Former Cybersecurity Workers Indicted in BlackCat Ransomware Case

Meta Description: Three former cybersecurity employees face federal charges for BlackCat ransomware attacks on U.S. companies, risking up to 50 years in prison

Three former employees of cybersecurity incident response firms, DigitalMint and Sygnia, have been indicted for allegedly conducting multiple BlackCat (ALPHV) ransomware attacks against five U.S. companies between May 2023 and November 2023. The defendants face serious federal charges, including conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to protected computers.

The individuals named in the indictment are 28-year-old Kevin Tyler Martin of Roanoke, Texas, who has pleaded not guilty; 33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia, who has been in federal custody since September 2023; and an unnamed accomplice. If convicted, the trio could face a combined maximum prison sentence of up to 50 years, including 20 years for each extortion charge and 10 years for intentional computer damage.

According to unsealed court documents reported by the Chicago Sun-Times, Martin previously worked at DigitalMint as a ransomware threat negotiator, a role also held by the unnamed co-conspirator. Goldberg is a former incident response manager at Sygnia. The Department of Justice alleges that the three operated as affiliates of the BlackCat ransomware group, infiltrating the networks of targeted companies, stealing sensitive data, deploying encryption malware, and demanding cryptocurrency payments in exchange for decryption keys and promises not to leak stolen information.

The alleged victims include a Tampa medical device manufacturer, a Maryland pharmaceutical company, a California doctor’s office, a California engineering firm, and a Virginia drone manufacturer. Prosecutors say the attackers demanded ransoms ranging from $300,000 to $10 million, with only one payment of $1.27 million reportedly made by the Tampa medical device company after a $10 million ransom demand in May 2023. It remains unclear whether other victims paid any ransom.

This indictment highlights the growing concern around insider threats in cybersecurity incident response. In 2024, a joint advisory from the FBI, CISA, and HHS warned that BlackCat ransomware affiliates have increasingly targeted U.S. healthcare organizations. The DOJ and FBI have declined to comment on whether this case is connected to previous investigations into ransomware negotiators allegedly profiting from extortion deals.

The scale of BlackCat ransomware attacks is significant. Between November 2021 and March 2022, the FBI linked the group to over 60 breaches during its first four months of activity. By September 2023, BlackCat affiliates had reportedly extorted at least $300 million from more than 1,000 victims, making it one of the most notorious ransomware operations targeting U.S. companies in recent years.

A 2019 ProPublica investigation revealed that some U.S. data recovery firms had secretly paid ransomware groups while charging clients for restoration services without disclosing these payments. This raises questions about ethical practices in cybersecurity incident response and the potential for insider involvement in ransomware schemes.

As ransomware attacks continue to evolve, this indictment serves as a reminder of the growing threat posed by sophisticated criminal groups like BlackCat. Organizations are urged to strengthen cybersecurity measures, monitor insider activity, and prepare for ransomware contingencies to mitigate the risks of data breaches and financial losses.