"The court’s sentences today reflect the damage that these defendants inflicted during their cyberattacks on victim companies throughout the United States," comments the Justice Department’s Criminal Division Assistant Attorney General A. Tysen Duva.
Sentences for Ryan Goldberg and Kevin Martin for 2023 ransomware campaign
On Apr. 30, two American cybersecurity professionals were imprisoned for their roles in a string of 2023 ransomware attacks. The defendants were identified as Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas. Both were sentenced on charges of conspiracy to impede, delay, or impact commerce through extortion in connection with attacks that occurred between April 2023 and December 2023.
The indictment named a third co-conspirator, Angelo Martino, 41, of Florida, who participated in the same activity. According to the account released by the Justice Department, all three deployed ALPHV BlackCat ransomware against victims throughout the United States.
ALPHV BlackCat ransomware and the 20% administrator share
The defendants and their co-conspirator are described as having agreed to a revenue split with the administrators of ALPHV BlackCat. The three attackers accepted terms that required paying a 20% ransom share to ALPHV BlackCat’s administrators, implicitly retaining the remaining 80% of payments they collected from victims.
That 20% arrangement and the use of a known ransomware family are central to the Justice Department’s portrayal of the operation as an organized extortion scheme involving both deployment and profit-sharing mechanics.
The $1.2 million extortion, division of proceeds, and laundering
The court record states that, in one instance, the group extorted a single victim for $1.2 million in Bitcoin. Following that payment, the three defendants divided their 80% share into thirds and laundered the proceeds. The filing links the extortion, division of funds, and money laundering as coordinated steps in the conspiracy.
Justice Department account of victims and misconduct
Assistant Attorney General A. Tysen Duva framed the sentences as a response to concrete harms. He said the defendants "harmed important firms who were providing medical and engineering services," and that they went "so far as to cause the leak of patient data from a doctor’s office victim." Duva added that the defendants "split the ransoms they were paid, and laundered the illicit proceeds."
Duva contrasted the defendants’ professional background with their crimes: "These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed." He concluded that "Ransomware attackers like this should be punished and removed from society to serve their lawful sentences so they cannot harm others."
What this means for technologists, affected enterprises, and the general public
- Technologists and security teams: The sentencing highlights that the defendants "worked in the cybersecurity industry, giving them unique insights into perpetuating these cybercrimes." Teams that hire or collaborate with external consultants and specialists may take this case as a prompt to reassess insider risk controls and verification practices for people with privileged technical access.
- Affected enterprises and procurement leaders: The Justice Department identified victims that included firms "providing medical and engineering services" and a doctor's office whose patient data was leaked. Organizations that handle sensitive data—particularly in healthcare and engineering—may view this case as a reminder to evaluate incident-response plans, data-protection measures, and contractual protections against insider-assisted compromise.
- The general public and patients: The Justice Department specifically tied the attack to a leak of patient data. For individuals whose records were exposed, the case foregrounds the real-world consequences of ransomware beyond operational disruption—namely damage to privacy and personal information.
The Apr. 30 imprisonments close a chapter in a campaign prosecutors say ran from April through December 2023, involved ALPHV BlackCat deployments across the United States, a structured profit split with ransomware administrators, and the laundering of extorted funds. As the Justice Department put it, the defendants’ cybersecurity backgrounds did not lead to public benefit but instead were used to facilitate extortion and data exposure; prosecutors said those attackers should be removed from society so they cannot harm others.
