Federal prosecutors have charged two cybersecurity professionals and a third unnamed co-conspirator with allegedly participating in a ransomware operation that targeted five U.S. businesses in 2023. According to court documents unsealed in October, the individuals, Ryan Clifford Goldberg of Georgia, Kevin Tyler Martin of Texas, and a third person based in Florida, used the BlackCat (also known as ALPHV) ransomware to encrypt company systems, steal data, and demand cryptocurrency payments.

The three men were employed by companies that specialize in helping victims of cyberattacks.

Martin and the unnamed individual worked at DigitalMint, a ransomware negotiation and incident response firm. Goldberg was an incident response manager at Sygnia. Prosecutors claim the three acted as affiliates of the ALPHV ransomware group, launching attacks between May and November 2023.

The scheme resulted in one confirmed ransom payment of $1.27 million from a Florida-based medical device company.

Why It Matters: The case highlights a significant potential risk where trusted cybersecurity personnel can become internal threats. Individuals in incident response and ransomware negotiation roles often hold privileged access to sensitive systems, threat intelligence, and client environments. When that trust is misused, the consequences can be severe. The incident reinforces the need for continuous background screening and internal monitoring, even within security teams. It also raises questions about due diligence practices during hiring and post-employment audits in high-risk roles.

• Charges and Background: The Department of Justice has charged Goldberg and Martin with conspiracy to interfere with interstate commerce by extortion, interference with commerce by extortion, and intentional damage to protected computers. If convicted, each faces up to 50 years in federal prison. The third co-conspirator has not been publicly identified or indicted at this time.

• Timeline and Victims: Between May and November 2023, the defendants allegedly carried out ransomware attacks against five U.S. companies in the healthcare, pharmaceutical, engineering, and aerospace sectors. The campaign began with a Tampa-based medical device firm that paid $1.27 million after a $10 million demand. Other targets included a Maryland pharmaceutical company, a California doctor’s office, a California engineering firm, and a Virginia drone manufacturer, with ransom demands ranging from $300,000 to $5 million. Only the Florida firm is confirmed to have made a payment.

• Alleged Motives and Conduct: According to court filings, Goldberg admitted to the FBI that he participated in the scheme to alleviate personal debt. He said he was recruited by the unnamed co-conspirator and was promised a share of any ransom payments. Prosecutors say he received about $200,000 from the single successful payment. Goldberg was arrested in Mexico in September 2023 after traveling through Europe.

• Employer Responses: Both DigitalMint and Sygnia said the charged individuals no longer work for their companies and confirmed cooperation with federal investigators. DigitalMint emphasized that the conduct occurred outside of its systems and client environments, and that it was not the subject of the investigation.

• Ransomware Group Background: ALPHV/BlackCat is a well-known ransomware-as-a-service (RaaS) operation that has been active since late 2021. It has been linked to attacks across multiple industries, including a 2024 breach of Change Healthcare that resulted in the exposure of data from up to 190 million individuals. The FBI has estimated that ALPHV affiliates collected at least $300 million in ransom payments between 2021 and 2023.

Go Deeper -> U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks – CyberScoop

US prosecutors say cybersecurity pros ran cybercrime operation – Reuters

US cybersecurity experts indicted for BlackCat ransomware attacks – BleepingComputer