Cybersecurity Experts Indicted for Running BlackCat Ransomware

Three cybersecurity professionals trusted to stop ransomware are now accused of being part of it. Federal prosecutors say the men worked as affiliates of the BlackCat ransomware group while employed at legitimate cybersecurity firms. The case exposes a deep insider threat that has shocked the global security community and raised serious questions about trust in the incident response industry.

The Accused and Their Roles

The defendants are Ryan Clifford Goldberg (Ryan Goldberg), 33, from Watkinsville, Georgia, Kevin Tyler Martin, 28, from Roanoke, Texas, and a third unnamed co-conspirator from Land O’Lakes, Florida. According to court records, the men used their legitimate positions at cybersecurity firms to gain knowledge of ransomware negotiation processes, payment methods, and victim vulnerabilities. This knowledge allegedly allowed them to identify potential targets and execute attacks through the BlackCat ransomware network.

Goldberg was Director of Incident Response at Sygnia Cybersecurity Services, where he managed corporate breach investigations and client communications. Martin and the unnamed co-conspirator worked for DigitalMint, a Chicago company that helps ransomware victims negotiate and process cryptocurrency payments. Both firms serve global enterprise clients and handle highly sensitive data. Prosecutors say this access gave the men the ability to exploit victims who trusted them to help during ransomware incidents.

Federal Charges and Penalties

The indictment was filed in the Southern District of Florida. The defendants face three major charges: conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to protected computers. Each extortion count carries up to 20 years in prison, while the computer damage charge adds another possible 10 years. Fines can reach $250,000 per count or twice the value of the criminal proceeds, along with full forfeiture of any profits from the attacks.

Investigators allege the group encrypted corporate networks, stole private data, and demanded multimillion-dollar payments. They used cryptocurrency mixers to conceal the origins of funds after ransom payments were received. Evidence shows that they acted as registered affiliates within the BlackCat ecosystem between 2023 and 2025.

The Alleged Ransomware Attacks

Between May 2023 and April 2025, the group carried out several targeted attacks on American companies in healthcare, engineering, and manufacturing. Each incident followed a familiar pattern involving data theft, encryption, and extortion through dark web negotiation panels controlled by BlackCat.

  • Victim 1. Tampa Medical Device Manufacturer (May 2023): Servers were encrypted and the company was told to pay $10 million to restore operations and stop stolen data from leaking. The attack froze production and prevented employees from accessing essential software. The company eventually paid $1.27 million in cryptocurrency, which was divided between the conspirators after paying a percentage to the BlackCat administrators.
  • Victim 2. Maryland Pharmaceutical Company (May 2023): Attackers stole research data and threatened to release it publicly. The ransom amount was undisclosed, and it is unknown if the victim paid. This case showed early use of double extortion tactics where attackers both encrypt and threaten to leak data.
  • Victim 3. California Medical Practice (July 2023): Patient records were locked and a $5 million ransom demanded. Healthcare organizations are often the hardest hit by ransomware because of the urgency of restoring access to patient information.
  • Victim 4. California Engineering Firm (October 2023): Goldberg later admitted involvement in this attack during questioning. The firm’s servers were encrypted and a $1 million ransom requested, but the payment failed.
  • Victim 5. Virginia Drone Manufacturer (November 2023): The attackers demanded $300,000. Because the company produced hardware for defense contractors, investigators noted that this breach could have had national security implications.

Inside the BlackCat Operation

BlackCat, also known as ALPHV, is one of the most sophisticated ransomware groups in the world. It operates as a ransomware-as-a-service platform where affiliates rent access to its malware in exchange for a percentage of ransom proceeds. Affiliates perform the intrusions and handle victim negotiations through portals hosted on the Tor network.

By mid-2023, BlackCat had compromised more than 1,000 organizations and collected around $300 million in ransom payments. It gained a reputation for professionalism, advanced encryption techniques, and aggressive targeting of healthcare and infrastructure systems. The FBI and international law enforcement agencies consider it one of the most organized cybercriminal groups active today.

Investigators say the accused obtained affiliate credentials that allowed them to use BlackCat’s private control panel. From there, they could encrypt data, upload stolen files, and communicate with victims through anonymous chat channels. Their experience as professional negotiators allegedly helped them maximize the pressure on victims and adjust demands based on company size and revenue.

How the FBI Caught Them

The investigation began when several ransomware victims reported patterns of attack that closely matched information only known to their incident response providers. The FBI identified overlapping data from DigitalMint and Sygnia clients, which led to the suspects. On June 17, 2025, federal agents interviewed Goldberg. He first denied involvement but later confessed, saying he joined the conspiracy to escape personal debt after being recruited by a DigitalMint colleague.

Goldberg admitted that he, Martin, and their partner successfully ransomed the Tampa medical device manufacturer. He told agents that after receiving payment, they laundered the cryptocurrency through mixers and multiple wallets. Digital forensics teams recovered messages, transaction records, and BlackCat configuration files from devices seized during searches. These artifacts linked the defendants directly to the ransomware operations.

Flight to Europe and Arrest

Ten days after his interview, Goldberg purchased one-way tickets to Paris for himself and his wife. They departed from Atlanta on June 27, 2025. Investigators believe the trip was an attempt to flee prosecution. He remained in Europe for several months before being detained and extradited to the United States. Goldberg remains in federal custody. Martin was arrested in Texas and released on bond pending trial.

Industry and Company Reactions

DigitalMint and Sygnia both released statements denying any connection to the attacks. DigitalMint said Martin’s actions occurred completely outside of his employment and emphasized that no client data was compromised. Sygnia confirmed that Goldberg was immediately terminated and that the company continues to cooperate with federal investigators.

The incident has severely damaged public trust in ransomware recovery firms. These companies manage negotiations with cybercriminals and handle large cryptocurrency transfers, often under intense pressure. Experts now warn that without oversight or licensing, individuals with insider access can exploit clients rather than protect them.

Wider Impact and Lessons for Cybersecurity

The case highlights the growing threat of insider abuse within cybersecurity firms. Individuals trained to defend against ransomware possess the same skills needed to carry out attacks, and their positions give them unmatched access to sensitive information. The charges against Goldberg and Martin reveal how the line between defender and attacker can blur when money and opportunity collide.

Analysts expect that this case will lead to tighter hiring standards, background checks, and monitoring for anyone working in ransomware recovery. Some experts have called for licensing requirements for negotiators and mandatory reporting of ransom payments. Regulators may also consider audits for firms that handle cryptocurrency transactions on behalf of clients.

Despite global crackdowns on major ransomware operations, including BlackCat and LockBit, attacks continue to rise. The events described in this indictment are a warning that even within the cybersecurity community, corruption can undermine defense efforts. When those tasked with protecting victims become the attackers themselves, the damage to public trust is almost impossible to repair.

Ryan Clifford Goldberg remains in federal custody while awaiting trial. Kevin Tyler Martin has pleaded not guilty. The unnamed Florida co-conspirator has not been publicly charged. The case, listed under number 25-CR-20443-MOORE/D’ANGELO in the Southern District of Florida, is expected to set a precedent for how insider threats within cybersecurity firms are prosecuted in the future.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
