Two cybersecurity professionals have each been sentenced to four years in prison for assisting the notorious BlackCat (ALPHV) ransomware group in a series of attacks in 2023, the U.S. Department of Justice (DOJ) announced. The case highlights how insider threats and the misuse of specialist knowledge can significantly amplify the impact of ransomware on organizations.
Key facts of the BlackCat ransomware case and sentencing
According to the DOJ, 40‑year‑old Ryan Goldberg of Georgia and 36‑year‑old Kevin Martin of Texas participated in deploying BlackCat ransomware against multiple U.S. organizations between April and December 2023. They acted in concert with 41‑year‑old Angelo Martino of Florida, who previously pleaded guilty and is scheduled to be sentenced in July 2026.
The defendants operated as affiliates of the ALPHV/BlackCat platform. Under their agreement with the ransomware administrators, they paid the core operators 20% of each ransom in exchange for access to the BlackCat malware, its command infrastructure, and an online “ransom panel” used to manage negotiations, leak stolen data, and pressure victims.
In at least one incident, the group obtained a ransom payment of roughly USD 1.2 million in Bitcoin. Approximately 80% of this amount went to the affiliates, who then distributed the proceeds among themselves and attempted to launder the funds through layered cryptocurrency transactions designed to obscure their origin.
BlackCat (ALPHV) and the ransomware‑as‑a‑service model
BlackCat (also known as ALPHV) is one of the most prominent examples of ransomware‑as‑a‑service (RaaS). In this model, the core criminal group develops and maintains the ransomware code, hosting infrastructure, and payment mechanisms. Independent operators (affiliates) carry out intrusions, steal data, deploy the ransomware, and then share a percentage of any ransom with the core operators.
Law enforcement actions in late 2023 and 2024 significantly disrupted BlackCat’s original RaaS infrastructure, but not before the group had targeted networks of more than 1,000 organizations worldwide, including entities in finance, healthcare, manufacturing, and critical infrastructure. Industry reports such as the Verizon Data Breach Investigations Report (DBIR) have consistently identified ransomware and extortion operations as one of the top threats to businesses, both in frequency and cost.
Abuse of cybersecurity expertise and insider knowledge
A defining feature of this case is that all three defendants were experienced cybersecurity professionals. According to court documents, Martino and Martin worked for DigitalMint, a cryptocurrency services provider, while Goldberg served as an incident response manager at cybersecurity firm Sygnia.
Instead of using their skills to protect organizations, the defendants repurposed their expertise for offensive activity: breaching networks, encrypting critical systems, exfiltrating sensitive data, and coercing companies into paying for the restoration of their own operations. As the U.S. Attorney’s Office emphasized, their actions directly increased both operational disruption and data exposure for victim organizations.
Martino’s role is particularly notable. Acting as a ransomware incident negotiator for some victims, he reportedly had access to confidential information about clients’ cyber insurance coverage limits. Investigators say he passed this information to BlackCat operators, enabling them to set ransom demands that closely matched what insurers were likely to pay. This misuse of privileged insurance and risk data illustrates how insider access can be weaponized to maximize criminal profits.
Implications for insider threat management and ransomware resilience
The BlackCat case underscores how dangerous the combination of high‑level technical expertise and malicious intent can be. For organizations, it reinforces the need to view cybersecurity not only as a technical challenge but as an integrated risk management discipline that explicitly addresses insider threats.
1. Strengthened vetting and continuous monitoring of privileged staff. Organizations in finance, managed security services (MSSPs), incident response, and cryptocurrency services should conduct thorough background checks, periodic re‑screening, and ongoing monitoring of employees with elevated access rights or visibility into sensitive financial and insurance data.
2. Strict application of the least‑privilege principle. Even security specialists should not have broad, unrestricted access without robust role separation, logging, and regular audits. Privileged activity should be monitored with technologies such as privileged access management (PAM) and user and entity behavior analytics (UEBA) to detect anomalous or high‑risk actions.
3. Governance around ransomware negotiations and cyber insurance data. When organizations engage external negotiators, brokers, or incident response firms, contracts and technical controls must limit access to high‑sensitivity information such as insurance limits, internal financial reserves, and detailed resilience assessments. These data points should be tightly compartmentalized to reduce the potential for abuse.
Practical measures to reduce ransomware and insider risk
Given the continued evolution of ransomware groups and affiliate schemes, organizations should adopt a layered, defense‑in‑depth strategy that covers both external and internal threats:
- Maintain tested, offline and immutable backups, and ensure network segmentation to limit lateral movement.
- Deploy and tune EDR/XDR platforms, enforce multi‑factor authentication (MFA), and harden remote access pathways.
- Run regular incident response exercises and business continuity tests to validate detection, containment, and recovery procedures.
- Provide ongoing security awareness training focused on phishing, social engineering, and early indicators of ransomware activity.
- Conduct independent security audits of MSSPs, crypto service providers, and external negotiators, with clear controls for data access, logging, and accountability.
The sentencing of cybersecurity professionals who actively supported BlackCat ransomware operations is a stark reminder that trusted experts themselves can become a significant attack vector. Organizations that rely on internal security teams and external providers must strengthen their governance, monitoring, and ethical standards, and regularly reassess insider threat programs, vendor risk management, and ransomware preparedness to reduce the likelihood and impact of similar abuses.