"These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them," said U.S. Attorney Jason A. Reding Quiñones on Thursday.
Sentencing of two former incident‑response employees
Two former employees of cybersecurity incident response companies were each sentenced to four years in prison for taking part in BlackCat (ALPHV) ransomware attacks on U.S. companies. The defendants are 40‑year‑old Ryan Clifford Goldberg, a former Sygnia incident response manager, and 36‑year‑old Kevin Tyler Martin, a DigitalMint ransomware negotiator. Both were charged in November, pleaded guilty in December to conspiracy to obstruct commerce by extortion, and were identified in court documents as acting as BlackCat affiliates between May 2023 and November 2023.
Affiliate arrangement with BlackCat and revenue sharing
Court filings state that Goldberg and Martin paid a 20% share of ransoms in exchange for access to BlackCat’s ransomware and extortion platform. Prosecutors described payments being laundered and split: in one case, a Tampa medical device company paid $1.27 million after its servers were encrypted and it received a $10 million ransom demand in May 2023, with the payment laundered and split three ways with a third accomplice, 41‑year‑old Angelo Martino, who also pleaded guilty in April. While other breached companies received ransom demands ranging from $300,000 to $10 million, the indictment does not indicate whether those victims made payments.
Industries and victims named in court documents
According to the indictment, the group’s victims included a Maryland pharmaceutical company, a Tampa medical device manufacturer, a California engineering firm, a Virginia drone manufacturer, and a California doctor’s office. The breadth of those targets—medical device manufacturing, pharmaceuticals, engineering, drone manufacturing and clinical practice—appears in court materials describing the affiliates’ activity between May and November 2023.
Federal findings and the FBI’s broader linkage to BlackCat
Prosecutors framed the case around insiders using specialized cybersecurity knowledge to carry out extortion, a point underlined by the U.S. Attorney’s statement. DigitalMint CEO Jonathan Solomon told BleepingComputer earlier this month, after Martino’s guilty plea, that the company "strongly condemn[s] these former employees' criminal behavior, which violated our values, ethical standards, and the law," and that the firm "immediately terminated both individuals" when it learned of the conduct. Separately, the FBI has previously linked the BlackCat ransomware gang to more than 60 breaches between November 2021 and March 2022, and in a separate advisory the bureau said the cybercrime operation collected at least $300 million in ransom payments from more than 1,000 victims through September 2023.
What this means for technologists, policymakers, and affected companies
- Technologists and security teams: The prosecutions center on former incident‑response professionals who allegedly repurposed their expertise to gain access, encrypt systems, and extort victims. The case highlights the specific risk posed by insiders with privileged visibility into networks and negotiations.
- Policymakers and prosecutors: Federal authorities framed the conduct as conspiracy to obstruct commerce by extortion and secured guilty pleas and prison terms; the U.S. Attorney’s public statement and the FBI advisories show law enforcement treating affiliate-driven ransomware activity as a prosecutable focus tied to broad campaign metrics.
- Affected enterprises and procurement leaders: The indictment documents ransom demands ranging from $300,000 to $10 million and at least one payment of $1.27 million that was laundered and split among affiliates, underscoring how negotiations and payments can flow through third parties tied to criminal platforms.
The case brings into sharp relief the convergence of specialized incident‑response knowledge and criminal affiliate models: two former defenders turned affiliates, payments routed through laundering channels, and a federal response that ties individual sentences to the larger BlackCat operation. The record in court documents identifies a discrete period of affiliate activity—May through November 2023—and leaves open how many additional insiders or negotiators may have been implicated in similar schemes.
Original reporting: BleepingComputer — US ransomware negotiators get 4 years in prison over BlackCat attacks




