When Defenders Become Attackers: Cybersecurity Professionals Charged in $1.3 Million ALPHV Ransomware Scheme

Tags: Insider Threat, ALPHV / BlackCat, Ransomware-as-a-Service

Federal prosecutors have brought an extraordinary case that flips the usual ransomware story on its head: instead of criminal hackers breaking into U.S. businesses, it is trusted cybersecurity professionals who allegedly deployed the ALPHV/BlackCat ransomware and helped extort more than $1.3 million from a Florida medical company.

This case is more than a true-crime headline. It’s a flashing red warning for CISOs and security leaders: the people who know your defenses best can also break them most efficiently. Below is a structured analysis of the case, the threat actor (ALPHV), the legal implications, and, most importantly, what organizations must do to defend against insider-enabled ransomware.


1. Case Overview: Defenders Allegedly Turned Attackers

According to indictments filed in the U.S. District Court for the Southern District of Florida, three U.S. nationals, all working in or adjacent to professional cybersecurity roles, are accused of conspiring to conduct ALPHV/BlackCat ransomware attacks between May 2023 and April 2025.

1.1 The Key Defendants

  • Ryan Clifford Goldberg – Director of Incident Response at Sygnia Cybersecurity Services. His day job: help victims of ransomware recover. Prosecutors say he used that expertise to help launch it.
  • Kevin Tyler Martin – Ransomware negotiator at DigitalMint, a role that gave him direct exposure to how ransom payments are initiated, negotiated, and settled.
  • Unnamed DigitalMint co-conspirator – Reportedly secured an ALPHV affiliate account, giving the trio technical access to the RaaS platform.

The group allegedly targeted five U.S. organizations: a Florida medical company, a Maryland pharma firm, a California doctor’s office, a California engineering firm, and a Virginia drone manufacturer. Only the medical organization paid, wiring $1.3 million. Goldberg’s cut was reportedly about $200,000.

Why this matters: This is not “rogue IT staff”; it’s incident response and ransomware negotiation talent. That makes this an unusually high-risk insider scenario for the entire industry.

2. What Is ALPHV/BlackCat, and Why Did They Use It?

ALPHV/BlackCat is one of the most capable ransomware-as-a-service (RaaS) operations to emerge since late 2021. It was among the first major families written in Rust, making it fast, flexible, and portable across Windows and Linux environments.

2.1 Triple-Extortion Model

ALPHV became popular with affiliates because it gave them multiple levers to pressure victims:

  1. Encryption of local data and servers
  2. Data exfiltration and the threat to leak it on ALPHV’s data site
  3. DDoS attacks against victims that refuse to pay

This layered threat model is especially powerful against healthcare and manufacturing sectors that cannot afford extended downtime.

2.2 Track Record of Damage

By late 2023, the FBI assessed that ALPHV/BlackCat had hit more than 1,000 victims and collected close to $300 million in ransom payments. The group was also linked to the Change Healthcare incident, one of the most disruptive attacks in U.S. health history, costing UnitedHealth an estimated $872 million in direct response and recovery.


3. Why This Case Is Different: The Insider Advantage

Most ransomware cases pit outside attackers against defenders. Here, prosecutors say people with inside-the-SOC knowledge crossed the line.

3.1 Insider Capabilities Alleged in This Case

  • Knowledge of IR Playbooks: Goldberg, as an IR lead, would know what logs get pulled first, how fast EDR responds, and which systems are most sensitive.
  • Negotiation Intelligence: Martin’s day job involved seeing what victims are willing to pay and how they make that decision: invaluable data for an attacker.
  • Access to RaaS: The unnamed co-conspirator allegedly secured an ALPHV affiliate account, giving them a functioning criminal infrastructure without building malware.
  • Operational Security Awareness: Security professionals know how attackers get caught, and that knowledge can make detection harder if monitoring is weak.

3.2 Motivation: Financial Pressure

Goldberg reportedly told the FBI he did it “to get out of debt.” That matters. It tells us that financial stress + privileged access + technical confidence is a real risk combination — even in senior roles.


4. Charges, Custody, and Flight Risk

Both named defendants face serious federal counts:

  • Conspiracy to interfere with commerce by extortion
  • Interference with commerce by extortion
  • Intentional damage to a protected computer

Each carries hefty maximums — up to 50 years if convicted on all counts.

4.1 Arrests and Detention

  • Martin was arrested Oct. 14, 2024, released on a $400,000 bond, and barred from working in cybersecurity.
  • Goldberg was arrested Sept. 22, 2024, after allegedly trying to flee via Europe and Mexico. Because of that attempted flight, he remains in custody.
  • The FBI seized devices and reportedly obtained a confession from Goldberg during a June 17, 2024 interview.

Defendant              | Role                          | Status
R.C. Goldberg          | Director of Incident Response | In custody (flight risk)
K.T. Martin            | Ransomware Negotiator         | Released on $400k bond
Unnamed Co-conspirator | ALPHV affiliate access        | Not fully unsealed

5. Company Responses: Sygnia and DigitalMint

Sygnia confirmed that Goldberg was employed there and said he was terminated immediately upon learning of the situation. That is a textbook response, but it still raises questions about ongoing high-risk employee monitoring.

DigitalMint confirmed a former employee was indicted and emphasized:

  • The activity occurred outside company systems
  • No client data was accessed
  • Individuals involved had already left the company

However, the timeline of when the company became aware remains unclear — a reminder that communication transparency is part of incident trust-building.


6. What This Means for CISOs: Insider-Facilitated Ransomware Is Now a Real Scenario

This case should be immediately folded into enterprise threat modeling. The traditional “external attacker → phishing → lateral movement → ransomware” chain is no longer the only high-probability path.

6.1 Controls to Reduce Insider Ransomware Risk

  • Rigorous pre-employment vetting for IR, SOC, and payment/crypto-adjacent roles
  • Continuous access review — enforce least privilege and time-bound access for high-risk functions
  • UEBA / behavioral analytics to flag unusual encryption tools, RaaS TTPs, or off-hours access
  • Segregation of duties — the person who negotiates ransoms should not be the person who can deploy incident tooling
  • Financial wellness and ethics programs for cyber staff (yes, this matters here)

Tip: Add “insider-enabled ransomware” to your next tabletop exercise. Force the team to respond when the attacker already knows your IR runbook.

7. Ransomware Defense Best Practices (External + Insider)

These align with CISA’s StopRansomware and the FBI’s ransomware guidance:

7.1 Proactive

  • MFA on all remote, admin, and financial systems
  • Patch management with SLA tiers for internet-facing assets
  • Network and identity segmentation (limit blast radius)
  • 3-2-1 backup strategy with immutable/offline copies
  • Advanced email and file-based threat detection

7.2 Detection & Response

  • EDR/XDR with behavioral ransomware detection
  • SOAR-driven auto-isolation of suspicious endpoints
  • Integrate threat intel on ALPHV/BlackCat and successor brands
  • Run quarterly ransomware tabletop exercises

8. Economic and Industry Impact

Ransomware recovery costs averaged $2.7M in 2024 (rebuild, forensics, legal, downtime). Insider participation makes attacks faster and more targeted, raising potential damages.

Law enforcement, through operations like the LockBit disruptions and the earlier ALPHV takedown, has had success, but RaaS ecosystems rebrand quickly. That means organizations can’t rely on takedowns alone.


9. Lessons Learned & What to Do Now

  1. Update insider threat models to explicitly include IR, SOC, and crypto-payments staff.
  2. Instrument your environment so encryption tooling, mass file changes, or ALPHV-like behavior triggers immediate alerts.
  3. Review contracts with third-party IR/forensics providers to include ethics, background-check, and notification clauses.
  4. Educate executives that not all ransomware is “Russia over VPN”; sometimes it’s a U.S. citizen with credentials.
  5. Stay aligned to NIST CSF / CIS Controls for defensible posture.
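One way to implement the “mass file changes” alerting in lesson 2 above (and the UEBA-style flagging of unusual encryption activity in section 6.1), as an added example that is not part of this article or of any product or indictment it mentions: a sliding-window burst detector run over constructed file-event log lines. The log format, the thresholds, the allowlist of common extensions, and the “.locked” extension in the sample are all assumptions made for illustration.

```python
# Added example: flag a principal that performs a burst of file renames/writes,
# the ransomware-like "mass file change" signal the article recommends alerting on.
# Log format, thresholds and sample data are constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass

# Extensions that are normal to see written/renamed in bulk (assumption).
COMMON_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "log", "tmp"}

@dataclass(frozen=True)
class Alert:
    user: str
    count: int             # events inside the window when the threshold was crossed
    window_start: int      # epoch seconds of the oldest event in the window
    window_end: int        # epoch seconds of the event that crossed the threshold
    odd_extensions: tuple  # extensions seen in the burst that are not in the allowlist

def parse_event(line):
    """Constructed line format: '<epoch_seconds> <user> <ACTION> <path>'."""
    ts, user, action, path = line.split(maxsplit=3)
    return int(ts), user, action, path

def detect_bursts(lines, threshold=8, window=60):
    """Return one Alert per user the first time that user has `threshold` or more
    RENAME/WRITE events within any `window`-second span. Lines must be time-sorted."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, extension)
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, path = parse_event(line)
        if action not in ("RENAME", "WRITE"):
            continue                      # reads and other actions are not counted
        filename = path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        q = recent[user]
        q.append((ts, ext))
        while ts - q[0][0] > window:      # evict events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            odd = tuple(sorted({e for _, e in q} - COMMON_EXTENSIONS))
            alerts.append(Alert(user, len(q), q[0][0], ts, odd))
            alerted.add(user)             # one alert per user, not one per event
    return alerts

# Constructed sample: bob edits a few spreadsheets over several hours (benign);
# alice renames ten documents to a new ".locked" extension within 30 seconds.
SAMPLE_LOG = (
    ["1700000000 bob WRITE /share/finance/q3.xlsx",
     "1700003600 bob WRITE /share/finance/q3.xlsx",
     "1700007200 bob READ /share/finance/q4.xlsx"]
    + [f"{1700010000 + 3 * i} alice RENAME /share/hr/file{i}.docx.locked" for i in range(10)]
    + ["1700010040 bob WRITE /share/finance/q4.xlsx"]
)
```

In a real deployment the detector would be fed from file-audit or EDR telemetry and tuned per share; the odd_extensions field is what distinguishes a bulk rename by a backup job from a bulk rename that changes every file’s extension.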

12. FAQs

Was this really an insider ransomware case?

Yes. Prosecutors allege people employed in legitimate cybersecurity/crypto roles used that access and knowledge to run ALPHV attacks. That’s what makes it noteworthy.

Why is ALPHV/BlackCat frequently in federal advisories?

Because it was prolific, technically mature, and used aggressive triple-extortion. Even after FBI disruptions, affiliates tend to migrate to similar RaaS platforms.

Should organizations change their hiring practices?

Not to make them punitive, but high-access cyber roles should include deeper background checks, periodic re-screening, and stronger activity monitoring.

Should victims pay ransoms?

Law enforcement and CISA strongly discourage payment because it funds criminal activity and offers no guarantee of data deletion. Resilience (backups, segmentation) is the preferred path.


Disclaimer: This article is an analysis based on publicly available indictments and U.S. law enforcement reporting. All defendants are presumed innocent until proven guilty in a court of law. This content is for informational and security-awareness purposes only and is not legal advice.