Two American cybersecurity professionals, Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were sentenced to four years each in federal prison for operating as ALPHV/BlackCat ransomware-as-a-service affiliates. The U.S. Department of Justice confirmed that the pair leveraged their defensive security expertise to compromise multiple victims, including a doctor's office, and leaked patient data when ransom payment stalled. They extorted approximately $1.2 million in Bitcoin from a single victim and split an 80% affiliate share of proceeds.
What Happened
Between April and December 2023, Goldberg and Martin operated as affiliates inside the BlackCat RaaS ecosystem, using insider knowledge of network defense to select targets, deploy ransomware payloads, and manage extortion negotiations. Both men pleaded guilty in December 2025 to conspiracy to obstruct commerce by extortion. A third co-defendant, Angelo Martino, pleaded guilty in April 2026 and is scheduled for sentencing on July 9, 2026. Goldberg attempted to evade capture by fleeing the United States, with the FBI tracking him across ten countries before securing his arrest. The case forms part of a sustained DOJ campaign against the BlackCat syndicate, which targeted more than 1,000 victims globally before the FBI disrupted its core infrastructure in December 2023 and distributed a decryption tool that saved victims an estimated $99 million in ransom payments.
What Was Taken
Stolen data included sensitive patient records from a medical provider that hesitated to pay the ransom demand. When negotiations stalled, Goldberg and Martin published the patient data on BlackCat's leak site to coerce payment, exposing personally identifiable information and protected health information covered by HIPAA. Across other intrusions tied to the pair, financial extortion totaled at least $1.2 million in Bitcoin from a single named victim, with additional laundered proceeds tied to multiple compromises during the 2023 affiliate window.
Why It Matters
The case marks one of the clearest examples to date of an insider threat originating within the cybersecurity industry itself. Both defendants held professional roles in defensive security and used that expertise to identify weaknesses, evade detection, and conduct extortion against the very kinds of organizations they were trained to protect. The DOJ noted their professional backgrounds made the attacks particularly severe, and the sentencing arrived the same day as the 8.5-year sentence handed to Karakurt negotiator Deniss Zolotarjovs, signaling a coordinated federal push against ransomware ecosystem insiders. For healthcare organizations, the leaking of patient records demonstrates that BlackCat affiliates continue to follow through on double-extortion threats regardless of victim sensitivity.
The Attack Technique
Goldberg and Martin operated within BlackCat's affiliate model, paying a 20% cut of extorted funds to the platform's administrators in exchange for malware builds, leak-site infrastructure, and negotiation tooling. Their defensive backgrounds allowed them to identify weak network segmentation, misconfigured remote access, and gaps in endpoint detection at target environments before deploying the BlackCat payload. Following encryption, they exfiltrated sensitive data and used it as leverage during negotiation, escalating to public data leaks when victims resisted payment. Proceeds were laundered through Bitcoin transfers, splitting the affiliate share between the two operators.
What Organizations Should Do
- Enforce strict least-privilege controls and continuous monitoring on staff with privileged or red-team-level access, including contractors and consultants from outside cybersecurity firms.
- Implement immutable, segmented backups and routinely test restoration to neutralize the leverage of encryption-based extortion.
- Deploy endpoint detection and response (EDR) tuned to detect BlackCat/ALPHV indicators, including known living-off-the-land binaries and shadow copy deletion behavior.
- Conduct background screening and ongoing trust verification for personnel with administrative access to client environments, particularly in MSSP and incident response roles.
- Develop a tested ransomware response playbook covering legal, regulatory (HIPAA breach notification), and law enforcement coordination before an incident occurs.
- Engage the FBI early; the BlackCat takedown demonstrated that federal coordination can recover keys, seize wallets, and reduce ransom payouts across the victim community.
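As an illustration of the shadow copy deletion detection recommended above, the following added example (not from the article, the DOJ, or any EDR vendor) matches process command lines against a small rule set. The rule set, the event field names, and the host names are assumptions; the sample events are constructed.

```python
import re

# Assumed rule set: widely documented commands that ransomware uses to
# inhibit recovery. Not taken from the article or from any vendor's EDR.
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "vssadmin_resize_shadowstorage": r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b",
    "wmic_shadowcopy_delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wmi_shadowcopy_delete_ps": r"\bwin32_shadowcopy\b.*\bdelete\b",
    "bcdedit_recovery_off": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "wbadmin_delete_catalog": r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

def normalize(cmdline):
    """Lower-case, drop cmd.exe caret escapes and quotes, collapse whitespace."""
    cleaned = cmdline.lower().replace("^", "").replace('"', "")
    return " ".join(cleaned.split())

def detect(events):
    """Return (host, rule, command_line) for each process event that matches."""
    hits = []
    for ev in events:
        norm = normalize(ev["command_line"])
        for name, rx in COMPILED.items():
            if rx.search(norm):
                hits.append((ev["host"], name, ev["command_line"]))
    return hits

def hosts_to_escalate(events, threshold=2):
    """Hosts where several distinct recovery-inhibition rules fired."""
    per_host = {}
    for host, rule, _ in detect(events):
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)

# Constructed sample process-creation events (hypothetical hosts).
SAMPLE_EVENTS = [
    {"host": "ws-01", "command_line": 'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"host": "ws-01", "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws-02", "command_line": "v^ssadmin  del^ete shadows /all"},
    {"host": "srv-03", "command_line": "vssadmin list shadows"},
    {"host": "srv-03", "command_line": "wmic shadowcopy call create Volume=C:\\"},
]

if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Routine administration such as listing or creating shadow copies does not match, so the two `srv-03` events produce no alert.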
Sources: Two cybersecurity professionals sentenced for BlackCat ransomware attacks