Former Cybersecurity Professionals Plead Guilty in BlackCat Ransomware Scheme

Two former employees of prominent cybersecurity incident response firms have pleaded guilty to participating in BlackCat (ALPHV) ransomware attacks that targeted U.S. companies in 2023, federal prosecutors said.

Ryan Clifford Goldberg, 33, of Watkinsville, Georgia, and Kevin Tyler Martin, 28, of Roanoke, Texas, admitted to conspiring to obstruct commerce by extortion. Both face sentences of up to 20 years in prison, with sentencing scheduled for March 12, 2026.

Goldberg, a former incident response manager at Sygnia, and Martin, who previously worked as a ransomware negotiator at DigitalMint, allegedly leveraged their professional expertise to breach victim networks while operating as affiliates of the BlackCat ransomware group.

Between May and November 2023, the defendants — along with an unnamed third accomplice — targeted multiple U.S.-based organizations, including a pharmaceutical company in Maryland, an engineering firm in California, a medical device manufacturer in Tampa, a drone manufacturer in Virginia, and a California medical practice.

As BlackCat affiliates, they received access to the group’s ransomware and extortion platform in exchange for paying a 20% share of any ransom proceeds.

According to court documents, the group demanded ransoms ranging from $300,000 to $10 million. Prosecutors confirmed at least one payment: $1.27 million paid by the Tampa medical device manufacturer after its servers were encrypted in May 2023. The indictment does not specify whether other ransom demands resulted in additional payments.

“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very crimes they were trusted to prevent,” said Assistant Attorney General A. Tysen Duva, emphasizing the broader harm caused by online extortion schemes.

The case adds to growing scrutiny of insider risk within the cybersecurity industry.

In mid-2023, the Justice Department separately investigated a former DigitalMint negotiator for alleged ties to ransomware groups, though officials have not confirmed whether the investigations are related.

Federal authorities have since disrupted BlackCat’s operations. In December 2023, the Federal Bureau of Investigation breached BlackCat’s servers, developed a decryption tool, and obtained keys that allowed victims to recover encrypted data. The FBI estimates the group collected at least $300 million in ransom payments from more than 1,000 victims before September 2023.

In a February 2024 joint advisory, the FBI, Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services warned that BlackCat affiliates were disproportionately targeting organizations in the U.S. healthcare sector.