DigitalMint and Sygnia Cybersecurity Insiders Indicted for ALPHV/BlackCat Ransomware Attacks on Critical U.S. Sectors
- Rescana

Executive Summary
Three former employees of leading cybersecurity incident response firms—DigitalMint and Sygnia Cybersecurity Services—have been indicted by U.S. prosecutors for orchestrating a series of high-impact ransomware attacks between May 2023 and April 2025 as affiliates of the ALPHV/BlackCat ransomware group. The defendants, including Kevin Tyler Martin and Ryan Clifford Goldberg, exploited their insider knowledge and access to conduct unauthorized intrusions, exfiltrate sensitive data, and deploy ransomware against organizations in the healthcare, pharmaceutical, engineering, and defense manufacturing sectors. The attacks resulted in operational disruption, exposure of sensitive data, and ransom payments exceeding $1.27 million. The indictment, supported by FBI affidavits and confessions, details a sophisticated double extortion campaign involving the use of custom ransomware control panels and cryptocurrency laundering. The case, prosecuted in the U.S. District Court for the Southern District of Florida (case number 25-CR-20443-MOORE/D'ANGELO), highlights the evolving threat of insider-enabled ransomware and underscores the need for robust third-party risk management and insider threat detection. All technical and legal details are confirmed by official advisories from CISA, FBI, and the Department of Justice. For further information, see https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/, https://cyberinsider.com/ransomware-negotiation-firm-rocked-by-insider-cybercrime-scandal/, and https://www.cisa.gov/stopransomware/newsroom.
Technical Information
The indicted individuals, formerly employed by DigitalMint and Sygnia Cybersecurity Services, acted as affiliates of the ALPHV/BlackCat ransomware group, leveraging their professional expertise and privileged access to facilitate a series of coordinated ransomware attacks. The technical operation of these attacks is characterized by the following sequence:
The indictment does not specify how initial access to victim networks was obtained, describing it only as unauthorized. Historical patterns for ALPHV/BlackCat affiliates include phishing, brute force attacks on Remote Desktop Protocol (RDP), and exploitation of public-facing applications, as documented in CISA advisories (https://www.cisa.gov/stopransomware/newsroom). Given the defendants’ roles as incident responders and negotiators, it is plausible that credential abuse or exploitation of insider knowledge contributed to the initial compromise. This assessment is supported by the attackers’ ability to move laterally within networks and target critical systems, a process that typically requires elevated privileges and familiarity with enterprise environments.
Once inside the network, the attackers conducted reconnaissance to identify valuable data and systems. They exfiltrated sensitive information—including business records, medical data, proprietary engineering documents, and potentially defense-related intellectual property—prior to deploying the ransomware payload. This double extortion tactic, in which data is both encrypted and stolen for leverage, is a hallmark of ALPHV/BlackCat operations and is confirmed by all primary sources (https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/).
The ransomware deployed was the ALPHV/BlackCat variant, a highly modular and customizable malware family distributed via a Ransomware-as-a-Service (RaaS) model. The attackers used custom affiliate control panels on the dark web to manage their campaigns, issue ransom demands, and negotiate with victims. Ransom notes directed victims to these panels, where payment instructions were provided. Ransom payments were demanded in cryptocurrency, primarily Bitcoin and Monero, and were laundered through mixing services to obscure the financial trail, as detailed in FBI affidavits and company statements (https://cyberinsider.com/ransomware-negotiation-firm-rocked-by-insider-cybercrime-scandal/).
The technical sophistication of the attacks is further evidenced by the attackers’ ability to calibrate ransom demands based on the size and sector of the victim organization. For example, a Tampa-based medical device manufacturer faced a $10 million demand and ultimately paid $1,274,781.23 in cryptocurrency, while a Virginia drone manufacturer was targeted for $300,000. The attackers’ knowledge of incident response procedures and negotiation tactics likely contributed to their success in extracting payments and evading detection for nearly two years.
Mapping these activities to the MITRE ATT&CK framework, the following techniques are relevant: Initial Access (T1190, T1078), Execution (T1059, T1204), Persistence (T1547), Privilege Escalation (T1068), Defense Evasion (T1027, T1070), Credential Access (T1003), Discovery (T1083, T1046), Lateral Movement (T1021), Collection (T1119), Exfiltration (T1041), Impact (T1486), Command and Control (T1105), and Monetization (T1566). Attribution to ALPHV/BlackCat is assessed with high confidence based on the use of their ransomware, affiliate infrastructure, and payment flows, as confirmed by CISA, FBI, and DOJ sources.
The legal proceedings, including confessions and digital evidence, further corroborate the technical findings. The case is unprecedented in that it involves cybersecurity professionals—trusted insiders—acting as threat actors, representing a significant evolution in the ransomware threat landscape.
Affected Versions & Timeline
The attacks attributed to the indicted insiders occurred between May 2023 and April 2025. The following timeline summarizes key events and affected organizations:
In May 2023, the first documented attack targeted a Tampa-based medical device manufacturer, resulting in encrypted servers, a $10 million ransom demand, and a payment of $1,274,781.23 in cryptocurrency. Also in May 2023, a Maryland pharmaceutical company was attacked, with sensitive data stolen and threatened for publication. In July 2023, a California doctor’s office was targeted, facing a $5 million ransom demand. October 2023 saw an attack on a California engineering firm, with a $1 million demand but no payment extracted. In November 2023, a Virginia drone manufacturer was targeted, with a $300,000 ransom demand.
The investigation escalated in 2025. On April 3, 2025, the FBI raided the Florida home of the unnamed co-conspirator. On June 17, 2025, Ryan Clifford Goldberg was interviewed by the FBI and confessed to his involvement. Shortly thereafter, Goldberg and his wife fled to Paris but were subsequently taken into federal custody in September 2025. The indictment was filed on October 2, 2025, in the U.S. District Court for the Southern District of Florida (case number 25-CR-20443-MOORE/D'ANGELO).
The affected organizations span the healthcare, pharmaceutical, engineering, and defense manufacturing sectors. The attacks leveraged the ALPHV/BlackCat ransomware platform, with no evidence that specific software versions or products were exploited; rather, the attacks relied on unauthorized access and insider knowledge.
Threat Activity
The threat activity in this case is characterized by the convergence of insider threat and advanced ransomware operations. The indicted individuals, leveraging their roles as incident responders and negotiators at DigitalMint and Sygnia Cybersecurity Services, acted as affiliates of the ALPHV/BlackCat ransomware group. They systematically targeted organizations with high-value data and operational dependencies, focusing on sectors where disruption would have maximum impact and where ransom payments were more likely.
The attack methodology involved gaining unauthorized access to victim networks, conducting reconnaissance to identify critical assets, exfiltrating sensitive data, and deploying the ALPHV/BlackCat ransomware to encrypt files. Victims were presented with ransom notes and directed to dark web negotiation panels. The attackers demanded payments in cryptocurrency and used mixing services to launder the proceeds, complicating attribution and recovery efforts.
The double extortion model—combining data encryption with the threat of public data release—was used to maximize pressure on victims. The attackers’ insider knowledge of incident response processes and negotiation strategies enabled them to tailor their demands and tactics, increasing the likelihood of payment and prolonging their operational success.
The campaign’s impact was significant, resulting in operational paralysis, exposure of sensitive data, and substantial financial losses for the affected organizations. The case also exposed vulnerabilities in third-party risk management and highlighted the potential for trusted insiders to become threat actors.
Law enforcement response was swift once the pattern of attacks was identified. The FBI conducted interviews, executed search warrants, and ultimately secured confessions and digital evidence leading to the indictment. The case has prompted renewed scrutiny of insider threat detection and the ethics of ransomware negotiation within the cybersecurity industry.
Mitigation & Workarounds
Mitigation of risks associated with insider-enabled ransomware attacks, such as those conducted by the indicted DigitalMint and Sygnia Cybersecurity Services employees, requires a multi-layered approach. The following recommendations are prioritized by severity:
Critical: Organizations must implement robust insider threat detection programs, including continuous monitoring of privileged user activity, behavioral analytics, and strict access controls. Regular audits of third-party service providers and incident response partners are essential to ensure that only authorized personnel have access to sensitive systems and data. Segregation of duties and least privilege principles should be enforced to limit the potential impact of insider abuse.
High: Multi-factor authentication (MFA) should be mandatory for all remote and privileged access. Security awareness training must be updated to include the risks of insider threats and the tactics used by sophisticated ransomware affiliates. Incident response plans should be reviewed and tested to ensure rapid detection and containment of ransomware activity, including scenarios involving trusted insiders.
Medium: Organizations should deploy endpoint detection and response (EDR) solutions capable of identifying lateral movement, credential abuse, and data exfiltration. Regular vulnerability assessments and penetration testing can help identify weaknesses that could be exploited by both external and internal actors.
Low: Maintain up-to-date backups stored offline or in immutable storage to facilitate recovery in the event of ransomware encryption. Ensure that all software and systems are patched against known vulnerabilities, and monitor for indicators of compromise (IOCs) associated with ALPHV/BlackCat ransomware, as published by CISA and FBI (https://www.cisa.gov/stopransomware/newsroom).
Organizations are strongly encouraged to review the official CISA advisories for the latest IOCs, TTPs, and sector-specific guidance related to ALPHV/BlackCat ransomware. Prompt reporting of suspicious activity to law enforcement and information sharing with industry peers can further enhance collective defense.
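As an added illustration of the Critical-tier recommendations above (scoped, time-bound access for incident response partners and continuous monitoring of privileged accounts), the following Python sketch checks responder-account activity against an engagement registry. It is not Rescana's code or part of the report; the log line format, the engagement registry, the account and host names, and the egress threshold are constructed assumptions.

```python
# Added example (not Rescana's code): scope checks for third-party responder accounts.
# Assumed constructed log format: "<ISO ts> user=<acct> host=<host> action=<a> bytes_out=<n>"
from collections import defaultdict
from datetime import datetime

# Constructed engagement registry: each incident-response partner account is
# limited to an engagement window and an explicit host scope.
ENGAGEMENTS = {
    "ir-vendor-alice": {"start": datetime(2025, 3, 1), "end": datetime(2025, 3, 15),
                        "hosts": {"srv-erp-01", "srv-file-02"}},
}
EGRESS_LIMIT = 500_000_000  # constructed threshold: bytes out per account in the sample

def parse_line(line: str) -> dict:
    """Parse one constructed access-log line into a dict with a datetime and int bytes."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec

def review_vendor_access(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (rule, account, detail) for responder-account activity that breaks scope."""
    findings, egress = [], defaultdict(int)
    for rec in map(parse_line, lines):
        user, eng = rec["user"], ENGAGEMENTS.get(rec["user"])
        if eng is None:
            continue  # not a registered partner account; covered by other controls
        if not eng["start"] <= rec["ts"] <= eng["end"]:
            findings.append(("outside_engagement_window", user, rec["ts"].isoformat()))
        if rec["host"] not in eng["hosts"]:
            findings.append(("host_out_of_scope", user, rec["host"]))
        egress[user] += rec["bytes_out"]
    for user, total in egress.items():
        if total > EGRESS_LIMIT:
            findings.append(("excess_egress", user, str(total)))
    return findings

# Constructed sample: two in-scope events, then activity after the engagement
# ended, against an out-of-scope host, with a large outbound copy.
SAMPLE_LOG = [
    "2025-03-05T09:00:00 user=ir-vendor-alice host=srv-erp-01 action=login bytes_out=0",
    "2025-03-05T09:10:00 user=ir-vendor-alice host=srv-file-02 action=read bytes_out=1200000",
    "2025-03-20T02:30:00 user=ir-vendor-alice host=srv-erp-01 action=login bytes_out=0",
    "2025-03-20T02:45:00 user=ir-vendor-alice host=srv-hr-03 action=copy bytes_out=800000000",
    "2025-03-21T11:00:00 user=jsmith host=ws-104 action=login bytes_out=0",
]

if __name__ == "__main__":
    for finding in review_vendor_access(SAMPLE_LOG):
        print(finding)
```

In practice the registry would be populated from the statement of work for each engagement and the account disabled automatically when the window closes, so that a responder's credentials cannot be reused after the engagement ends.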
References
https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/
https://cyberinsider.com/ransomware-negotiation-firm-rocked-by-insider-cybercrime-scandal/
https://www.cisa.gov/stopransomware/newsroom
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous evaluation of vendor security posture, supports incident response planning, and facilitates compliance with industry standards. For questions about this report or to discuss how Rescana can support your risk management strategy, please contact us at ops@rescana.com.