Cybersecurity: Threats and Defences
14 Jun, 11:51 UTC

IR staff pleaded guilty to using ALPHV

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.

Key takeaway

Incident-response vendor diligence now has to cover the vendor's own personnel as a threat class.

The US Department of Justice (DOJ) secured guilty pleas from two cybersecurity professionals for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023 [1]. Ryan Goldberg, 40, worked at Israeli incident-response firm Sygnia. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a firm whose business is helping victims buy their way out of exactly this kind of attack. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Sentencing was scheduled for 12 March 2026. ALPHV/BlackCat is the ransomware-as-a-service family that US Treasury previously sanctioned and that operated the Colonial Pipeline-era model of breach, encrypt and extort.

The surprise was not that external attackers compromised incident-response firms. It was that the incident responders and the negotiator used their own privileged access, including pre-existing victim relationships, to extort the organisations they were paid to help. A ransomware negotiator sits in the middle of a client's worst week: privy to the executive committee's willingness to pay, the internal assessment of what was actually encrypted, and the addresses of the wallets. Those are the data points a ransomware affiliate would otherwise spend weeks collecting.

For buyers of Incident Response (IR) services, the due-diligence conversation has now shifted. "Does this vendor have the technical skills?" is no longer the difficult question. The difficult question is whether the vendor has the personnel controls (background checks, privilege segmentation and activity monitoring) to stop its own staff from using their access against the client. That is a different kind of audit from the one cyber insurance underwriters and general counsels have been running to date.

Deep Analysis

In plain English

Ransomware is a type of criminal attack in which hackers lock a victim's computer files and demand money to unlock them. When this happens to a company, it often hires specialist firms: incident responders who investigate the attack, and negotiators who bargain with the criminals over the ransom amount. Ryan Goldberg worked at Sygnia, an incident response firm. Kevin Martin worked at DigitalMint, a ransomware negotiation company. Between April and December 2023, the two men conducted ransomware attacks against US businesses using a tool called ALPHV or BlackCat. In some cases they then appeared in a professional capacity in the aftermath. Both pleaded guilty in early 2026. The case is significant because the perpetrators were meant to be the defenders, and they used their professional access and knowledge to identify and attack targets.

Root Causes

Incident response and ransomware negotiation firms acquire privileged access to victim organisations during legitimate engagements: they may have standing access to client networks, knowledge of where backup infrastructure is located, and awareness of existing cyber insurance policy limits, all of which are operationally useful for conducting a subsequent ransomware attack.

The ransomware negotiation sector in the US has grown rapidly since 2019 with no regulatory framework. DigitalMint, where Martin worked, is a cryptocurrency payments facilitator that expanded into negotiation; Sygnia, where Goldberg worked, is a well-regarded Israeli IR firm with US operations. Neither firm had mechanisms to detect that their own employees were conducting the ransomware attacks they were subsequently paid to negotiate.

What could happen next?
  • Risk

    Any organisation that engaged incident response or ransomware negotiation services during 2023 should verify whether Goldberg or Martin had any involvement and whether those firms have audited their personnel controls following the convictions.

  • Precedent

    The convictions will drive cyber insurance underwriters to add personnel background-check and conflict-of-interest disclosure requirements to IR vendor panels, paralleling how financial services regulators require fitness-and-propriety checks for authorised persons.

First Reported In

US Department of Justice · 17 Apr 2026