cybersecurity firm. Martin served as a ransomware negotiator at DigitalMint. Both positions gave them unusual insight into how organizations detect, respond to, and ultimately pay ransomware demands.

Between April and December 2023, the three men operated as ALPHV BlackCat affiliates, paying the ransomware administrators 20% of their proceeds in exchange for access to the malware and extortion platform. They kept the remaining 80% and split it among themselves.

"These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them," U.S. Attorney Jason A. Reding Quinones stated in the Department of Justice announcement.

Five Known Victims Across Multiple Industries

Court documents identify at least five organizations the group targeted:

• A Maryland pharmaceutical company
• A Tampa medical device manufacturer (paid $1.27 million after an initial $10 million demand)
• A California engineering firm
• A Virginia drone manufacturer
• A California medical office

Ransom demands ranged from $300,000 to $10 million depending on the victim's perceived ability to pay. The Tampa medical device manufacturer's $1.27 million payment represents the largest confirmed payout from a single victim.

How They Operated

The scheme worked because Goldberg and Martin understood the victim experience from the inside. They knew what triggers prompt organizations to engage negotiators, what financial thresholds make sense for different industries, and how incident response timelines create pressure to pay quickly.

This isn't the first time insiders have weaponized their access for criminal gain, but the combination of technical knowledge and procedural insight made these defendants particularly effective. They weren't just attacking systems—they were exploiting their understanding of how victims think during a crisis.

The ALPHV BlackCat operation itself targeted over 1,000 organizations globally before law enforcement disrupted its infrastructure in late 2023. The ransomware-as-a-service model meant affiliates like Goldberg, Martin, and Martino handled intrusions and negotiations while ALPHV administrators maintained the malware and extortion platform.

Part of a Broader Enforcement Push

The sentencing follows a pattern of successful prosecutions against ransomware operators and their enablers. Last month, Russian access broker Aleksei Volkov received 81 months for facilitating Yanluowang ransomware attacks. In April, Finnish authorities arrested a Scattered Spider member facing U.S. extradition for a similar vishing-enabled attack spree.

The common thread: international cooperation and willingness to pursue affiliates and support personnel, not just ransomware developers. Disrupting the human supply chain matters as much as taking down infrastructure.

Implications for Cybersecurity Firms

Four years is meaningful prison time, but organizations that hire incident responders and negotiators may find the precedent more concerning than comforting. Background checks would have revealed nothing problematic about either defendant before their arrest.

The case raises uncomfortable questions about internal monitoring:

• Do incident response firms track employee communications with known criminal infrastructure?
• Should negotiators face additional scrutiny given their access to victim financial information?
• How do you screen for someone with no criminal history who decides to become a criminal?

The ransomware ecosystem has professionalized enough that recruiting people with legitimate credentials makes operational sense for criminal groups. Defenders who understand response playbooks make ideal attackers.

What Happens Next

Goldberg and Martin begin their sentences immediately. Martino's July 9 sentencing will likely result in a longer term given his role and the fact that he pleaded guilty after the other two.

Authorities have already seized $10 million in assets from the three defendants. Restitution amounts for identified victims will be determined separately.

For organizations evaluating cybersecurity partners, the case serves as a reminder that trust verification matters at every level. The people you hire to protect you during a crisis should face the same scrutiny as anyone else with access to your most sensitive systems.