The Cyber Extortion Case: Cybersecurity Professionals Accused of Collaborating with the ALPHV/BlackCat Ransomware Gang

In a case that has shaken the cybersecurity world, three U.S. professionals have been accused of collaborating with the infamous ALPHV/BlackCat ransomware gang to extort companies across the United States. According to federal prosecutors, the accused infiltrated the networks of several organizations and used their cybersecurity knowledge to encrypt systems and demand multimillion-dollar payments in cryptocurrency in exchange for unlocking the data. This case highlights not only the growing threat of ransomware attacks but also how people with cybersecurity skills can turn that expertise to crime by collaborating with a gang like ALPHV/BlackCat.

Between May 2023 and April 2025, the accused worked with the ALPHV/BlackCat ransomware gang, infiltrating at least five companies and demanding payments in cryptocurrency. This ransomware group is known for its sophistication and is responsible for numerous global attacks. By joining the ALPHV/BlackCat gang, the accused used their expertise to carry out the extortion attacks that marked this case.

The Accused and Their Roles

The accused in this case are Ryan Clifford Goldberg, 34, from Watkinsville, Georgia, and Kevin Tyler Martin, 38, from Roanoke, Texas. Goldberg worked as an incident response director at Sygnia Consulting Ltd., a cybersecurity firm based in Israel, while Martin was a ransomware negotiator at DigitalMint, a cryptocurrency payment company based in Chicago. A third conspirator, whose identity has not been revealed, was also part of the plot and, like Martin, worked as a ransomware negotiator at DigitalMint.

The case was brought by federal prosecutors in a Southern Florida district court in October 2023. According to the indictment, between May 2023 and April 2025, the three individuals conspired with the ALPHV/BlackCat ransomware gang to conduct cyberattacks against at least five companies in different states, using ransomware provided by the ALPHV/BlackCat gang to demand multimillion-dollar payments in cryptocurrency. The accused exploited their access to privileged information and their cybersecurity experience to collaborate with the ALPHV/BlackCat gang, a group known for its sophistication and ability to carry out devastating attacks.

ALPHV/BlackCat: The Ransomware Gang Behind the Attacks

ALPHV, also known as BlackCat, is one of the most feared ransomware groups in the world. This criminal organization operates under the Ransomware-as-a-Service (RaaS) model, meaning it rents its malicious software to other cybercriminals, who carry out the attacks. The ALPHV/BlackCat ransomware gang is known for being extremely sophisticated and for demanding large sums of money in cryptocurrency in exchange for decrypting compromised systems.

The ALPHV/BlackCat gang uses ransomware also known as ALPHV, highly complex malware designed to encrypt its victims' computer systems and leave them without access to their essential data. Unlike other ransomware groups, the ALPHV/BlackCat gang has managed to bypass many organizations' defense systems through its use of advanced cryptography and evasion techniques. One of its most effective methods is double extortion, in which it not only demands a ransom to release the systems but also threatens to publish the stolen data if the demanded amount is not paid.

The modus operandi of the ALPHV/BlackCat gang has included high-profile attacks against organizations worldwide, including hospitals, universities, major tech corporations, and law firms. The gang's flexibility in renting its infrastructure to other cybercriminals has allowed it to expand rapidly and carry out large-scale global attacks.

One of the gang's most notorious attacks was against Change Healthcare, a major healthcare company in the United States. The attack compromised sensitive information of approximately 190 million people, including the theft of medical and financial data. The attack resulted in a ransom payment of $22 million, the largest ransom paid by a healthcare organization to date.

The Strategy of the Accused

According to the indictment, the three conspirators used their legitimate roles in cybersecurity to infiltrate the victims' networks and launch ransomware attacks. Goldberg, as the incident response director at Sygnia, had in-depth knowledge of vulnerabilities in companies' systems and how to protect against cyberattacks. However, instead of helping organizations defend themselves, Goldberg seemingly used this information to attack the same companies he was supposed to protect, collaborating with the ALPHV/BlackCat gang.

Meanwhile, Martin, as a ransomware negotiator at DigitalMint, was tasked with helping victims negotiate ransom payments. However, prosecutors argue that Martin used this access to coordinate ransom payments with the ALPHV/BlackCat gang, thus obtaining a share of the loot. A third conspirator, whose name has not been revealed, also had access to ransom payments and played a role in negotiating with the victims, working alongside the ALPHV/BlackCat gang.

Prosecutors allege that starting in May 2023, the three began using their knowledge and privileged access to carry out their own ransomware attacks, utilizing malicious software provided by the ALPHV/BlackCat gang. During this time, they attacked at least five companies, including organizations in Florida, California, Virginia, and Maryland. One of the most notable cases was the attack on a medical device manufacturer based in Tampa, where the attackers demanded a ransom of approximately $1.3 million in cryptocurrency, which was later shared with the developers of the ALPHV/BlackCat ransomware gang.

The accused were captured thanks to a thorough investigation conducted by federal authorities, which included analyzing cryptocurrency transactions and collaborating with cybersecurity companies that provided details about the techniques used by the attackers. Prosecutors emphasize that while the three accused worked in the cybersecurity industry, their behavior was completely outside the scope of their professional duties, and in this case, they worked closely with the ALPHV/BlackCat ransomware gang.

The Impacts of the Attacks

The impact of these ransomware attacks is not limited to data loss. For the affected companies, the attacks mean a significant disruption of operations, a loss of customer trust, and, in many cases, major financial losses. The companies targeted in these attacks were not publicly identified by the prosecutors, but it is known that they included businesses from critical sectors such as medical device manufacturing, pharmaceuticals, and engineering, all of which were attacked by the ALPHV/BlackCat ransomware gang.

For example, the attack on the medical device company in Tampa had repercussions not only in financial terms but also in the integrity of healthcare infrastructure. Disruptions to these companies' computer systems can delay the production of essential products or compromise the quality of services provided, putting people’s lives at risk. This situation has also raised growing concerns in the healthcare field, as many hospitals and medical centers have been affected by similar attacks carried out by the ALPHV/BlackCat ransomware gang, jeopardizing the security of patient data.

On the other hand, ransomware attacks, like those carried out by the ALPHV/BlackCat ransomware gang, also impact consumer and business partner trust. When a company is attacked, it not only faces the costs of ransom payments and system restoration but must also deal with the loss of reputation. Customers and business partners may hesitate to continue working with a company that has been the victim of a cyberattack, especially if their personal data has been compromised by the ALPHV/BlackCat ransomware gang.

The Response of the Involved Companies

Both Sygnia and DigitalMint have cooperated with federal authorities since the case was revealed. Both companies have stated that their former employees involved in the case acted without the knowledge or consent of the companies and that their actions were entirely outside the scope of their employment, especially when collaborating with the ALPHV/BlackCat ransomware gang.

Sygnia, in a statement, explained that Goldberg was fired from the company as soon as his involvement in the attacks carried out by the ALPHV/BlackCat ransomware gang became known. The firm emphasized that it was not a victim of any attack and has been fully cooperating with authorities in the investigation of the ALPHV/BlackCat ransomware gang. For its part, DigitalMint also confirmed that one of its former employees, Martin, was involved in the case related to the ALPHV/BlackCat ransomware gang and clarified that his behavior was completely outside the functions for which he was hired. The company stressed that no customer data was compromised as part of the criminal activity of the ALPHV/BlackCat ransomware gang and that the company was not under investigation for its links with the gang.

Both companies have expressed their willingness to cooperate with the investigations to clarify the facts and ensure that their former employees are prosecuted according to the law. This also highlights the importance of maintaining a corporate culture based on ethics and responsibility, and taking steps to ensure that employees do not use their technical knowledge for illicit purposes, as was done when working with the ALPHV/BlackCat ransomware gang.

The Future of the Case

Ryan Goldberg and Kevin Martin face serious charges, including conspiracy to interfere with commerce through extortion and intentional damage to protected computer systems. Goldberg has been detained while awaiting trial, while Martin has pleaded not guilty to the charges against him. As for the third conspirator, authorities continue to investigate his involvement, but no formal charges have been presented against him in relation to his collaboration with the ALPHV/BlackCat ransomware gang.

The case has also highlighted the growing threat posed by ransomware attacks in the digital world. Increasingly, ransomware gangs, like the ALPHV/BlackCat ransomware gang, are resorting to sophisticated tactics and collaborating with legitimate players in the cybersecurity industry to carry out their attacks. This type of case could lead to greater scrutiny of practices within the cybersecurity industry and increased surveillance of professionals working in this field, especially those like Goldberg and Martin, who directly collaborated with the ALPHV/BlackCat ransomware gang.

This case serves as a reminder of the vulnerability of organizations, even those that rely on cybersecurity experts to protect their data. The attackers may not only be simple hackers, but also individuals with extensive knowledge and access to the networks of companies, allowing them to execute more precise and devastating attacks. The collaboration of former cybersecurity professionals with the ALPHV/BlackCat ransomware gang raises questions about ethics and responsibility in the cybersecurity field, and underscores the need for greater regulation and oversight to prevent similar cases from happening in the future.

This case also highlights the global threat of ransomware and the growing sophistication of attacks. Organizations must be more prepared than ever to protect themselves against this type of cyber threat, as attackers continue to adapt and improve their methods. Ultimately, cybersecurity education and prevention will be key to preventing more companies from falling into the clutches of cybercriminals, especially groups as dangerous as the ALPHV/BlackCat ransomware gang.

The ongoing investigation could also provide new lessons on how attackers infiltrate companies and use their legitimate knowledge and tools to carry out illegal activities. Without a doubt, this case will leave a mark on the world of cybersecurity and could be a turning point for strengthening security within the industry. Authorities must continue to take action to identify and dismantle criminal networks like BlackCat and other ransomware gangs to reduce the risk of future attacks.

If your company wishes to strengthen its security against threats like those posed by the ALPHV/BlackCat ransomware gang, it is crucial to seek advice from experienced professionals. At ITD Consulting, we offer advanced cybersecurity solutions to protect your technological infrastructure and prevent cyberattacks. Contact us today at [email protected] for personalized advice and to ensure the protection of your business.
