
ALPHV
Russian-affiliated ransomware-as-a-service group; two IR professionals pleaded guilty in 2026 to using ALPHV to extort US victims.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How did cybersecurity professionals use ALPHV ransomware against the victims they were hired to help?
Timeline for ALPHV
Mentioned in: Crews now cross-claim each rival victim
Cybersecurity: Threats and DefencesMentioned in: Three supply-chain hits in thirteen days
Cybersecurity: Threats and DefencesIR staff pleaded guilty to using ALPHV
Cybersecurity: Threats and DefencesWhat is ALPHV BlackCat ransomware?
How did cybersecurity staff use ALPHV against their own clients?
Is ALPHV BlackCat still active?
Background
ALPHV, also known as BlackCat, was a ransomware-as-a-service (RaaS) operation active from November 2021 until its disruption by the FBI and DOJ in December 2023. The group operated a Rust-based ransomware encryptor and a leak site, and ran an affiliate programme that allowed external operators to deploy the malware for a revenue share. At its peak ALPHV was one of the most active RaaS platforms globally, responsible for attacks on healthcare, critical infrastructure and energy targets including the February 2024 Change Healthcare compromise.
In a development disclosed in early 2026, Ryan Goldberg, a 40-year-old Incident Response professional at Sygnia, and Kevin Martin, a 36-year-old ransomware negotiator at DigitalMint, pleaded guilty to conspiracy to obstruct commerce by extortion for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023. Sentencing was scheduled for 12 March 2026. The case is exceptional because both defendants held professional positions in the Incident Response and negotiation ecosystem, using their privileged insider access to victim relationships to extort the organisations they were engaged to help.
ALPHV's disruption by the FBI in December 2023 was followed by the group attempting to Conduct an exit scam against its own affiliates before shutting down. The ALPHV branding was subsequently used by some affiliates who migrated to other RaaS platforms. The Goldberg-Martin prosecution demonstrates that the RaaS ecosystem's most severe risk for buyers of IR services may come from within the Incident Response supply chain rather than from external actors.