Two cybersecurity professionals have been sentenced to four years in federal prison each after using their technical expertise to carry out ransomware attacks with the ALPHV BlackCat network, exposing a serious breach of trust inside the cyber incident response industry.Ryan Clifford Goldberg, 40, of Georgia, and Kevin Tyler Martin, 36, of Texas, admitted their roles in a 2023 extortion conspiracy that targeted several organisations across the United States. Both men had worked in roles intended to protect organisations from cybercrime: Goldberg as an incident response manager and Martin as a ransomware negotiator. Their offences involved the same kind of attacks they were trained to prevent.
The case centred on the use of ALPHV BlackCat, one of the most disruptive ransomware-as-a-service operations to hit public and private-sector networks. The group’s model allowed affiliates to deploy its malware and use its leak sites and extortion infrastructure in return for a share of proceeds. Goldberg, Martin and co-conspirator Angelo Martino agreed to hand 20 per cent of ransom payments to BlackCat administrators, retaining the remaining 80 per cent for themselves.
Between April and December 2023, the men deployed BlackCat ransomware against multiple victims, including businesses in medical technology, pharmaceuticals, engineering and drone manufacturing, as well as a doctor’s office. One victim, a medical device company in Florida, paid about $1.2 million in Bitcoin after its servers were encrypted and it received a multi-million-dollar ransom demand. The proceeds were then split and laundered through different channels.
The attacks went beyond financial extortion. Sensitive data was stolen and used to pressure victims into payment, including patient information from a doctor’s office. That tactic reflected a broader shift in ransomware operations, where criminals combine system encryption with data theft, public leak threats and targeted pressure on executives, employees and customers.
Goldberg and Martin pleaded guilty in December 2025 to conspiracy to obstruct, delay or affect commerce by extortion. Martino, 41, of Florida, later admitted his role in a related conspiracy. He had worked as a ransomware negotiator and abused access to confidential information, including victims’ negotiating positions and insurance limits, to help attackers extract higher payments. His sentencing is scheduled separately.
The matter has unsettled the cyber response sector because it involved insiders with privileged knowledge of breach containment, victim behaviour, ransom negotiation and recovery planning. Companies under attack often give external responders access to highly sensitive systems, internal communications, legal strategies and insurance details. The abuse of that access has sharpened scrutiny of vetting standards, conflict controls and monitoring inside incident response firms.
Assistant Attorney General A. Tysen Duva said the defendants “used their high-level cyber skills to feed their greed”, while U. S. Attorney Jason A. Reding Quiñones said they had exploited specialised knowledge “not to protect victims, but to extort them”. The sentencing also carried a warning that ransomware threats cannot be treated only as overseas criminal activity; domestic professionals with legitimate industry credentials can become participants in the same underground economy.
BlackCat emerged as a major ransomware brand after earlier groups fragmented under law enforcement pressure. It was known for targeting high-value organisations and for using aggressive extortion tactics. Its victims included companies across healthcare, hospitality, manufacturing, professional services and technology. The group is believed to have targeted more than 1,000 victims worldwide, with hundreds of millions of dollars in ransom demands and payments linked to its operations.
Law enforcement action against BlackCat intensified after 2023. A decryption tool helped hundreds of victims restore systems and avoid estimated ransom payments of about $99 million. Several websites associated with the group were also seized. The gang later drew global attention through attacks on major companies and service providers, reinforcing concerns over ransomware’s ability to disrupt hospitals, supply chains, payment systems and critical business operations.
Goldberg’s arrest added another dimension to the case. After being interviewed by investigators, he left the United States and travelled through several countries before being detained after flying from Amsterdam to Mexico City. He was returned to the United States and held pending trial because of flight-risk concerns. Martin was arrested separately and released on bond before his guilty plea.
Topics
Technology