Ryan Goldberg

Sygnia incident-response professional who pleaded guilty to using ALPHV/BlackCat ransomware against US victims while working in the IR industry.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How did an incident-response professional use his clients' trust to extort them?

Common Questions
Who is Ryan Goldberg and what did he do?
Ryan Goldberg was an incident-response professional at Sygnia who pleaded guilty to using ALPHV/BlackCat ransomware against US victims between April and December 2023, exploiting his privileged position and client relationships. Sentencing was scheduled for March 2026. Source: DOJ

Background

Ryan Goldberg, aged 40, worked as an incident-response professional at Sygnia, a cybersecurity firm, when he conspired with Kevin Martin to use the ALPHV/BlackCat ransomware family against US victims between April and December 2023. Both pleaded guilty to conspiracy to obstruct commerce by extortion; sentencing was scheduled for 12 March 2026. The DOJ prosecution established that Goldberg leveraged his privileged position and pre-existing victim-organisation relationships as an IR professional to extort the organisations he was engaged to help.

Sygnia is a Tel Aviv-based cybersecurity firm with a significant Incident Response practice. Goldberg's role gave him privileged access to victim environments, existing trust relationships with client security teams, and knowledge of victim vulnerability and negotiation posture. The DOJ case is the first high-profile prosecution of an IR professional for insider ransomware abuse.

For buyers of IR services, the Goldberg case has redefined due diligence requirements. The question is no longer only whether an IR firm has the technical capability to respond to a breach; it is whether the firm has personnel-control mechanisms to prevent its own staff using their privileged access against clients. Background-check standards, access-logging for incident-response engagements, and contractual personnel-screening obligations are now reasonable due-diligence asks.