They Were Hired to Stop Ransomware - Prosecutors Say They Were Running It

Two cybersecurity professionals who once defended victims of ransomware are now accused of running one and affiliate of the world’s most prolific ransomware schemes. U.S. prosecutors filed charges alleging that Ryan Clifford Goldberg, 33, and Kevin Tyler Martin, 28, secretly operated as affiliates of ALPHV / BlackCat while working legitimate jobs in the security industry.

From Incident Response to Extortion

Goldberg, formerly an incident-response manager at Sygnia Cybersecurity, and Martin, once a ransomware negotiator for DigitalMint, allegedly deployed the BlackCat malware against at least five U.S. companies in 2023. Prosecutors said the victims included a Florida medical-device maker, a Maryland pharmaceutical firm, and a Virginia drone company. The pair demanded up to $10 million per attack and collected more than $1 million in cryptocurrency from one victim.

Court filings describe encrypted chats, ransom spreadsheets, and transactions through privacy coins such as Monero. The indictment charges them with conspiracy to interfere with commerce by extortion and intentional damage to protected computers - offenses carrying up to 30 years in prison.

BlackCat’s Legacy

The BlackCat ransomware family - also known as ALPHV - emerged in 2021, built in the Rust programming language and notorious for its “triple-extortion” tactics: encryption, data theft, and public leaks. The group has been linked to earlier operations like DarkSide and BlackMatter, behind the Colonial Pipeline attack.

Authorities described the indictment as one of the first U.S. cases targeting cybersecurity professionals accused of running a ransomware-as-a-service affiliate. “They exploited the very trust placed in defenders,” an FBI spokesperson said.

Industry Shock

Sygnia confirmed Goldberg’s employment and termination, emphasizing that no client systems were affected and that it is cooperating with the FBI. DigitalMint declined to comment on Martin’s role. The indictment has sparked unease across the incident-response and negotiation community, where consultants handle privileged access and confidential victim data with limited oversight.

Broader Implications

The case underscores the insider risk within the cyber-services sector - a world where trusted responders can pivot to attackers using the same tools and knowledge. Prosecutors are seeking forfeiture of the defendants’ digital wallets after investigators traced payments through multiple exchanges.

For defenders, the message is clear: the ransomware threat is no longer only external. Sometimes, it originates inside the response team itself.