Two former cybersecurity professionals who turned their expertise against the very clients they were hired to protect have been sentenced to four years in federal prison. Ryan Goldberg and Kevin Martin, who previously worked as incident responders, carried out ransomware attacks against five companies in 2023 and extorted nearly $1.3 million from at least one of their victims.
From Defenders to Attackers
Incident responders occupy a uniquely trusted position in cybersecurity. Organizations hire them in moments of crisis — after a breach, during an active intrusion, or when systems have been compromised — and grant them deep access to internal networks, sensitive data, and security infrastructure. Goldberg and Martin exploited exactly this trust.
Rather than use their specialized knowledge solely to help clients recover, the two leveraged their insider access and technical expertise to conduct their own ransomware campaigns. The scheme targeted five separate organizations, making it a systematic abuse of their professional standing rather than an isolated incident.
The Attacks and Extortion
The attacks occurred in 2023 while Goldberg and Martin were working in the incident response field. Prosecutors confirmed that the pair deployed ransomware to encrypt victim systems and then demanded payment in exchange for decryption keys. At least one victim paid approximately $1.3 million to regain access to their data.
The combination of insider knowledge — including how organizations structure their defenses, where sensitive data resides, and how backup systems are configured — gave the attackers a significant advantage over typical ransomware operators who must first discover this information through reconnaissance.
Sentencing and Charges
Both Goldberg and Martin were sentenced to four years in federal prison. The case highlights an uncomfortable reality in the cybersecurity industry: the very skills and access required to defend organizations can be weaponized against them by individuals willing to cross ethical and legal lines.
The prosecutions also underscore the growing attention law enforcement is paying to cybersecurity insiders. As organizations grant incident responders and security consultants sweeping access privileges, the legal consequences for abuse of that access are becoming increasingly severe.
Industry Implications
The case raises important questions about background screening, credential management, and access controls for external cybersecurity contractors. Key takeaways for organizations that hire incident responders and security consultants include:
- Limit access scope — Grant only the minimum access required to complete incident response tasks, and revoke it promptly when the engagement concludes
- Log everything — Maintain detailed audit logs of all actions taken by external responders on internal systems
- Segment sensitive data — Ensure incident responders do not have automatic access to all critical systems or backup infrastructure
- Verify credentials — Conduct thorough background checks on all cybersecurity contractors with privileged access
- Post-engagement review — After any incident response engagement, audit what was accessed and whether any anomalous activity occurred
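The "log everything" and "post-engagement review" takeaways above can be turned into a concrete check. The following Python example is added here and is not from the article or from any tool used in the case: it reviews a constructed audit log for a hypothetical contractor account against its agreed engagement window, allowed hosts and the backup/secrets systems it should never touch; every account name, host, timestamp and log line is made up.

```python
from datetime import datetime

# Constructed engagement record for a hypothetical external responder account
# (all names, hosts and times in this example are made up).
ENGAGEMENT = {
    "account": "ir-contractor-01",
    "start": datetime(2023, 3, 1, 9, 0),
    "end": datetime(2023, 3, 8, 18, 0),
    "allowed_hosts": {"web-01", "web-02", "app-01"},
}
# Backup/secrets systems responders should not reach automatically (constructed).
RESTRICTED_HOSTS = {"backup-01", "vault-01"}

# Constructed audit log, one event per line: "<ISO time> <account> <host> <action>".
SAMPLE_LOG = """\
2023-03-02T10:15:00 ir-contractor-01 web-01 read /var/log/auth.log
2023-03-03T14:02:00 ir-contractor-01 app-01 exec collect-artifacts
2023-03-05T23:40:00 ir-contractor-01 backup-01 read /backups/catalog
2023-03-06T11:00:00 ir-contractor-01 vault-01 exec export-keys
2023-03-12T02:30:00 ir-contractor-01 web-02 exec install-service
"""

def parse_log(text):
    """Parse audit lines into dicts; the action field may contain spaces."""
    events = []
    for line in text.splitlines():
        ts, account, host, action = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action})
    return events

def review_engagement(events, engagement, restricted_hosts):
    """Post-engagement review: flag activity after the agreed window ended
    and any access to restricted or out-of-scope hosts by the contractor account."""
    findings = []
    for ev in events:
        if ev["account"] != engagement["account"]:
            continue
        if ev["time"] > engagement["end"]:
            findings.append(("ACTIVITY_AFTER_ENGAGEMENT", ev))  # access not revoked
        if ev["host"] in restricted_hosts:
            findings.append(("RESTRICTED_HOST_ACCESS", ev))
        elif ev["host"] not in engagement["allowed_hosts"]:
            findings.append(("OUT_OF_SCOPE_HOST", ev))
    return findings

if __name__ == "__main__":
    for kind, ev in review_engagement(parse_log(SAMPLE_LOG), ENGAGEMENT, RESTRICTED_HOSTS):
        print(kind, ev["time"].isoformat(), ev["host"], ev["action"])
```

On the sample log this flags the two touches of backup and vault hosts during the engagement and the service installation four days after the engagement ended, which is exactly the kind of unrevoked access the takeaways warn about.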
A Growing Pattern
This case follows a broader pattern of cybersecurity professionals facing criminal charges for misusing their skills. Security researchers, penetration testers, and now incident responders have all appeared in court for conduct that crossed from authorized security work into criminal territory. For the industry, these cases serve as a reminder that technical expertise carries both opportunity and responsibility — and that law enforcement has developed the capabilities to investigate and prosecute offenses by technically sophisticated defendants.
The four-year sentences handed to Goldberg and Martin represent one of the more significant penalties imposed on cybersecurity insiders who have turned their knowledge against the organizations that trusted them.