Two former cybersecurity professionals who moonlighted as cybercriminals, committing a series of ransomware attacks in 2023, were each sentenced to four years in prison, the Justice Department said Thursday.

Ryan Clifford Goldberg and Kevin Tyler Martin previously pleaded guilty to one of three charges brought against them in December and faced up to 20 years behind bars. 

Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with Angelo John Martino III to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.

“These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.”

Victims impacted by the attacks Goldberg and Martin participated in over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia. 

“They harmed important firms who were providing medical and engineering services. They played hardball with them, going so far as to cause the leak of patient data from a doctor’s office victim,” A. Tysen Duva, assistant attorney general of the Justice Department’s criminal division, said in a statement.

“These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed. Ransomware attackers like this should be punished and removed from society to serve their lawful sentences so they cannot harm others,” Duva added.

Goldberg and Martin received identical sentences for their crimes, despite significant differences surrounding their initial arrests. Martin was arrested without incident in October and freed on bond later that month.

Goldberg fled the country in June, 10 days after he was interviewed by the FBI. He was arrested Sept. 22 and ordered to remain in custody pending trial due to flight risk. 

Goldberg and his wife boarded a one-way flight to Paris from Atlanta on June 27 and remained in Europe until Sept. 21. When Goldberg flew directly from Amsterdam to Mexico City, he was arrested upon landing and deported to the United States.

“When Goldberg sought to flee abroad and escape prosecution, the FBI tracked him through 10 countries, demonstrating the lengths we will go to hold cyber criminals accountable and protect victims,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.

The cases against Golberg, Martin and their co-conspirator Martino showcase an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons.

Goldberg, 40, and Martin, 36, extorted a $1.3 million ransom payment from the medical company with Martino in May 2023, but did not receive ransom payments from their other victims.

Martino’s ransomware scheme went much further and caused significantly more damage, helping accomplices extort a combined $75.3 million in ransom payments. Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides.

He pleaded guilty earlier this month to sharing confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates.

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

Sygnia and DigitalMint are not accused of any knowledge or involvement in the crimes, and both previously said they fired their former employees once federal authorities alerted the companies to their alleged crimes. 

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

The post Former incident responders sentenced to 4 years in prison for committing ransomware attacks appeared first on CyberScoop.

A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U.S. companies he represented as a ransomware negotiator for DigitalMint in 2023, the Justice Department said Monday.

Angelo John Martino III shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates, according to his plea agreement.

Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides. DigitalMint, which is not accused of any knowledge or involvement in the crimes, fired Martino the day after the Justice Department informed the company they were investigating him in April 2025. 

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Prosecutors previously said Martino helped accomplices extort a combined $75.3 million in ransom payments, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company. 

Martino also admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware, also known as ALPHV, against five additional U.S. companies between April and November 2023. 

Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, said in a statement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Officials shared a series of chats Martino held with co-conspirators and his victims that exemplify the lengths he went to betray DigitalMint’s clients and empower his accomplices with crucial tips for a successful negotiation strategy.

DigitalMint did not respond to a request for comment on Martino’s guilty plea.

Negotiation chats exemplify Martino’s crimes

During an incident response with one of his victims, Martino told a BlackCat affiliate the company’s insurance carrier “was only approving small accounts,” according to his plea agreement. “Keep denying our offers and I will let you know once I find out the max the[y] want to pay,” he added.

“We don’t know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates,” Martino said in a negotiation chat visible to DigitalMint and the victim organization in the hospitality industry. “We are able to give you $1 million now, which is a very serious offer.”

Following Martino’s instructions, the BlackCat accomplice responded: “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time.”

That victim company ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data. The two other victims Martino represented via DigitalMint at the time paid $6.1 million and $213,000 ransoms for similar commitments.

“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement.

Martino received a portion of the ransomware payments for his involvement in the conspiracy.

Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. Law enforcement seized multiple vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. 

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

“The FBI works every day to dismantle the ransomware ecosystem,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Martino pleaded guilty to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

You can read Martino’s plea agreement below.

The post Former DigitalMint ransomware negotiator pleads guilty to extortion scheme appeared first on CyberScoop.

A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint. 

Five of Angelo John Martino III’s alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients’ behalf — putting him in a position to play both sides, as the criminal responsible for the attack and the lead negotiator for his alleged victims, according to federal court records unsealed Wednesday.

Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, and conspired with other former cybersecurity professionals to break into victims’ networks, steal and encrypt data, and extort companies for ransoms over a six-month period in 2023.

Martino was an unnamed co-conspirator in an indictment filed in November 2025 against Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia. Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

Prosecutors accuse Martino of providing confidential information regarding ransomware negotiations to ALPHV co-conspirators to maximize the ransom payment. His attorney did not immediately respond to a request for comment.

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Goldberg and Martin were not specifically named as co-conspirators in those attacks. Prosecutors previously said they only successfully extorted a financial payment from one of their victims for nearly $1.3 million.

Cybersecurity firm that employed Martino responds

DigitalMint said they suspended Martino’s access to systems when the Justice Department notified the company they were investigating him on April 3 and fired him the next day. The company, which is not accused of any knowledge or involvement with the crimes, added it was not aware that Martino and Martin were already involved in ransomware-related schemes before they were hired. 

“We strongly condemn these former employees’ criminal behavior, which violated our values, ethical standards and the law,” DigitalMint CEO Jonathan Solomon said in a statement to CyberScoop.

“DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges,” Solomon added. “While no organization can completely eliminate insider risk, we take incidents like this extremely seriously and have strengthened safeguards and internal controls to further reduce the likelihood of similar conduct.”

DigitalMint did not directly answer questions about whether it refunded its clients who were allegedly victimized by Martino. “We are not able to discuss specific client relationships or fee arrangements due to confidentiality obligations,” a spokesperson said in a statement. “We remain committed to our clients and have addressed any commercial matters directly with those parties.”

The company also declined to describe the circumstances under which it was hired and assigned Martino to conduct ransomware negotiations on the attacks he allegedly committed. Yet, in a statement it noted: “The charging documents do not allege that Martino referred or brought these victims to DigitalMint.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Authorities seize about $12M in assets, set $500K bond

Martino is charged with conspiracy to interfere with commerce by extortion and faces up to 20 years in prison. He is scheduled to enter a plea March 19. 

Authorities seized nearly $9.2 million in five types of cryptocurrency from 21 wallets controlled by Martino. Other items seized from Martino include a 1999 Nissan Skyline, a 2024 Polaris RZR, a 2023 trailer and a 29-foot boat manufactured in 2023.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. The bayfront home was reported as the second-largest real estate transaction of the week when Martino and his wife purchased the home for $1.791 million in February 2024.

Martino surrendered to the U.S. Marshals in Miami Tuesday and was released on a $500,000 bond. He is restricted from traveling outside the Southern District of Florida and is prohibited from working in the cybersecurity industry.

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Two of Martino’s alleged victims paid even higher ransoms in 2023, according to prosecutors, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company.

You can read the formal charge prosecutors filed against Martino below.

The post Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million appeared first on CyberScoop.

Ransomware negotiation is a dark but widely acknowledged reality in the cybersecurity industry — one that many argue is a necessary practice, even if it largely occurs out of sight. Brokering payments and terms with cybercriminals who hold organizations’ data and operations hostage places security professionals in a fraught position that requires them to balance a responsibility to meet their clients’ needs without fueling the spread of financially-motivated crime.

The pitfalls of ransomware negotiation are excessive — pinning the goals of cybercrime against victims and incident response firms that typically face no good options. Negotiators are charged with ensuring their clients don’t break any laws by financially supporting sanctioned criminals, but they also have to consider the lines they won’t cross without betraying their moral compass.

These backchannel negotiations can go awry for various reasons. Many people involved in ransomware negotiation prefer to share very little about what transpires in these discussions, a decision that ensures the terms of ransomware payments remain largely unscrutinized. 

Yet, many security companies and professionals spoke to CyberScoop about the challenges and benefits of ransomware negotiation after two of their own became turncoats. The former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were moonlighting as ransomware operators and pleaded guilty last month to a series of ransomware attacks in 2023.

“There’s no structured community of practice, no peer review, and no recognized body to certify or hold negotiators accountable,” Jon DiMaggio, principal at XFIL Cyber, told CyberScoop. “It’s one of the few areas of cybersecurity with no real standards, an unregulated tradecraft that still operates like the Wild West.”

This uneven approach manifests across the landscape, particularly among the top incident response firms, which have varying levels of comfort with ransomware negotiations. CrowdStrike and Mandiant draw a firm line, refraining from providing ransomware negotiation services to clients. 

If a client is considering paying a ransomware group, Mandiant will explain the options and let the client decide. The Google-owned company will also share what it knows about the group’s reputation for honoring terms and provide a list of third-party vendors that specialize in ransomware negotiation.

Adam Meyers, head of counter adversary operations at CrowdStrike, is firmly in the don’t-pay-ransoms camp. But he, too, recognizes it’s not always that simple. 

“No good comes from paying them,” but sometimes in extreme cases when the choice is between a business’s downfall or potentially putting the people you serve at risk of significant harm, victims don’t have a choice but to pay the ransom, Meyers said.

Palo Alto Networks Unit 42 takes things to the finish line, but stops before payment. “The boundary for us is we don’t perform ransomware payments. That’s actually an intentional decision on our end to separate those out,” Steve Elovitz, vice president of consulting at Unit 42, told CyberScoop.

“We will perform negotiations when requested by our clients, but we will not perform the payments,” he added. “There’s the complexity side of it, but there’s also just the moral side of it — not wanting to be involved, really, in the transaction itself.”

The red lines in ransomware response — viewing stolen or illegal data on dark web forums, collecting that information, engaging with cybercriminals, negotiating and, ultimately, submitting payment — can push those involved beyond their comfort zones, said Sean Nikkel, lead cyber intelligence analyst at Bitdefender.

Lack of transparency engenders isolation

These self-imposed limits highlight how secretive ransomware negotiations tend to be, which creates a vacuum in which criminals thrive, DiMaggio said. 

“The lack of transparency isolates everyone,” he said. “Victims don’t know what’s normal or fair, law enforcement is often left guessing, and the criminals use that silence to control the narrative and drive up their prices.”

Nikkel asserts some secrecy is necessary, yet ransomware negotiators are “operating without a license and it kind of freaks me out a little bit,” he said.

Professional certifications exist for many lines of intelligence work, but there’s nothing for ransomware negotiation, he added.

DiMaggio, who has infiltrated ransomware groups to investigate their operations, dox their leaders and chronicle stories that would otherwise go untold, said victim organizations constantly make the same mistakes because lessons from these attacks are rarely shared. 

“Until the industry finds a responsible way to collect and analyze anonymized negotiation data, we’ll keep fighting each case in the dark,” he said. “Transparency isn’t about shaming victims — it’s about denying criminals the advantage of secrecy.”

Open sharing of ransomware negotiations is a non-starter for many important reasons, experts said. These communications contain privileged information that could tip attackers off to counterstrategies or empower them with information they can use as leverage to further compromise victims. 

“It would be difficult to do that in a way that doesn’t compromise the practice,” said Kurtis Minder, the co-founder and former CEO of GroupSense who published a book in July about his experiences as a ransomware negotiator.

Cynthia Kaiser, who joined Halcyon’s ransomware research center as senior vice president after 20 years with the FBI, shares that view. 

“You don’t want to do anything that re-victimizes the victim,” she said. “If that information goes out, that should be their choice.”

The “darkness” about negotiations doesn’t merit the same emphasis as the need to better understand “how insidious and gross all these ransomware attacks are, and who they’re attacking,” Kaiser added. 

“That’s the only way we can really grapple with the actual extent of the threat, and that’s not happening right now,” she said. “That information doesn’t get out there enough.”

Key negotiation skills and considerations

Minder got pulled into his first ransomware negotiation in 2019 by accident and against his best intentions. “Somewhat reluctantly, I agreed to do more and then it sort of snowballed on us,” he said. “We didn’t really want to do this.”

Since then, Minder has been involved in hundreds of ransomware negotiations for major companies and small businesses who he volunteered to help in his personal time. 

There is no litmus test for what makes a good negotiator, but soft skills and emotional intelligence are critical, he said. 

“Empathy is one of the most important things,” Minder added. “Not sympathy — empathy — being able to effectively put yourself in the bad guys’ shoes is super powerful.”

As ransomware attacks have grown, so too has the mixed motivations of attackers attempting to extort victims for payment. 

Attacker volatility has increased in the past four years and complicated the considerations negotiators must heed in their response, said Lizzie Cookson, senior director of incident response at Coveware by Veeam. 

Some attackers are “eager to get paid, but they’re also in it for the notoriety, for the bragging rights, for the media attention,” said Cookson, who’s worked as ransomware negotiator for more than a decade. “That’s where we start to encounter more concerning behavior — more hostility, threat actors threatening violence, making threats against people’s family members.”

These cases, which occur much more often now, are more likely to result in broken promises — data leaks after a ransom was paid to avoid such an outcome or follow-on extortion demands, she said.

Indeed, cybercriminals consistently pull new threads to amplify the pressure they place on victims. This includes elements of physical extortion wherein ransomware groups call and threaten executives, claiming they know where the executives’ kids go to school, where they live and how they get to work, said Flashpoint CEO Josh Lefkowitz.

These threats put business leaders in precarious, unexpected positions that challenge their preconceived notions about how they’d respond to a cyberattack, Lefkowitz said. 

Ransomware negotiation requires practitioners to navigate between doing what’s necessary and what’s right, DiMaggio said. “The key is to treat every negotiation as a crisis with human consequences, not just a transaction.”

Negotiators reflect on previous cases

Ransomware negotiators tend to run through common checklists based on patterns they’ve experienced, but each incident is unique and requires some level of improvisation. 

Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, said ransomware operators, on the whole, are more trustworthy now than when he first got involved in negotiations in 2019. The practice, he said, has also improved because threat intelligence is more useful, making negotiations a data- driven effort.

Dowling separates ransomware operators into two groups: named and unnamed. Named groups are more trustworthy because they have a reputation to uphold, while unnamed groups are more likely to re-extort victims and deviate from the standards of ransomware negotiation, such as not providing proof of their claims.

Still, he said, most payments result in positive outcomes for the victims. The lowest payment Dowling has facilitated came in around $6,000, and the largest was about $8 million, he said. 

Some negotiations end abruptly without further incident. These cases typically involve charities or non-profits, according to Minder.

One case he worked on involved a charity that provided free screenings for breast cancer. In that incident, he simply asked the attackers: “Why are you doing this? These people don’t have any extra money.”

The attackers walked away after the organization agreed to pay a $5,000 ransom to cover what the ransomware group claimed amounted to costs it incurred to conduct the attack — a significant discount from their initial demand of $2 million.

When cases involving data extortion come to a close, negotiators will ask for proof the data was deleted, which is impossible to confirm. Some attackers, who are especially proud of their work will provide detailed reports about how they gained access — information that helps the victim and incident responders understand how and what occurred. 

Experts said the number of people involved in ransomware negotiations can be quite large when lawyers, insurance providers and law enforcement is involved. The duration of these back-and-forth compromises can last for a couple hours or up to three months.

Tactics define process for negotiation

Negotiators also employ generally similar strategies to achieve their client’s objectives at the lowest possible payment.

Threat intelligence on ransomware groups can guide negotiators toward a more gentle or aggressive approach, but in all cases “the threat actor, at the outset, has all the leverage,” Dowling said. 

“The leverage that you have is the threat actor wants to get paid. The only way they’re going to get paid is if you come to an agreement,” he added. 

Every ransomware negotiator CyberScoop spoke with remarked on the importance of delay. “Time is always our friend,” Cookson said. “Every day that passes after the initial incident is an opportunity for us to get more visibility so that they can make those decisions with a lot more confidence and make those decisions based on actual data, not based on fear and emotion.”

Initial outreach from negotiators working on behalf of a victim should be short and simple, allowing attackers to do most of the talking up front, Minder said. Negotiators should also avoid discussion of any financial numbers or positional bargaining as long as possible, he said.

Cursing or adopting combative language is a hard no-no for Minder as well. “There are ways to convey disappointment in the messages that aren’t fighting words,” he said. “They’re humans. They have egos, so you have to keep that in mind.”

Delay tactics are designed to get the attackers to question their own demand before the negotiator ever puts a number in writing, Minder said. 

Moreover, it’s not just about the money — ransomware operators are seeking validation, and a sense that they’re in control and winning, he said.

The worst outcomes involve victims that rush to make a payment, assuming that will make all the pain go away, Cookson said. 

Financial incentives present ethical challenges

Ransomware is a thriving criminal enterprise, amounting to a combined $2.1 billion in payments during the three-year period ending in December 2024 and about 3,000 total attacks in 2023 and 2024, according to the Treasury Department’s Financial Crimes Enforcement Network.

Businesses, of course, see opportunity in all of that activity and boutique firms have assembled teams to support victim organizations by engaging in ransomware negotiations on their behalf in the wake of attacks. 

This ancillary industry fosters additional ethical challenges, especially when there’s a built-in financial incentive for ransomware negotiations to occur and, in some cases, result in payments.

A general lack of transparency in billing puts the practices of some of these firms under heavier scrutiny. Some firms charge a flat fee or hourly rate, while others use a contingency model based on the percentage of the ransom reduction they’re able to achieve, DiMaggio said. 

“It’s not the norm across the industry, but it happens, and it introduces a clear conflict of interest,” he added. “When a negotiator’s income depends on the ransom outcome, it blurs the line between representing the victim and profiting from the crime.”

While some ransomware negotiation providers do, indeed, charge a small percentage off the ransom payment, victim organizations should avoid hiring any firm that employs that model, Elovitz said. 

“If you’re making a percentage of the payment, then at least there’s some financial incentive to not negotiate it down as far as you might otherwise,” he added. 

DiMaggio would like to see more clarity around how service providers set prices for ransomware negotiation. Absent that, he said, “the industry will keep living in a moral gray zone, one where good intentions can unintentionally sustain the very ecosystem we’re trying to dismantle.”

Rules of engagement don’t apply

Ransomware negotiation remains an ill-defined, largely unrestricted practice, absent any collective industrywide agreement on rules of engagement.

Any effort to define rules upon which the industry can coalesce could potentially pit competitors against one another, leaving room for those more willing to bend the norms an opportunity to win business by providing less scrupulous services.

Negotiators are effectively unfettered once they ensure they’re not breaking any laws by engaging with or sending money to sanctioned criminals.

Still, there’s an unmet need for checks and balances, oversight, transparency and a standardized set of rules for negotiators to follow without crossing any professional or personal lines. 

Part of the challenge with external oversight lies in the act of negotiation, an art that requires intermediaries to build limited trust with attackers spanning conversations that may not play well in the public sphere, Elovitz said. 

“Putting that under a microscope could inhibit the good guys more than the bad,” he said. Payments themselves, however, could benefit from more scrutiny, Elovitz added. 

Clarity in purpose should prevail above all of these factors. 

Protecting victims without empowering criminals is the first principle of ransomware negotiation, but that balance can’t be managed in the dark, DiMaggio said. 

“I’ve seen firsthand how the lack of oversight allows abuse from both sides of the table,” he said.

To prevent manipulation, DiMaggio called for a standardized framework, vetted negotiators, recorded and auditable communications and anonymized after-action reviews.

“Without accountability, the victims end up paying twice,” he said. “Once to the criminals, and again to the people who claim to save them.”

The scars from years spent as a ransomware negotiator brought Minder back to where his intuition was before he ever got involved. “I don’t believe this should be a business. I say that having been paid to do this,” he said. 

“It’s almost like a parasitic industry,” Minder said. “You’re profiting from victims.”

The post The thin line between saving a company and funding a crime appeared first on CyberScoop.

Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.

Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.

The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14. 

Goldberg and Martin confirmed in their respective plea agreements that the total losses caused by their crimes exceeded $9.5 million, according to federal court records. 

A spokesperson for DigitalMint said the company cooperated with the Justice Department throughout its investigation and supports the outcome as a step toward accountability. 

“We strongly condemn his actions, which were undertaken without the knowledge, permission or involvement of the company,” the spokesperson said in a statement. “His behavior is a clear violation of our values and ethical standards.”

Sygnia did not immediately respond to a request for comment.

Goldberg and Martin each pleaded guilty to one of the three counts brought against them — conspiracy to interfere with interstate commerce by extortion — effectively reducing their maximum penalty from 50 years in federal prison to 20 years. 

Victims impacted by the attacks over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia, according to the indictment.

Prosecutors said Goldberg, Martin and their co-conspirator received a nearly $1.3 million ransom payment from the medical company in May 2023, but did not successfully extort a financial payment from the other victims. 

Goldberg and Martin are each ordered to forfeit $342,000, which represents the value of proceeds traced to their crimes, according to their plea agreements. The court may also fine each of them up to $250,000 and additional restitution.

Officials said they will recommend reduced sentences for Goldberg and Martin as long as they make full, accurate and complete disclosures of their offenses and do not commit any further crimes. 

Goldberg and Martin “abused a position of public or private trust, or used a special skill, in a manner that significantly facilitated the commission or concealment” of their crimes, prosecutors said.

The unnamed co-conspirator, who also worked at DigitalMint, allegedly obtained an affiliate account on ALPHV, which the trio used to commit ransomware attacks.

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for last year’s attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

The crew is alleged to have stopped operations in March 2024.

The post Former incident responders plead guilty to ransomware attack spree appeared first on CyberScoop.

Federal prosecutors allege that three cybersecurity professionals, whose job was to help companies respond to ransomware attacks, instead carried out their own ransomware schemes against five U.S. businesses in 2023.

Ryan Clifford Goldberg, Kevin Tyler Martin and an unnamed co–conspirator — all U.S. nationals — began using ALPHV, also known as BlackCat, ransomware to attack companies in May 2023, according to indictments and other court documents in the U.S. District Court for the Southern District of Florida. 

At the time of the attacks, Goldberg was a manager of incident response at Sygnia, while Martin, a ransomware negotiator at DigitalMint, allegedly collaborated with Goldberg and another co-conspirator, who also worked at DigitalMint and allegedly obtained an affiliate account on ALPHV. 

The trio are accused of carrying out the conspiracy from May 2023 through April 2025, according to an affidavit. The Chicago Sun-Times was the first to report on the indictment.

Victims impacted by the attacks over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia. 

Goldberg, Martin and their co-conspirator received a nearly $1.3 million ransom payment from the medical company in May 2023, but did not successfully extort a financial payment from the other victims, prosecutors said. 

Sygnia confirmed Goldberg was formerly employed by the company. “Immediately upon learning of the situation, he was terminated,” the company said in a statement. 

Goldberg’s attorney declined to comment.

DigitalMint confirmed in a statement Monday that a former employee was indicted for organizing and participating in ransomware attacks. The company did not say when nor how it became aware of Martin and his co-worker’s alleged criminal activities, and did not describe the circumstances regarding the end of their employment.

“The charged conduct took place outside of DigitalMint’s infrastructure and systems. The co-conspirators did not access or compromise client data as part of the charged conduct,” the company said in a statement. “No one potentially involved in the charged scheme has worked at the company in over four months.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector. 

The group behind the ransomware strain also claimed responsibility for last year’s attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people. 

Goldberg and Martin were both indicted Oct. 2 for conspiring to interfere with commerce by extortion, interference with commerce by extortion, and intentional damage to a protected computer. 

Martin was arrested Oct. 14 and freed on a $400,000 bond Oct. 24. He pleaded not guilty and is prohibited from working in cybersecurity awaiting trial. Martin’s attorney did not immediately respond to a request for comment.

Goldberg was arrested Sept. 22 and ordered to remain in custody pending trial due to flight risk. Goldberg and his wife boarded a one-way flight to Paris from Atlanta on June 27 and remained in Europe until Sept. 21. When Goldberg flew directly from Amsterdam to Mexico City, he was arrested upon landing and deported to the United States.

Court records show Goldberg allegedly confessed he was recruited by the unnamed co-conspirator to “try and ransom some companies” during an interview with the FBI June 17. The FBI seized his devices that day.

According to authorities, Goldberg allegedly admitted that he conducted the attacks to get out of debt. He also allegedly told FBI agents that he and his two accomplices successfully extorted a ransom payment from the medical company, which earned him a $200,000 share.

Martin and Goldberg each face a maximum penalty up to 50 years in federal prison.

You can read the full indictment below.

The post Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks appeared first on CyberScoop.