Cyber responders charged in alleged BlackCat ransomware scheme
Federal prosecutors say three cybersecurity pros—people who spend their days helping companies bounce back from ransomware attacks—were actually running their own extortion scheme on the side, using the ALPHV/BlackCat ransomware platform.
According to an indictment filed in the U.S. District Court for the Southern District of Florida, the accused, identified as Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator, carried out a series of attacks beginning in May 2023 and continuing through April 2025. Goldberg was then an incident response manager at the firm Sygnia, while Martin and the other conspirator were affiliated with the ransomware negotiating firm DigitalMint.
Prosecutors say the group attacked at least five U.S.-based organizations in 2023. Their targets reportedly included a medical device company in Florida, a pharmaceutical firm in Maryland, a doctor’s office in California, a California-based engineering company, and a drone manufacturer in Virginia. Only the medical device company appears to have paid; it reportedly handed over a ransom of $1.27 million.
In the aftermath of the indictment, both firms confirmed that the employees involved have been terminated. As first reported by CNN, Sygnia said it terminated Goldberg’s employment immediately upon learning of the situation while DigitalMint said the conduct took place outside its infrastructure and systems.
BlackCat and the risk from RaaS
The alleged scheme was carried out using ALPHV/BlackCat, one of the most active and sophisticated ransomware families, first observed in November 2021. It’s the same ransomware responsible for the Change Healthcare cyberattack as well as numerous high-profile intrusions globally across manufacturing, technology, and critical infrastructure.
BlackCat uses a ransomware-as-a-service (RaaS) model that allows affiliates to rent the malware, run attacks, and take a share of the ransom while the core group maintains the platform. This structure has lowered the barrier to conducting destructive cyberattacks while complicating attribution and defense. Its tools are written in Rust, giving them speed and cross-platform capability, and the core group supports affiliates with leak sites, encryption payloads, and extortion infrastructure.
BlackCat attacks frequently rely on credential theft, remote access exploitation, data exfiltration, and double extortion tactics, encrypting systems while threatening to leak stolen data if ransom demands are not met.
This backdrop helps explain why the alleged betrayal by seasoned incident response professionals is particularly disturbing. Organizations already operating under high threat are placing trust in outside experts to help them recover. If those experts become threat actors, the damage can be far greater in financial, operational, and reputational terms.
Playing defense is harder than ever
For companies that rely on outside incident response firms, the case raises hard questions about vendor management. How thoroughly should companies vet the backgrounds, motivations, and oversight of the teams they call after a breach? Should firms be required to maintain strict separation between roles to minimize risk of abuse?
For regulators and law enforcement, the indictment may increase pressure to scrutinize not only the core ransomware groups and their malware developers but also the surrounding ecosystem of negotiators, consultants, and response firms. There is growing awareness that the risk surface extends beyond external attackers and includes the people entrusted with remediation.
Some in the cybersecurity community say this moment may influence how companies select and monitor their defensive partners. Zero trust may become as much a mandate for outside consultants as it is for internal networks. Firms may adopt stricter background checks, stronger auditing, enforced separation of duties, and periodic reassessments of contractor trustworthiness.
Why is ransomware so hard to stamp out?
The case also highlights the resilience and adaptability of the ransomware-as-a-service ecosystem. BlackCat’s model, along with others like it, lowers the threshold for launching a major cyberattack. A professional with legitimate credentials or defensive experience may become an attacker with relative ease, expanding the pool of potential threats. That dynamic complicates traditional defense strategies that focus primarily on external adversaries.
Even as law enforcement efforts have disrupted some ransomware operations, the willingness of insiders to exploit their positions underscores the difficulty of fully eliminating the threat.
As the case moves forward in court, companies and their security teams are likely to reassess how they contract and oversee outside incident response firms. Regulators may consider stronger guidelines around vendor due diligence, auditing, and accountability in breach response.
Longer term, the case could prompt a shift in the cybersecurity industry’s ethical and operational norms, particularly around whether recovery, negotiation, and remediation services should be handled with the same caution that organizations apply to external threat actors.
The incident may also accelerate investment in technology-driven defenses. Researchers have recently proposed tools designed to detect ransomware in real time, isolate malicious payloads, and disrupt encryption processes, such as a system that redirects ransomware toward false encryption data in order to exhaust attacker resources.
For now, the maxim “trust but verify” may take on a more serious meaning for organizations facing ransomware risks. The window for blind trust has effectively closed, especially given the structure of modern ransomware operations.