BlackCat ransomware negotiators get 4 years in prison

BlackCat ransomware – Two former incident-response staff tied to BlackCat (ALPHV) ransomware affiliate activity were sentenced to four years each.
Ransomware negotiations are now landing in courtrooms, and two men tied to BlackCat (ALPHV) attacks have been sentenced to four years in prison each.
Misryoum reports that Ryan Clifford Goldberg, a former incident-response manager at Sygnia, and Kevin Tyler Martin, described as a ransomware negotiator for DigitalMint, each received a four-year sentence after pleading guilty to conspiracy to obstruct commerce by extortion. A third accomplice, Angelo Martino, also pleaded guilty earlier and was connected to the same affiliate operations.
The cases center on BlackCat affiliate activity targeting U.S. organizations between May 2023 and November 2023. The conduct involved breaching victim networks and using the ransomware/extortion operation to pressure companies for payment, with court documents describing a revenue-sharing arrangement tied to ransom proceeds.
While the headline focuses on sentencing, the broader story is about how ransomware crews increasingly rely on specialized roles beyond simply deploying malware. In this context, “negotiators” and affiliate operators can turn access into leverage, making the extortion workflow as much a business process as an attack chain.
Misryoum notes that the affected victims included companies across multiple industries and states, ranging from a Maryland pharmaceutical firm and a Tampa medical device manufacturer to an engineering company in California, a drone manufacturer in Virginia, and a doctor’s office in California.
For one Tampa-area medical device company, prosecutors described encryption of servers and a $10 million demand in May 2023, followed by a payment that was allegedly laundered and distributed among participants. Other victims reportedly faced demands spanning a wide range, though the indictment did not spell out whether additional payments were made.
In statements tied to the outcome, U.S. officials characterized the defendants’ actions as misuse of cybersecurity knowledge for extortion rather than protection. Meanwhile, Misryoum adds that both individuals were previously associated with incident-response organizations, underscoring the risk that expertise can be turned toward criminal ends.
This matters because affiliate-based ransomware models depend on operational coordination, including negotiation and payment handling. Even when victims attempt to respond quickly, attackers may still be able to escalate pressure through stolen data and system disruption, turning cybersecurity skills into tools of harm rather than defense.
By the end of 2023, investigators had also tied the broader BlackCat operation to extensive victimization, indicating how disruptive these groups can be over time. For businesses, the message from Misryoum is clear: prevention, rapid containment, and disciplined incident response are vital, but so are strong controls around ransomware negotiation tactics and payment workflows when an incident occurs.