Two men once trusted to help organizations recover from ransomware attacks found themselves at the center of a criminal investigation after using their insider roles to launch attacks of their own. Former employees of Sygnia and DigitalMint, companies commonly associated with cybersecurity incident response and ransomware payment negotiations, have admitted their involvement in a ransomware campaign that targeted businesses in several industries. The case underscores ongoing concerns about insider threats in the cybersecurity sector, with losses exceeding $9.5 million. Law enforcement and the affected companies responded quickly after the indictment and arrests in late 2023, followed by guilty pleas just months later.
How Did Investigations Into Goldberg and Martin Evolve?
When other cases involving ALPHV/BlackCat ransomware appeared over the past year, much of the focus centered on outsider criminal groups exploiting vulnerabilities within companies. Rarely did previous incidents highlight security professionals themselves as perpetrators. Public attention tended to dwell on attacks against major healthcare organizations, such as the Change Healthcare breach, and typically, incident responders were praised for their quick recovery efforts. In stark contrast, the case of Goldberg and Martin highlights a notable shift: trusted insiders at reputable cybersecurity firms orchestrated and benefited from these attacks, undermining past narratives around who poses the greatest risk to organizations facing ransomware.
What Was the Modus Operandi of the Defendants?
Ryan Clifford Goldberg, a former incident response manager at Sygnia, and Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, collaborated alongside an unnamed DigitalMint colleague to infiltrate company networks. They deployed ALPHV, also known as BlackCat, ransomware to extort organizations—despite their professional responsibility to mitigate such disasters. According to court documents, the trio managed to extract nearly $1.3 million in ransom from a Florida medical company, while other targeted organizations, including a pharmaceutical company, engineering firm, and drone manufacturer, escaped financial loss but still faced significant operational disruptions.
How Have the Companies Involved Reacted?
DigitalMint, one of the defendants’ former employers, made its position clear once the allegations surfaced.
“We strongly condemn his actions, which were undertaken without the knowledge, permission or involvement of the company,”
a spokesperson stated, distancing the organization from any misconduct. The company emphasized a commitment to internal values and cooperation with investigators, as reflected in another statement:
“His behavior is a clear violation of our values and ethical standards.”
Sygnia has not issued a public comment. Both defendants have agreed to forfeiture orders covering the profits traced to the criminal activity, with the possibility of further restitution and fines as their sentences are finalized.
The scheme leveraged a special affiliate account on the ALPHV/BlackCat platform, a ransomware-as-a-service toolkit known for its technical sophistication and involvement in high-profile attacks. Prosecutors noted that Goldberg and Martin’s detailed knowledge of ransomware response strategies gave them the means to bypass security controls and undermine clients’ trust. Sentencing is expected to consider both the gravity of the offense and the defendants’ cooperation with authorities, with potential sentences of up to 20 years each.
ALPHV/BlackCat’s wider operations have generated attention for their targeting of key sectors, notably healthcare. The group attracted scrutiny following the Change Healthcare breach, resulting in a ransom payment of $22 million and one of the largest data exposures on record. Recent reports suggest the group ceased major operations by March 2024, yet the extent of damage from affiliates remains significant. This case connects the insidious nature of ransomware-as-a-service operations with vulnerabilities in trusted professional roles.
Cases such as this highlight the critical role of robust internal monitoring and verification within companies handling sensitive cybersecurity tasks. Insider threats are a complex risk, because those entrusted with defense may have the knowledge needed to circumvent established controls. Organizations should regularly assess the integrity of their personnel and maintain transparency with clients to rebuild trust in the sector. Awareness of the insider threat challenge could help prevent similar incidents, with comprehensive checks and balances ensuring that those tasked with protecting sensitive data cannot easily exploit their access for personal gain.
