Mar 08, 2026
The People Hired to Stop Ransomware Were Running It—Two Cybersecurity Pros Just Pleaded Guilty
A ransomware negotiator and an incident responder used their trusted positions to deploy ALPHV BlackCat against hospitals, pharma companies, and defense contractors. They face up to 20 years in prison.
The Defenders Who Switched Sides
On March 6, 2026, the U.S. Department of Justice announced that two American cybersecurity professionals had pleaded guilty to deploying ALPHV BlackCat ransomware against multiple U.S. organizations. Ryan Goldberg, 40, of Georgia, worked as an incident response manager at cybersecurity firm Sygnia. Kevin Martin, 36, of Texas, was employed as a ransomware negotiator at DigitalMint, a company that helps victims pay ransoms.
Both men spent their professional lives inside the security industry. Goldberg's job was to help companies recover from ransomware attacks. Martin's was to negotiate with the same criminal groups his clients were paying. Between April and December 2023, they used that expertise to run their own ransomware operation.
How the Operation Worked
Goldberg, Martin, and an unnamed third co-conspirator gained access to the ALPHV BlackCat ransomware-as-a-service platform. The arrangement was standard for the ransomware economy: the platform operators provided the malware and infrastructure, and the affiliates, in this case the three defendants, carried out the attacks. In return, the operators took a 20% cut of any ransom payments.
The group targeted five organizations:
- A medical company in Florida
- A pharmaceutical company in Maryland
- A doctor's office in California
- A drone manufacturer in Virginia
- An engineering company in California
Only one attack produced a payout. The Florida medical company paid approximately $1.2 million in Bitcoin. After sending the operators their 20% share, the three men split the remaining $960,000 and laundered the funds through various channels.
The attack on the California doctor's office took a particularly ugly turn. Patient photos stolen from the practice were published on the BlackCat leak site as leverage to pressure payment.
The Insider Advantage
What makes this case different from a typical ransomware prosecution is the defendants' professional backgrounds. These were not amateur hackers or foreign nationals operating from outside U.S. jurisdiction. They were credentialed security professionals who understood exactly how organizations detect, respond to, and recover from ransomware attacks, because that was their job.
Martin's role as a ransomware negotiator gave him direct insight into how victims make payment decisions, what pressure tactics work, and what security failures lead to successful extortion. Goldberg's incident response work gave him knowledge of how companies detect intrusions, what evidence they collect, and where their defenses are weakest.
Assistant Attorney General Tysen Duva put it directly: the defendants "used their sophisticated cybersecurity training and experience to commit ransomware attacks, the very type of crime that they should have been working to stop."
The Unraveling
The FBI interviewed Goldberg in June 2024 as part of its investigation. Shortly after the interview, Goldberg and his wife purchased one-way flights to Paris, a move that prosecutors are likely to cite during sentencing as evidence of consciousness of guilt.
Both Sygnia and DigitalMint distanced themselves from the defendants, stating that neither employee had authorization to conduct the attacks and that the criminal activity was unrelated to their professional work. Both men eventually cooperated with prosecutors and entered guilty pleas to conspiracy to obstruct commerce through extortion.
Sentencing is scheduled for March 12, 2026. Both men face a maximum of 20 years in federal prison.
The ALPHV BlackCat Operation
ALPHV BlackCat was one of the most prolific ransomware-as-a-service operations in recent years, targeting over 1,000 victims globally. The FBI disrupted the operation in December 2023, recovering approximately $99 million in potential ransom payments and distributing decryption keys to hundreds of victims.
The platform operated on a franchise model. Anyone with the technical skills could apply to become an affiliate, receive the ransomware toolkit, and conduct attacks in exchange for a revenue share with the operators. This model lowered the barrier to entry for ransomware significantly. You did not need to build the malware. You just needed access to a target.
For Goldberg and Martin, the barrier was even lower. They already had the skills, the knowledge, and the professional cover. The ransomware platform just gave them the tools.
What This Means for the Security Industry
The insider threat problem is not new, but this case is among the most explicit examples of cybersecurity professionals crossing the line. It raises uncomfortable questions about the trust placed in incident responders, threat analysts, and ransomware negotiators who routinely handle sensitive organizational data and have deep knowledge of defensive gaps.
Organizations that hire incident response firms or ransomware negotiators are sharing their most sensitive security details with those providers: network maps, vulnerability assessments, backup configurations, insurance coverage limits. If the people receiving that information are also operating as ransomware affiliates, the conflict of interest is obvious and the potential for harm is enormous.
The DOJ's prosecution sends a clear message: the cybersecurity industry is not above the law, and professional credentials do not provide cover for criminal activity. Whether that message is enough to deter the next insider is another question entirely.