Full Report
Pair became ALPHV affiliates to prey on US-based clients: a ransomware negotiator and a security incident response manager have admitted to running ransomware attacks.…
Analysis Summary
# Threat Actor: Ryan Clifford Goldberg and Kevin Tyler Martin (and an unnamed co-conspirator)
## Attribution & Identity
* **Primary Actors Identified:** Ryan Clifford Goldberg and Kevin Tyler Martin.
* **Known Aliases/Affiliations:** Affiliates of the **ALPHV/BlackCat** ransomware operation.
* **Identity Context:** Both individuals are cybersecurity professionals (a ransomware negotiator and a security incident response manager) who admitted to running ransomware attacks.
## Activity Summary
* **Timeframe:** May to November 2023.
* **Operation:** The individuals operated as affiliates for the ALPHV/BlackCat ransomware group, paying 20% of secured ransom payments to the ALPHV administrators in return for the use of their crimeware.
* **Outcome:** The trio managed to infect five targets. Only one payment, totaling approximately $1.2 million in Bitcoin, was secured from a medical device company. The defendants have pleaded guilty to conspiracy to obstruct, delay, or affect commerce by extortion.
## Tactics, Techniques & Procedures
* **Initial Access/Deployment:** Used their cybersecurity skills to plant the ransomware at target locations.
* **Extortion:** Attempted to extort victims after successful infection.
* **Financial Handling:** Attempted to launder the proceeds of the single successful ransom payment.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text, but the activity aligns generally with the **Impact** and **Collection/Exfiltration** phases, as implied by the nature of ransomware operations.
## Targeting
* **Sectors:**
* Medical device company (the paying victim)
* Pharmaceutical firm
* Doctor's office
* Engineering company
* Drone manufacturer
* **Geography:** US-based clients (indicated by the goal to prey on US-based clients and the nature of the DOJ charges).
* **Victims:** Five identified targets across the above sectors.
## Tools & Infrastructure
* **Malware Families Used:** ALPHV/BlackCat ransomware.
* **Infrastructure:** Utilized the ALPHV crimeware platform. No specific C2 addresses or domains were detailed.
## Implications
The primary implication is the significant threat posed by trusted insiders ("insider threat") who utilize professional cybersecurity knowledge to commit serious cybercrimes. This highlights the danger of current incident response or security personnel turning adversarial, leveraging deep system knowledge against their employers or industry peers.
## Mitigations
* Implement stringent insider threat monitoring and background checks, especially for personnel with privileged access to critical security systems or data.
* Enforce strong segregation of duties, even within security teams, to prevent a single sub-group from controlling the entire incident response or infrastructure security chain.
* Monitor for atypical host and network activity associated with ransomware deployment (e.g., phishing-to-scripted-execution chains, ATT&CK T1566/T1059), even when it originates from traditionally trusted accounts.