OrganisationRU

ALPHV

Russian-affiliated ransomware-as-a-service group; two IR professionals pleaded guilty in 2026 to using ALPHV to extort US victims.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How did cybersecurity professionals use ALPHV ransomware against the victims they were hired to help?

Timeline for ALPHV

#117 Apr

IR staff pleaded guilty to using ALPHV

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What is ALPHV BlackCat ransomware?: ALPHV/BlackCat was a ransomware-as-a-service operation active from November 2021 to December 2023. It used a Rust-based encryptor and an affiliate programme, and was disrupted by the FBI in December 2023.Source: FBI / DOJ
How did cybersecurity staff use ALPHV against their own clients?: Ryan Goldberg (Sygnia IR) and Kevin Martin (DigitalMint, ransomware negotiator) pleaded guilty in 2026 to using ALPHV against US victims between April and December 2023, exploiting their insider access to victim relationships established through professional engagements.Source: DOJ plea documents 2026
Is ALPHV BlackCat still active?: ALPHV itself shut down following the FBI disruption in December 2023 and an exit scam against affiliates. Former ALPHV affiliates migrated to other RaaS platforms. The BlackCat branding has not been used for confirmed new operations since early 2024.Source: FBI / DOJ

Background

ALPHV, also known as BlackCat, was a ransomware-as-a-service (RaaS) operation active from November 2021 until its disruption by the FBI and DOJ in December 2023. The group operated a Rust-based ransomware encryptor and a leak site, and ran an affiliate programme that allowed external operators to deploy the malware for a revenue share. At its peak ALPHV was one of the most active RaaS platforms globally, responsible for attacks on healthcare, critical infrastructure and energy targets including the February 2024 Change Healthcare compromise.

In a development disclosed in early 2026, Ryan Goldberg, a 40-year-old Incident Response professional at Sygnia, and Kevin Martin, a 36-year-old ransomware negotiator at DigitalMint, pleaded guilty to conspiracy to obstruct commerce by extortion for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023. Sentencing was scheduled for 12 March 2026. The case is exceptional because both defendants held professional positions in the Incident Response and negotiation ecosystem, using their privileged insider access to victim relationships to extort the organisations they were engaged to help.

ALPHV's disruption by the FBI in December 2023 was followed by the group attempting to conduct an exit scam against its own affiliates before shutting down. The ALPHV branding was subsequently used by some affiliates who migrated to other RaaS platforms. The Goldberg-Martin prosecution demonstrates that the RaaS ecosystem's most severe risk for buyers of IR services may come from within the Incident Response supply chain rather than from external actors.

How the World Sees Them

IR industry

Professional associations have flagged the case as a due-diligence concern. Buyers of IR services are reconsidering personnel-vetting requirements for incident responders and negotiators.

United States

DOJ and FBI led the December 2023 disruption operation. The Goldberg-Martin case represents a rare insider prosecution within the IR supply chain.

Ransomware ecosystem

ALPHV's disruption fragmented its affiliate base. The Exit scam against affiliates accelerated migration to LockBit, DragonForce and newer RaaS platforms.