Full Report
Ryan Goldberg and Kevin Martin were working at cybersecurity companies when they switched sides and hit five companies with ransomware attacks in 2023. The post Former incident responders plead guilty to ransomware attack spree appeared first on CyberScoop.
Analysis Summary
# Incident Report: Insider Ransomware Spree by Former Incident Responders
## Executive Summary
Two former cybersecurity professionals, Ryan Goldberg (ex-Sygnia) and Kevin Martin (ex-DigitalMint), pleaded guilty to participating in a series of ransomware attacks targeting five U.S. companies throughout 2023. The attackers leveraged an affiliate account on the ALPHV/BlackCat ransomware platform, successfully extorting a $1.3 million payment from one victim before the scheme was disrupted by federal investigation. The case highlights a significant breach of trust, as the perpetrators utilized specialized insider knowledge gained from their security roles.
## Incident Details
- Discovery Date: Not stated; the scheme came to light through the federal investigation that produced the arrests in September and October 2023
- Incident Date: Occurred over a six-month period in 2023
- Affected Organization: Five unnamed companies (Medical company in FL, Pharmaceutical company in MD, Doctor’s office in CA, Engineering company in CA, Drone manufacturer in VA).
- Sector: Healthcare/Medical, Pharmaceutical, Engineering, Manufacturing (Drone)
- Geography: Florida, Maryland, California, Virginia (USA)
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2023
- Vector: Not stated in the source. The group operated through an unnamed co-conspirator who held an ALPHV affiliate account; whether the perpetrators used access or knowledge from their incident-response roles against the victims is not established by the article.
- Details: The group initiated the ransomware attacks against five different victim organizations.
### Lateral Movement
- Details: Not explicitly detailed in the source, but necessary to deploy ransomware across victim networks.
### Data Exfiltration/Impact
- Date/Time: One successful extortion occurred in May 2023.
- Details: The group deployed ALPHV (BlackCat) ransomware. They successfully extorted a **$1.3 million** ransom payment from the medical company located in Florida. They failed to extort payments from the other four victims. Total losses caused by the crimes exceeded $9.5 million.
### Detection & Response
- Date/Time: Goldberg arrested Sept. 22, 2023; Martin arrested Oct. 14, 2023. Pleas entered late 2025.
- Details: The incident response was driven by federal law enforcement actions, leading to arrests and subsequent guilty pleas. The firms involved (Sygnia/DigitalMint) cooperated with the DOJ throughout the investigation.
## Attack Methodology
The provided summary focuses on the legal outcome rather than the technical steps; the MITRE ATT&CK tactics below are therefore inferred from the fact of a ransomware deployment, not from reported evidence:
- **Initial Access:** Collaboration with a co-conspirator possessing an ALPHV affiliate account.
- **Persistence:** Not explicitly detailed.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not explicitly detailed, but standard for ransomware deployment.
- **Collection:** Not explicitly detailed.
- **Exfiltration:** Not explicitly detailed; data theft before encryption is common among ALPHV affiliates, but the article confirms only encryption and extortion.
- **Impact:** Deployment of ALPHV/BlackCat ransomware for extortion.
## Impact Assessment
- Financial: Total losses exceeded **$9.5 million**. The defendants were ordered to forfeit $342,000 each and face possible fines of $250,000 each plus restitution.
- Data Breach: Data compromise type/volume unknown, but encryption and extortion were the primary mechanism.
- Operational: Five organizations were targeted, leading to operational disruption from ransomware deployment.
- Reputational: Significant reputational damage to the security industry, particularly Sygnia and DigitalMint, due to former employees being the perpetrators.
## Indicators of Compromise
*Note: No specific IoCs were provided in the article.*
- **Network indicators:** None provided.
- **File indicators:** Attack utilized the **ALPHV/BlackCat** ransomware variant.
- **Behavioral indicators:** None provided. The only behavior the article supports is deployment of ALPHV/BlackCat through an affiliate account held by a co-conspirator; abuse of security-tool access or of internal network knowledge from the perpetrators' former roles is an inference, not a reported finding.
## Response Actions
- **Containment measures:** Victim-side containment is not described. The scheme itself was halted by federal law enforcement (arrests on Sept. 22 and Oct. 14, 2023).
- **Eradication steps:** Not described for the victim networks; arrests and prosecution removed the actors.
- **Recovery actions:** Not detailed; the five victim organizations are assumed to have recovered on their own after the attack or, in one case, after payment.
## Lessons Learned
- **Insider Threat:** The case underscores the extreme risk posed by trusted insiders abusing their specialized position (public or private trust) and enhanced skill set to facilitate criminal activity.
- **Supply Chain Risk:** Even security vendors tasked with response can harbor individuals posing significant risks.
- **Internal Vetting/Monitoring:** Cybersecurity firms must have robust monitoring and behavioral analysis even for senior technical staff.
## Recommendations
- Enhance background checks and continuous monitoring for privileged accounts, especially for employees transitioning roles or those with deep system knowledge.
- Implement strong access controls (Zero Trust model) even internally, minimizing the potential blast radius of a compromised trusted account.
- Develop and regularly test comprehensive Insider Threat detection programs leveraging behavioral anomaly detection against privileged user activity.
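The last recommendation is easier to act on with a concrete shape for "behavioral anomaly detection against privileged user activity". The following Python script is an added example, not code from the article, from Sygnia or from DigitalMint: it builds a per-account baseline (hosts touched, hours of day) from a known-good window, then flags privileged-account events that fall outside that baseline, occur after a role transition, or match actions that typically precede encryption. The log lines, account names, the `TRANSITIONED` feed and the action vocabulary are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, "ISO-timestamp user host action"; not real telemetry.
BASELINE_LOGS = [
    "2023-04-03T09:12:00 alice fs01 file_read",
    "2023-04-03T13:40:00 alice fs02 file_read",
    "2023-04-04T16:55:00 alice fs01 file_write",
    "2023-04-03T08:05:00 bob jump01 rdp_login",
    "2023-04-04T17:30:00 bob jump01 rdp_login",
]
REVIEW_LOGS = [
    "2023-05-10T10:15:00 alice fs01 file_read",
    "2023-05-10T02:40:00 alice db03 file_read",
    "2023-05-10T03:05:00 alice db03 vssadmin_delete_shadows",
    "2023-05-11T09:00:00 bob jump01 rdp_login",
    "2023-05-11T09:30:00 carol ws07 file_read",
]
PRIVILEGED = {"alice", "bob"}
# Accounts whose owners changed role or left; assumed to come from an HR/IdM feed.
TRANSITIONED = {"bob"}
# Action labels that commonly precede encryption in ransomware intrusions (assumed vocabulary).
HIGH_RISK_ACTIONS = {"vssadmin_delete_shadows", "mass_file_rename", "backup_delete"}


def parse(line):
    """Split one constructed log line into (timestamp, user, host, action)."""
    ts, user, host, action = line.split()
    return datetime.fromisoformat(ts), user, host, action


def build_baseline(lines):
    """Per-user hosts and hours-of-day observed during a known-good window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _ in map(parse, lines):
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(ts.hour)
    # Treat the observed earliest..latest hour span as the user's working window.
    for profile in baseline.values():
        lo, hi = min(profile["hours"]), max(profile["hours"])
        profile["hours"] = set(range(lo, hi + 1))
    return baseline


def detect(lines, baseline, privileged=PRIVILEGED, transitioned=TRANSITIONED):
    """Return one alert per privileged-account event that deviates from baseline."""
    alerts = []
    for ts, user, host, action in map(parse, lines):
        if user not in privileged:
            continue
        reasons = []
        if user in transitioned:
            reasons.append("privileged activity after role transition")
        profile = baseline.get(user)  # .get does not create a default entry
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"first access to host {host}")
            if ts.hour not in profile["hours"]:
                reasons.append(f"outside usual hours ({ts.hour:02d}:00)")
        if action in HIGH_RISK_ACTIONS:
            reasons.append(f"high-risk action {action}")
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "host": host,
                           "action": action, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(REVIEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert["time"], alert["user"], alert["action"], "|", "; ".join(alert["reasons"]))
```

Run as-is, the script flags three of the five review events: two for `alice` (a never-seen host at 02:40 and 03:05, the second also deleting shadow copies) and one for `bob`, whose session looks normal but belongs to an account that should have been re-scoped after a role change. The useful design point is that the role-transition check fires even when nothing else is anomalous, which is exactly the gap a behavioral baseline alone leaves open for a trusted insider.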