Full Report
Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them. Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co–conspirator (aka "Co-Conspirator 1") based in Florida, all U.S. nationals, are said to have used the ransomware strain against a medical
Analysis Summary
# Threat Actor: U.S. Insiders (Goldberg, Martin, and Co-Conspirator 1)
## Attribution & Identity
* **Identified Individuals:** Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator ("Co-Conspirator 1").
* **Nationality:** All are U.S. nationals based in Florida.
* **Known Associations/Aliases:**
  * Ryan Clifford Goldberg: Formerly an incident response manager for cybersecurity company Sygnia.
  * Kevin Tyler Martin and Co-Conspirator 1: Formerly employed as ransomware threat negotiators for the company DigitalMint.
* **Motivation:** Enrichment/Financial gain (accused of conspiring to "enrich" themselves by dividing illicit proceeds; Goldberg allegedly conducted attacks to get out of debt).
## Activity Summary
This group, composed of cybersecurity insiders, is accused of conducting BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The core activity involved gaining unauthorized access, stealing data, deploying the ransomware, and demanding cryptocurrency payments.
Specific incidents detailed:
* **May 13, 2023:** Attack on a medical device firm (Tampa, FL), demanding approx. \$10,000,000; paid approx. \$1,274,000 in virtual currency.
* **May 2023:** Attack on a Maryland firm (the pharmaceutical company named in the victim list, inferred from later victim details); ransom demand not stated.
* **July 2023:** Attack on a doctor's office (California), demanding approx. \$5,000,000.
* **October 2023:** Attack on an engineering company (California), demanding approx. \$1,000,000.
* **November 2023:** Attack on a drone manufacturer (Virginia), demanding approx. \$300,000.
## Tactics, Techniques & Procedures
* **Unauthorized Access/Data Theft:** Accused of accessing victims' networks and stealing their data.
* **Ransomware Deployment:** Successfully installed the BlackCat (ALPHV) ransomware strain on victim systems.
* **Extortion:** Demanded cryptocurrency payments from victims in exchange for decryption and for not releasing the stolen data.
* **Conspiracy:** Engaged in a willful conspiracy to commit extortion and computer damage.
* **Insider Knowledge:** Leveraged professional roles (incident response manager and threat negotiators) to facilitate the attacks.
## Targeting
* **Sectors:** Medical Device Manufacturing, Pharmaceuticals, Healthcare (Doctor's Office), Engineering, Drone Manufacturing.
* **Geography:** Targeting companies located in the U.S. (Florida, Maryland, California, Virginia).
* **Victims:**
  * Medical device company (Tampa, FL)
  * Pharmaceutical company (Maryland)
  * Doctor's office (California)
  * Engineering company (California)
  * Drone manufacturer (Virginia)
## Tools & Infrastructure
* **Malware Families Used:** BlackCat (aka ALPHV) ransomware.
* **Infrastructure:** Not explicitly detailed in the report; the only infrastructure element described is the use of cryptocurrency (virtual currency) for ransom payments.
## Implications
This case highlights a significant "insider threat" in which trusted cybersecurity professionals allegedly used their knowledge of victim networks and their professional roles (negotiators, IR staff) to commit criminal acts. The involvement of actors previously employed by mitigation and negotiation firms (DigitalMint, Sygnia) suggests a deep understanding of victim security postures, which could make initial intrusions more effective and negotiation tactics more sophisticated. That they used a known RaaS strain like BlackCat but operated independently for personal gain is a notable variation on the usual affiliate model.
## Mitigations
* **Insider Threat Programs:** Implement robust insider threat detection and monitoring programs, especially for employees in sensitive roles (IR, negotiation, recovery services).
* **Access Control Review:** Strictly manage and audit privileged access, ensuring employees only have the necessary access for their roles, even within third-party vendor relationships.
* **Vetting and Off-boarding:** Conduct enhanced background checks and apply rigorous off-boarding procedures for employees who handle sensitive client data or hold system access.
* **General Ransomware Defenses:** Standard defenses against BlackCat/ALPHV (e.g., strong backups, network segmentation, limiting lateral movement capabilities).