Full Report
This is not what people mean when they say: 'You should get a side hustle' A ransomware negotiator and an incident response manager at two separate cybersecurity firms have been indicted for allegedly carrying out ransomware attacks of their own against multiple US companies.…
Analysis Summary
# Incident Report: Insider Threat & Extortion Using Ransomware
## Executive Summary
Two cybersecurity professionals, a ransomware negotiator and an incident response manager from separate firms, were indicted for orchestrating their own ransomware attacks against multiple US companies between May and November 2023. The actors allegedly stole data and deployed ALPHV/BlackCat ransomware, successfully extorting one victim for over $1.2 million, while the other victims did not pay. The involved firms cooperated with law enforcement following the termination of the implicated employees.
## Incident Details
- Discovery Date: Indictment filed October 2, 2025 (Reporting date is Nov 3, 2025)
- Incident Date: May 2023 – November 2023
- Affected Organizations: Five US companies (specific names redacted in source, referenced as Victim 1 through Victim 5)
  - Victim 1: Medical Device Company (Tampa, Florida)
  - Victim 2: Pharmaceutical Firm (Maryland)
  - Victim 3: Doctor's Office (California)
  - Victim 4: Engineering Company (California)
  - Victim 5: Drone Manufacturer (Virginia)
- Sector: Multiple (Medical Devices, Pharmaceuticals, Healthcare Services, Engineering, Manufacturing)
- Geography: Multiple US States (FL, MD, CA, VA)
## Timeline of Events
### Initial Access
- Date/Time: First intrusion occurred around May 13, 2023.
- Vector: Not detailed in the provided source material, though the perpetrators were highly experienced in security operations.
- Details: The indictment suggests the perpetrators used their existing knowledge/access methods to compromise corporate networks.
### Lateral Movement
- Details: Attackers navigated the compromised networks to identify sensitive data and deployment targets.
### Data Exfiltration/Impact
- Details: Sensitive data was reportedly stolen prior to encryption. The ALPHV/BlackCat ransomware was deployed against target servers, resulting in encryption.
### Detection & Response
- Date/Time: Attacks occurred between May and November 2023. Detection appears to have been external, culminating in the federal indictment.
- Response actions taken: A law enforcement (FBI) investigation led to the indictment. The affected companies (victims, not subjects, of the indictment) likely engaged their internal IR teams or external partners for remediation once encryption occurred. The employing firms (DigitalMint and Sygnia) terminated the suspects immediately upon learning of the situation and cooperated with the FBI.
## Attack Methodology
*(Note: Specific technical details are sparse, relying on the general nature of ransomware attacks by sophisticated actors.)*
- Initial Access: Not specified in detail, presumed sophisticated based on perpetrator profiles.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Implied, necessary for deployment and data theft.
- Discovery: Internal reconnaissance on victim networks.
- Lateral Movement: Implied, necessary to spread ransomware and access sensitive data.
- Collection: Theft of sensitive data prior to encryption.
- Exfiltration: Data was stolen prior to encryption stage.
- Impact: Encryption using ALPHV/BlackCat malware, followed by extortion demands.
## Impact Assessment
- Financial: One victim paid a ransom equivalent to approximately **$1,274,000** in virtual currency. Total demands exceeded tens of millions of dollars across all targets.
- Data Breach: Sensitive data was stolen from multiple companies.
- Operational: Encryption impacted the operations of at least one victim (Medical Device Company).
- Reputational: Severe reputational damage to the employing cybersecurity firms (DigitalMint, Sygnia) due to insider threat involvement, although both firms stated they were cooperating and not investigative targets.
## Indicators of Compromise
*(No specific IOCs were provided in the source, as its focus was on the indictment and the insider aspect of the case.)*
- Network indicators: N/A
- File indicators: ALPHV/BlackCat ransomware utilized.
- Behavioral indicators: Extortion focused on data theft plus encryption.
## Response Actions
- Containment measures: Not detailed for the victims, but the perpetrators were removed from employment immediately upon discovery by their respective firms.
- Eradication steps: N/A for the perpetrators, but victims would have required standard ransomware eradication procedures.
- Recovery actions: At least one victim paid the ransom; the recovery outcomes for the other victims are not described in the source.
## Lessons Learned
- **Insider Threat Risk (High Priority):** Individuals in highly trusted roles (negotiators, IR managers) pose an extreme risk if malicious intent develops, as they possess deep knowledge of security protocols and victim vulnerabilities.
- **Supply Chain Risk:** Employment at a trusted cybersecurity firm does not mean an individual has been vetted beyond risk; conflict-of-interest controls and monitoring of employee activity remain critical, even for security personnel.
- **Ransomware Ecosystem:** The involvement of actors tied to an established ransomware service (even one that is now defunct or was used opportunistically) indicates that sophisticated, ready-made toolkits were used rather than custom malware.
## Recommendations
- **Enhanced Vetting & Monitoring:** Implement strict, continuous monitoring of network activity for all privileged employees, especially those handling sensitive incident response tools or client environments.
- **Strict Conflict of Interest Policies:** Reiterate and enforce policies prohibiting employees from engaging in activities that mimic or profit from the threats they are hired to defend against.
- **Zero Trust Architecture:** Limit the scope of access for all personnel, ensuring that even high-level IR staff and negotiators have access strictly limited to what is necessary for their current, active engagement.