Ransomware responders plead guilty to using ALPHV in attacks on US organizations

Two cybersecurity professionals pleaded guilty last week to charges related to several ransomware attacks they launched on behalf of the now-defunct ALPHV/BlackCat cybercrime group.

Ryan Goldberg and Kevin Martin each pleaded guilty to one count of conspiracy to obstruct commerce by extortion and are facing up to 20 years in prison. Their sentencing is scheduled for March 12. 

Goldberg, a 40-year-old from Georgia, worked for incident response firm Sygnia, and 36-year-old Martin, a Texan, was a ransomware negotiator for DigitalMint. The pair were indicted three months ago. Goldberg was arrested on September 22, while Martin was nabbed on October 14. 

According to court documents, the two worked alongside one other co-conspirator to launch ALPHV/BlackCat ransomware attacks between April 2023 and December 2023 — abusing their cyber incident response positions to extort multiple victims. The Department of Justice has not publicly identified the third suspect.

Prosecutors said the victims included a Florida medical company, a Maryland pharmaceutical company, a California doctor's office, a Virginia based drone company and a California engineering company.

The indictment noted that the patient photos stolen from the doctor’s office were published on the ransomware gang’s leak site as a result of the attack launched by the three.

The men earned about $1.2 million from the Florida medical company and sent 20% of that to ALPHV administrators. None of the other attacks were successful. Goldberg and his wife allegedly bought one-way flights to Paris in June, just 10 days after he was interviewed by the FBI. 

Assistant Attorney General Tysen Duva said the men “used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop.” 

“Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason Reding Quiñones.

DigitalMint said in a statement that it condemned Martin’s actions and that they were “undertaken without the knowledge, permission, or involvement of the company.” 

“His behavior is a clear violation of our values and ethical standards. We fully cooperated with the Department of Justice throughout its investigation and support this outcome as a critical step toward accountability,” the company said. 

Sygnia previously told Recorded Future News that Goldberg was fired as soon as the company learned of the situation.

“While Sygnia is not a target of this investigation, we are continuing to work closely with the Federal Bureau of Investigation,” the company said in November, adding that it could not provide more information because it is an ongoing federal investigation.

ALPHV/BlackCat was one of the most prolific ransomware gangs operating before it was shuttered following a law enforcement takedown in 2024. Following devastating attacks on the biggest hotel in Las Vegas and a multibillion-dollar player in the real estate industry, the group shut down after using its ransomware to destroy critical systems used by insurance giant UnitedHealth. 

The Justice Department said the gang attacked more than 1,000 victims globally through its ransomware-as-a-service model. The FBI developed a decryption tool for victims of the ransomware and claims to have saved victims $99 million in ransom payments. 

The actions of Goldberg and Martin put a spotlight on the cyber insurance and ransomware negotiator industry — which has long faced criticism for its potentially thorny interactions with cybercriminal gangs and its tactics during cyber incidents. 

FBI Special Agent in Charge Brett Skiles said organizations should “exercise due diligence when engaging third parties for ransomware incident response, report suspicious or unethical behavior, and to expeditiously report any ransomware attack to the FBI and our law enforcement partners to safeguard their security and privacy.”