# Full Report
Ryan Goldberg and Kevin Martin attacked five companies in 2023 and extorted nearly $1.3 million from one of their victims.
Source: CyberScoop, "Former incident responders sentenced to 4 years in prison for committing ransomware attacks".
# Analysis Summary
# Incident Report: Insider Threat & ALPHV/BlackCat Ransomware Collaboration
## Executive Summary
In 2023, two senior cybersecurity professionals, Ryan Goldberg (Incident Response Manager) and Kevin Martin (Ransomware Negotiator), exploited their specialized skills and insider access to conduct ransomware attacks against five U.S. companies. Using ALPHV/BlackCat ransomware, the pair extorted $1.3 million from a medical firm and leaked sensitive patient data. Both were sentenced to four years in federal prison in April 2026.
## Incident Details
- **Discovery Date:** June 2023 (FBI interviews and subsequent flight)
- **Incident Date:** May 2023 – October 2023
- **Affected Organizations:** Medical company (FL), Pharmaceutical company (MD), Doctor's office (CA), Engineering company (CA), Drone manufacturer (VA)
- **Sector:** Healthcare, Pharmaceutical, Engineering, Manufacturing
- **Geography:** United States (Florida, Maryland, California, Virginia)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2023
- **Vector:** Exploitation of specialized cybersecurity knowledge and internal access.
- **Details:** The attackers collaborated with Angelo John Martino III, who shared confidential information from his role as a ransomware negotiator to facilitate the breaches.
### Lateral Movement
- **Details:** The attackers leveraged "high-level cyber skills" to navigate networks and identify critical systems and sensitive data stores for encryption.
### Data Exfiltration/Impact
- **Details:** Sensitive patient data was exfiltrated from a California doctor's office and subsequently leaked to pressure the victim. $1.3 million in cryptocurrency was extorted from a Florida medical company.
### Detection & Response
- **June 2023:** FBI interviewed Goldberg; Goldberg fled the U.S. 10 days later.
- **Sept 22, 2023:** Goldberg arrested in Mexico City after traveling through 10 countries.
- **October 2023:** Martin arrested by federal authorities.
- **April 2026:** Goldberg and Martin sentenced to 48 months in prison.
## Attack Methodology
- **Initial Access:** Insider knowledge and collaboration with a negotiator (Martino) who provided victim intelligence.
- **Persistence:** Not detailed in the source; likely the standard ALPHV affiliate tooling.
- **Privilege Escalation:** Exploited "specialized cybersecurity knowledge."
- **Defense Evasion:** Goldberg attempted to evade authorities by fleeing to Europe/Mexico.
- **Credential Access:** Used confidential information about victim organizations' internal negotiating positions.
- **Lateral Movement:** Movement within professional services networks.
- **Collection:** Targeting of patient data and engineering files.
- **Exfiltration:** Double extortion (encryption + data leak).
- **Impact:** Deployment of ALPHV/BlackCat ransomware to lock critical systems.
## Impact Assessment
- **Financial:** $1.3 million extorted from one victim; Martino (co-conspirator) linked to $75.3 million in total damages.
- **Data Breach:** Leak of sensitive medical patient data.
- **Operational:** "Critical systems" were locked down, causing business disruption for medical and engineering firms.
- **Reputational:** Breach of trust by incident responders and negotiators hired to protect the victims.
## Indicators of Compromise
- **Network indicators:** Activity associated with ALPHV/BlackCat infrastructure (e.g., communications with known C2 servers - [defanged] hxxps[://]alphv[.]onion).
- **File indicators:** `.blackcat` or random character extensions on encrypted files.
- **Behavioral indicators:** Unauthorized access to insurance policy limits and confidential negotiation documents by internal staff.
## Response Actions
- **Containment:** Federal Law Enforcement (FBI) tracking of suspects across international borders.
- **Eradication:** Removal of ALPHV ransomware payloads.
- **Recovery:** Prosecution of the offenders; sentencing to 4 years' imprisonment and asset seizure.
## Lessons Learned
- **Vetting of Third Parties:** The incident highlights a massive conflict of interest and lack of oversight in the ransomware negotiation industry.
- **Insider Threat Management:** Even highly trusted IR managers can become malicious actors (the "poacher turned gamekeeper" scenario).
- **The "Dark Gray" Market:** Ransomware negotiation firms require stricter regulatory oversight to prevent negotiators from playing "both sides."
## Recommendations
- **Zero Trust Architecture:** Implement strict "Least Privilege" access, even for senior incident response staff.
- **Separation of Duties:** Ensure that those negotiating ransoms do not have administrative or technical access to the environments they are "defending."
- **Encryption of Negotiation Strategy:** Protect internal insurance documents and negotiation thresholds with the same level of security as sensitive PII.
- **Enhanced Monitoring:** Implement user behavior analytics (UBA) to detect when authorized users access data unrelated to the cases or tasks currently assigned to them.