Cybersecurity: Threats and Defences
30 Apr

IR staff pleaded guilty to using ALPHV

08:16 UTC

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.

Key takeaway

Incident-response vendor diligence now has to cover the vendor's own personnel as a threat class.

The US Department of Justice (DOJ) secured guilty pleas from two cybersecurity professionals for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023 [1]. Ryan Goldberg, 40, worked at Israeli incident-response firm Sygnia. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a firm whose product is helping victims buy their way out of exactly this kind of attack. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Sentencing was scheduled for 12 March 2026. ALPHV/BlackCat is the ransomware-as-a-service family that US Treasury previously sanctioned and that operated the Colonial Pipeline-era model of breach, encrypt and extort.

The surprise was not that external attackers compromised incident-response firms. It was that the incident responders and the negotiator used their own privileged access, including pre-existing victim relationships, to extort the organisations they were paid to help. A ransomware negotiator sits in the middle of a client's worst week: privy to the executive committee's willingness to pay, the internal assessment of what was actually encrypted, and the addresses of the wallets. Those are the data points a ransomware affiliate would otherwise spend weeks collecting.

For buyers of Incident Response (IR) services, the due-diligence conversation has now shifted. "Does this vendor have the technical skills" is no longer the difficult question. The difficult question is whether the vendor has the personnel controls (background checks, privilege segmentation and activity monitoring) to stop its own staff from using their access against the client. That is a different kind of audit from the one cyber insurance underwriters and general counsels have been running to date.

Deep Analysis

In plain English

Ransomware is a type of criminal attack in which hackers lock a victim's computer files and demand money to unlock them. When this happens to a company, it often hires specialist firms: incident responders who investigate the attack, and negotiators who bargain with the criminals over the ransom amount. Ryan Goldberg worked at Sygnia, an incident-response firm. Kevin Martin worked at DigitalMint, a ransomware negotiation company. Between April and December 2023, the two men conducted ransomware attacks against US businesses using a tool called ALPHV, also known as BlackCat. In some cases they then appeared in a professional capacity in the aftermath. Both pleaded guilty in early 2026. The case is significant because the perpetrators were meant to be the defenders, and they used their professional access and knowledge to identify and attack targets.

Root Causes

Incident response and ransomware negotiation firms obtain pre-existing relationship access to victim organisations during legitimate engagements: they may have standing access to client networks, knowledge of backup infrastructure locations, and awareness of existing cyber insurance policy limits, all of which are operationally useful for conducting a subsequent ransomware attack.
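The practical counter to standing vendor access is to make it time-bound and scoped, then audit vendor identities against the engagement register. The script below is an added example written for this briefing; it is not code from either firm named above or from the DOJ filing. The vendor name, engagement dates, network ranges and log lines are all constructed for illustration, and the log format (timestamp, vendor identity, target asset, action) is an assumption about what an access log would carry.

```python
"""Audit incident-response vendor activity against an engagement register.

Added example for this briefing, not code from any firm it names.
Assumes a constructed access-log format: <ISO-8601 UTC ts> <identity> <asset IP> <action>.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """One contracted IR engagement: who, when, and which networks they may reach."""
    vendor: str
    start: datetime
    end: datetime
    scope: tuple  # ip_network objects the vendor is allowed to touch


# Constructed engagement register (hypothetical vendor name, dates and ranges).
ENGAGEMENTS = [
    Engagement(
        vendor="ir-vendor-a",
        start=datetime(2023, 6, 1, tzinfo=timezone.utc),
        end=datetime(2023, 6, 15, tzinfo=timezone.utc),
        scope=(ip_network("10.20.0.0/16"),),
    ),
]

# Constructed log lines. Two are legitimate; one is after the engagement
# ended; one is inside the window but reaches an out-of-scope asset.
SAMPLE_LOG = """\
2023-06-03T14:02:11Z ir-vendor-a@ext 10.20.4.17 ssh-login
2023-06-10T09:15:40Z ir-vendor-a@ext 10.20.9.3 file-read
2023-06-28T02:41:09Z ir-vendor-a@ext 10.20.4.17 ssh-login
2023-06-12T22:05:33Z ir-vendor-a@ext 10.50.1.8 smb-mount
"""


def parse_line(line):
    """Split one log line into (timestamp, vendor, asset, action)."""
    ts, ident, asset, action = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    vendor = ident.split("@", 1)[0]  # drop the realm suffix
    return when, vendor, ip_address(asset), action


def audit(log_text, engagements):
    """Return (timestamp, vendor, asset, reason) for every out-of-contract event.

    An event is acceptable only if some engagement for that vendor is active
    at the event time AND its scope contains the asset. Anything else is a
    finding, which is the signal a client would want on a vendor identity.
    """
    findings = []
    for line in log_text.splitlines():
        when, vendor, asset, action = parse_line(line)
        active = [e for e in engagements
                  if e.vendor == vendor and e.start <= when <= e.end]
        if not active:
            findings.append((when, vendor, str(asset), "no active engagement at this time"))
        elif not any(asset in net for e in active for net in e.scope):
            findings.append((when, vendor, str(asset), "asset outside agreed scope"))
    return findings


if __name__ == "__main__":
    for when, vendor, asset, reason in audit(SAMPLE_LOG, ENGAGEMENTS):
        print(f"{when.isoformat()} {vendor} -> {asset}: {reason}")
```

Run against the constructed sample, the audit flags the 28 June login (engagement ended on the 15th) and the 12 June mount of 10.50.1.8 (outside the 10.20.0.0/16 scope), and passes the other two. The same check works for a negotiator's read access to a case file system if the "asset" column is a document store rather than an IP; the point is that vendor identities get no access that is not tied to a dated, scoped engagement, and that the client, not the vendor, holds the register being checked.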

The ransomware negotiation sector in the US has grown rapidly since 2019 with no regulatory framework. DigitalMint, where Martin worked, is a cryptocurrency payments facilitator that expanded into negotiation; Sygnia, where Goldberg worked, is a well-regarded Israeli IR firm with US operations. Neither firm had mechanisms to detect that their own employees were conducting the ransomware attacks they were subsequently paid to negotiate.

What could happen next?
  • Risk

    Any organisation that engaged incident response or ransomware negotiation services during 2023 should verify whether Goldberg or Martin had any involvement and whether those firms have audited their personnel controls following the convictions.

  • Precedent

    The convictions will drive cyber insurance underwriters to add personnel background-check and conflict-of-interest disclosure requirements to IR vendor panels, paralleling how financial services regulators require fitness-and-propriety checks for authorised persons.

First Reported In

US Department of Justice · 17 Apr 2026