ALPHV/BlackCat

Ransomware-as-a-service group shut down by law enforcement in December 2023; IR professionals Ryan Goldberg and Kevin Martin pleaded guilty to using it against US victims.

Last refreshed: 17 April 2026

Key Question

How did incident-response professionals end up using ransomware against their own clients?

Common Questions
What is ALPHV BlackCat ransomware?
ALPHV/BlackCat was a Rust-based ransomware-as-a-service operation shut down by the FBI in December 2023. It was used in the 2023 Change Healthcare attack and, in a 2026 DOJ case, was the tool used by two incident-response professionals to extort US victims. Source: FBI / DOJ
How were IR professionals using ransomware against clients?
Ryan Goldberg of Sygnia and Kevin Martin of DigitalMint used ALPHV/BlackCat against US victims between April and December 2023 by leveraging their privileged access as incident responders and ransomware negotiators. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Source: DOJ

Background

ALPHV/BlackCat was a ransomware-as-a-service (RaaS) operation shut down by the FBI and international partners in December 2023. Its criminal legacy resurfaced in a DOJ prosecution in which Ryan Goldberg, an incident-response professional at Sygnia, and Kevin Martin, a ransomware negotiator at DigitalMint, pleaded guilty to conspiracy to obstruct commerce by extortion for using ALPHV/BlackCat against US victims between April and December 2023. Sentencing was scheduled for 12 March 2026.

ALPHV/BlackCat was notable in the ransomware ecosystem for several reasons: it was written in Rust, making cross-platform deployment to Windows, Linux and ESXi possible without recompilation; it operated a sophisticated leak site with victim-pressure capabilities; and it was the ransomware family used in the 2023 Change Healthcare attack that disrupted US healthcare billing infrastructure for months. OFAC sanctioned the group's operator networks alongside the FBI's December 2023 disruption action.

The Goldberg and Martin case introduced a new attack surface into the IR industry: insider abuse of pre-existing victim relationships by personnel with privileged access. For buyers of IR and ransomware negotiation services, the case extends due diligence requirements beyond technical competence to personnel-control verification at firms with access to victim environments.