HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Ex-cybersecurity employees indicted over BlackCat attacks on US firms

Written by Farah Amod | Nov 20, 2025 10:45:10 PM

Two former incident‑response and threat‑negotiation professionals have been charged over a series of BlackCat ransomware attacks that targeted US companies, including healthcare organisations.

What happened

According to Bank Info Security, two U.S. nationals, Ryan Clifford Goldberg and Kevin Tyler Martin, were indicted on October 2, 2025, for allegedly using BlackCat ransomware to breach corporate networks, steal data, encrypt files, and extort victims for cryptocurrency. A third suspected co‑conspirator, who is not named in the indictment, has also been linked to the scheme. All three worked in cybersecurity roles while the attacks occurred.

Prosecutors say the defendants targeted multiple firms between May and November 2023, including a medical device company that received a $10 million demand and ultimately paid $1,274,000, and a doctor’s office in California that faced a $5 million demand. Other victims included a pharmaceutical company, an engineering firm, and a drone manufacturer. Only the medical device company is reported to have paid a ransom.

Going deeper

Goldberg worked as an incident response professional at Sygnia; Martin and the unnamed co‑conspirator were employed as ransomware negotiators at DigitalMint. Authorities allege the group conspired to enrich themselves by exploiting access to victim environments and then negotiating extortion payments. DigitalMint says the implicated employees have been fired and that no client data from the firm was compromised through DigitalMint’s infrastructure. Sygnia and DigitalMint reportedly cooperated with law enforcement.

The FBI searched the unnamed co‑conspirator’s home in April 2025. Goldberg was interviewed in May 2025; he initially denied involvement and later told investigators he had been recruited by the unnamed co‑conspirator and participated to address personal debt, claiming he received about $200,000. Martin, by contrast, denies involvement. Martin was released on a $400,000 bond and barred from working in cybersecurity pending trial. Goldberg is being held as a flight risk: he had travelled abroad and was arrested after being deported to the U.S.

The defendants face charges including conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. If convicted, they could face up to 50 years in prison.

What was said

DigitalMint confirmed the implicated employees are no longer with the company and stated that client data was not compromised by DigitalMint systems. Prosecutors described ransom demands and payments in the indictment; company representatives and the defense have made limited public comment. Law enforcement action included raids and international cooperation to arrest and extradite suspects.

The big picture

According to Computer Weekly, Jamie Akhtar, CEO and co-founder of CyberSmart, called the case “one of the most unusual” he had ever seen, noting that “insider threats, whether witting or unwitting, are a well-known risk across all sectors.” He warned that “when a cybersecurity professional uses the skills they’ve developed in the workplace to target other organisations, it raises an entirely different concern.”

Akhtar added, “Employees in tech and security roles are often highly skilled and trusted with privileged access, a combination that can be dangerous if oversight and support are lacking.” He stressed the need for “rigorous access controls, regular behavioural and access reviews and a culture that encourages open communication and wellbeing checks,” concluding that “trust is essential, but it must always be verified.”

FAQs

What is BlackCat (also known as ALPHV)?

BlackCat/ALPHV is a ransomware family that encrypts data and often exfiltrates files before demanding payment. Operators frequently use double‑extortion tactics: encrypting systems and threatening to publish stolen data if ransoms aren’t paid.

How can organizations reduce insider risk at third‑party security firms?

Require vendors to demonstrate role‑based access controls, audit logs, separation of duties, background checks, and regular third‑party security assessments. Contract clauses should allow for independent audits and rapid termination of access after incidents.

Should companies ever pay ransoms to ransomware actors?

Paying a ransom can sometimes recover data quickly, but it carries legal, ethical, and practical risks: payment may fund further criminal activity, does not guarantee full data deletion, and can complicate investigations. Organisations should consult legal counsel, law enforcement, and experienced incident response partners before deciding.

What regulatory or legal consequences can result from such attacks?

Victim organisations may face investigations by regulators (data protection, health‑sector regulators, etc.), potential fines for inadequate safeguards, and civil litigation from affected parties. Individuals charged with conducting attacks face criminal prosecution and severe penalties.

How should organisations handle engagements with incident‑response or negotiation vendors going forward?

Treat cybersecurity vendors like critical suppliers: perform due diligence, require detailed security and ethics policies, include contractual protections (insurance, indemnities, breach notification timelines), and include technical controls that limit vendor access to only what’s necessary.
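The two FAQ answers on vendor access (role‑based access, audit logs, rapid termination after an engagement, and limiting vendor access to what is necessary) describe a periodic access review. The script below is an added example, not code from the article or from either firm named in it, of what such a review can check: vendor accounts reaching hosts outside the agreed scope, vendor activity outside the engagement window, and vendor accounts still enabled after the engagement has ended. The vendor name, account names, hostnames, dates and the pipe‑delimited audit log format are all constructed for the example.

```python
"""Scoped-access review for third-party IR/negotiation vendor accounts.

Added example, not from the article: the engagement record, account
directory and audit log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Engagement:
    vendor: str
    accounts: frozenset       # vendor usernames provisioned for this engagement
    in_scope_hosts: frozenset  # hosts the statement of work allows them to touch
    start: datetime
    end: datetime


# Constructed engagement scope (hypothetical vendor, hosts and dates).
ENGAGEMENTS = [
    Engagement(
        vendor="ir-vendor-a",
        accounts=frozenset({"vendor.a.analyst1", "vendor.a.analyst2"}),
        in_scope_hosts=frozenset({"edr-console", "fileserver-01"}),
        start=datetime(2023, 6, 1, tzinfo=timezone.utc),
        end=datetime(2023, 6, 15, tzinfo=timezone.utc),
    ),
]

# Constructed account directory: account -> still enabled?
ACCOUNT_STATE = {
    "vendor.a.analyst1": True,   # was never disabled after the engagement ended
    "vendor.a.analyst2": False,
}

# Constructed audit log lines in the form timestamp|user|host|action.
SAMPLE_LOG = """\
2023-06-03T10:12:00Z|vendor.a.analyst1|edr-console|login
2023-06-03T10:40:00Z|vendor.a.analyst1|fileserver-01|read
2023-06-04T02:15:00Z|vendor.a.analyst2|backup-server|login
2023-06-20T23:01:00Z|vendor.a.analyst1|fileserver-01|read
2023-06-05T09:00:00Z|alice.internal|fileserver-01|read
"""

# Date on which the review is run (constructed; after the engagement ended).
REVIEW_TIME = datetime(2023, 7, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed pipe-delimited log into (ts, user, host, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split("|")
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, user, host, action))
    return events


def review_vendor_access(events, engagements, account_state, now):
    """Return (kind, account, detail) findings for the vendor accounts in scope."""
    findings = []
    by_account = {acct: eng for eng in engagements for acct in eng.accounts}
    for ts, user, host, action in events:
        eng = by_account.get(user)
        if eng is None:
            continue  # internal user, not part of this vendor review
        detail = f"{action} on {host} at {ts.isoformat()}"
        if not (eng.start <= ts <= eng.end):
            findings.append(("outside_window", user, detail))
        if host not in eng.in_scope_hosts:
            findings.append(("out_of_scope_host", user, detail))
    # Rapid termination check: accounts must be disabled once the engagement ends.
    for eng in engagements:
        if now > eng.end:
            for acct in sorted(eng.accounts):
                if account_state.get(acct):
                    findings.append(("still_enabled", acct, f"engagement ended {eng.end.date()}"))
    return findings


def run_review():
    """Run the review over the constructed data and return the findings."""
    return review_vendor_access(parse_log(SAMPLE_LOG), ENGAGEMENTS, ACCOUNT_STATE, REVIEW_TIME)


if __name__ == "__main__":
    for kind, account, detail in run_review():
        print(f"{kind:18} {account:20} {detail}")
```

Running it over the constructed data yields three findings: one vendor account logging in to a host outside the agreed scope, one reading an in‑scope file server five days after the engagement closed, and one account that was never disabled. In a real review the engagement record would come from the contract or ticketing system and the log from the SIEM or identity provider; the checks themselves stay the same.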