
ALPHV/BlackCat
Ransomware-as-a-service group shut down by law enforcement in December 2023; IR professionals Ryan Goldberg and Kevin Martin pleaded guilty to using it against US victims.
Last refreshed: 17 April 2026
How did incident-response professionals end up using ransomware against their own clients?
Timeline for ALPHV/BlackCat
Mentioned in: Crews now cross-claim each rival victim
Cybersecurity: Threats and DefencesMentioned in: IR staff pleaded guilty to using ALPHV
Cybersecurity: Threats and DefencesWhat is ALPHV BlackCat ransomware?
How were IR professionals using ransomware against clients?
Background
ALPHV/BlackCat was a ransomware-as-a-service (RaaS) operation shut down by the FBI and international partners in December 2023. Its criminal legacy resurfaced in a DOJ prosecution in which Ryan Goldberg, an incident-response professional at Sygnia, and Kevin Martin, a ransomware negotiator at DigitalMint, pleaded guilty to conspiracy to obstruct commerce by extortion for using ALPHV/BlackCat against US victims between April and December 2023. Sentencing was scheduled for 12 March 2026.
ALPHV/BlackCat was notable in the ransomware ecosystem for several reasons: it was written in Rust, making cross-platform deployment to Windows, Linux and ESXi possible without recompilation; it operated a sophisticated leak site with victim-pressure capabilities; and it was the ransomware family used in the 2023 Change Healthcare attack that disrupted US healthcare billing infrastructure for months. OFAC sanctioned the group's operator networks alongside the FBI's December 2023 disruption action.
The Goldberg and Martin case introduced a new attack surface into the IR industry: insider abuse of pre-existing victim relationships by personnel with privileged access. For buyers of IR and ransomware negotiation services, the case extends due diligence requirements beyond technical competence to personnel-control verification at firms with access to victim environments.