Breach of Trust: Former Employees of Cybersecurity Companies Indicted for Links to ALPHV BlackCat Ransomware

Written by: Lore Apostol, Cybersecurity Writer

U.S. prosecutors have indicted three American cybersecurity professionals, alleging they secretly orchestrated a ransomware operation targeting companies across the United States. According to an indictment, the individuals are accused of collaborating with the prolific ALPHV (BlackCat) hacking syndicate. 

The news raises serious questions about insider threats within the cybersecurity industry, where professionals are entrusted with protecting corporate networks.

Details of the Alleged ALPHV BlackCat Operation

The indictment filed in a Miami federal court alleges that the three individuals used their expertise to aid the ALPHV BlackCat operation in encrypting corporate networks and extorting their owners for cryptocurrency payments.

Two of the accused, Ryan Clifford Goldberg and Kevin Tyler Martin, have been named, the Chicago Sun-Times first reported on Sunday.

At the time of the alleged crimes, Martin was an employee at DigitalMint, a firm specializing in ransomware incident response, while Goldberg was an incident response manager at another cybersecurity company, Sygnia. 

The indictment did not name the victim companies but indicated they were located in California, Florida, Virginia, and Maryland. The court document says that among the victims are a university and a corporation in Florida “that were both engaged in interstate commerce,” as well as medical facilities, school districts, law firms, and financial firms.

Employer Responses to Cybercrime Allegations

Following the ransomware indictment, both DigitalMint and Sygnia have taken action. Sygnia confirmed that Goldberg was terminated "immediately upon learning of the situation." DigitalMint stated that a former employee was indicted for activities "completely outside the scope of his employment" and noted it is cooperating with the investigation, according to Reuters. 

The firm also suggested the third, unnamed co-conspirator may have been an employee. These cybercrime allegations against trusted security professionals underscore a complex and troubling dimension of the fight against ransomware.

In June 2024, the ALPHV group claimed responsibility for the Change Healthcare ransomware attack, and shortly after, the actor reportedly staged an exit scam. A new ransomware group, RansomHub, then listed the alleged hack – a ransomware-as-a-service (RaaS) payload that overlaps with ALPHV (BlackCat), Knight Ransomware, DragonForce, and Play Ransomware operations.

The ALPHV gang targeted prominent healthcare solutions provider and Fortune 500 company Henry Schein, and RansomHub continued with U.S. oilfield giant Halliburton and the Patelco Credit Union breach.

More recently, DragonForce Ransomware claimed expansion amid an alleged RansomHub takeover.

