Insider Threat Realized: Cybersecurity Workers Operated BlackCat Ransomware
In a case that highlights the insider threat within the cybersecurity industry itself, two US cybersecurity professionals have pleaded guilty in Miami federal court to conspiracy charges for their roles in ALPHV/BlackCat ransomware attacks against five American companies, including three healthcare organizations. The attacks resulted in losses exceeding $9.5 million.
| Attribute | Value |
|---|---|
| Defendants | Ryan Goldberg (40, Georgia) and Kevin Martin (36, Texas) |
| Charges | Conspiracy to commit extortion via ransomware |
| Ransomware Variant | ALPHV/BlackCat |
| Attack Period | April 2023 – December 2023 |
| Victims | 5 US companies (3 healthcare organizations) |
| Total Losses | $9.5+ million |
| Maximum Penalty | 20 years imprisonment each |
| Sentencing | March 12, 2026 |
Who Are the Defendants?
Ryan Goldberg was employed as an incident response manager at Sygnia, a cybersecurity consulting firm, while simultaneously operating as a BlackCat ransomware affiliate. Kevin Martin worked as a ransomware negotiator at DigitalMint, a company that helps ransomware victims make cryptocurrency payments — giving him direct insight into victims' willingness and ability to pay.
A third unnamed co-conspirator, also a ransomware negotiator at DigitalMint, was referenced in the indictment.
The Double Life
The defendants leveraged their legitimate cybersecurity roles to gain knowledge of defensive techniques, incident response procedures, and victim negotiation patterns — then applied that expertise to their criminal operations. Goldberg's role in incident response gave him understanding of how organizations detect and respond to ransomware, while Martin's negotiation experience informed the group's extortion strategy.
Healthcare Targeting
Three of the five targeted companies were healthcare organizations, a sector particularly vulnerable to ransomware pressure due to the critical nature of patient care systems and the sensitivity of protected health information (PHI).
| Impact Area | Description |
|---|---|
| Financial Losses | Over $9.5 million in combined damages across five victims |
| Healthcare Disruption | Three healthcare organizations had operations crippled |
| Industry Trust | Cybersecurity professionals weaponizing insider knowledge |
| Patient Data Risk | PHI potentially exposed during healthcare attacks |
Recommendations
For Organizations
- Implement robust insider threat programs that include cybersecurity staff in monitoring scope
- Enforce separation of duties in incident response and security operations
- Conduct thorough background checks and continuous monitoring for employees with privileged access
- Monitor for anomalous activity from security team accounts and tools
For the Cybersecurity Industry
- The case reinforces the need for vetting and ethical standards across the profession
- Ransomware negotiation firms should implement controls to prevent employees from using client intelligence maliciously
- Industry certifications should incorporate stronger ethical requirements and accountability
Key Takeaways
- Two cybersecurity professionals — an incident responder and a ransomware negotiator — operated as BlackCat affiliates
- The attacks caused $9.5+ million in losses across five companies, including three healthcare organizations
- Both defendants leveraged their legitimate roles for criminal advantage
- Each defendant faces up to 20 years in prison, with sentencing set for March 12, 2026
- The case exposes a critical insider threat vector within the cybersecurity industry
- Organizations must include security staff in their own insider threat monitoring programs