U.S. law enforcement concluded two significant ransomware cases this week, revealing just how advanced and varied cyber threats to enterprises have become.
One involves an international actor: Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national who pleaded guilty to orchestrating a multi-year Nefilim ransomware campaign that hit companies in the U.S., Europe, and Australia.
Stryzhak was extradited from Spain earlier this year and now faces up to 10 years in prison.
In a separate case, two former cybersecurity professionals, Ryan Goldberg and Kevin Martin, admitted to launching ransomware attacks while working in roles meant to defend organizations from such incidents. Using the ALPHV/BlackCat strain, they attacked five U.S. companies in 2023, extorting nearly $1.3 million from one victim alone. The insiders exploited their privileged access and deep knowledge of ransomware response protocols to carry out the attacks undetected, until they were caught.
Both now face up to 20 years in federal prison.
Why It Matters: These two cases drive home an important message for enterprise security teams: the ransomware threat is now coming from both sides of the firewall. On one end, you have highly organized actors like the Nefilim group, who study their victims, tailoring attacks to company size, revenue, and internal structure to apply maximum pressure. On the other, you have insiders like Goldberg and Martin, professionals trusted to defend against ransomware, who used their access and knowledge of incident response workflows to carry out attacks from within. Together, these cases show how today’s attackers exploit technical vulnerabilities as well as organizational trust and behavioral patterns.
- Nefilim Campaign Customized for High-Value Victims: Stryzhak and his co-conspirators deployed customized ransomware payloads for each target, creating unique decryption keys and ransom notes. Their approach involved detailed reconnaissance, identifying company revenue, digital assets, and decision-makers to maximize leverage. Targets included firms in aviation, chemical manufacturing, insurance, construction, and oil and gas.
- Insiders Weaponized Their Roles to Launch ALPHV Attacks: Goldberg and Martin held roles at respected cybersecurity companies, Sygnia and DigitalMint, where they had front-line access to incident response tools and intelligence. They used their insider knowledge to execute targeted ransomware attacks.
- Victims Spanned Critical Sectors Across Continents: The Nefilim group attacked organizations in the U.S., Germany, the Netherlands, Norway, and Switzerland, selecting companies with more than $100 million in annual revenue. Meanwhile, the insider-led ALPHV attacks hit a Florida medical firm, a Maryland pharmaceutical company, a California engineering firm, and a Virginia drone manufacturer.
- Tymoshchuk Still Wanted, with $11M Bounty Issued: Authorities continue to search for Stryzhak’s alleged partner, Volodymyr Tymoshchuk, believed to be a key Nefilim administrator. The U.S. has offered an unprecedented $11 million reward for information leading to his capture, one of the largest cybercrime bounties ever issued.
- Legal Fallout Highlights High Stakes of Cybercrime: Stryzhak faces a decade behind bars, while Goldberg and Martin could serve 20 years each. Both insiders agreed to forfeit $342,000 in criminal proceeds, and prosecutors may recommend lighter sentences if they fully cooperate. The cases signal that law enforcement is increasingly adept at tracking digital footprints, no matter how deep or well-concealed.
Go Deeper:
- Former incident responders plead guilty to ransomware attack spree – CyberScoop
- Ukrainian national pleads guilty to Nefilim ransomware attacks – CyberScoop
- Ex‑Incident Response Consultants Indicted in BlackCat Ransomware Attacks – The National CIO Review


