Two former employees of well-known cybersecurity incident response firms have admitted to participating in ransomware attacks against American companies, a case that has drawn attention for the way industry expertise was allegedly turned into a criminal tool.
Federal prosecutors confirmed that the men were affiliated with the BlackCat ransomware operation, also known as ALPHV, and played roles in extortion campaigns that targeted multiple organizations across the United States during 2023.
Guilty Pleas Filed in Federal Court
The defendants, Ryan Clifford Goldberg, 33, of Watkinsville, Georgia, and Kevin Tyler Martin, 28, of Roanoke, Texas, pleaded guilty to conspiracy to obstruct commerce by extortion. The charges were initially filed in November, and sentencing has been scheduled for March 12, 2026.
Goldberg has remained in federal custody since September 2023, according to court records. Both men face a potential maximum sentence of 20 years in prison under federal law.
Prosecutors said the criminal activity occurred between May and November 2023 and involved a third accomplice whose name has not been disclosed publicly. Court filings describe the trio as affiliates operating within BlackCat’s ransomware ecosystem. In complex federal cybercrime cases like these, defendants often require strategic legal representation, and in jurisdictions such as Oklahoma, guidance from a knowledgeable tulsa county criminal attorney can be critical to navigating the charges and procedural challenges involved.
Backgrounds in Incident Response and Negotiation
What sets this case apart, according to authorities, is the defendants’ professional history. Goldberg previously worked as an incident response manager at Sygnia, a cybersecurity firm that assists organizations dealing with major breaches and cyberattacks. Martin was employed by DigitalMint, where he served as a ransomware threat negotiator, a role typically focused on communicating with attackers during extortion incidents to limit damage to victim organizations.
The unnamed third co-conspirator was also described as having worked in ransomware negotiation.
Assistant Attorney General A. Tysen Duva addressed the significance of the case in a statement included in court documents.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” Duva said. “Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets.”
Role Within the BlackCat Ransomware Operation
According to federal authorities, Goldberg and Martin acted as affiliates of the BlackCat ransomware group, one of the most active and damaging cybercriminal operations in recent years. As affiliates, they allegedly gained access to BlackCat’s ransomware tools, infrastructure, and data-leak platforms.
In return, prosecutors said the defendants agreed to pay roughly 20 percent of any ransom proceeds to the core BlackCat operation.
Once access was obtained, the attackers allegedly infiltrated victim networks, encrypted systems, and issued ransom demands while threatening prolonged downtime and data exposure if payments were not made.
Companies Targeted Across the United States
Court documents outline a list of victims that spanned multiple industries and geographic regions, highlighting the broad reach of the attacks.
The targeted organizations included a pharmaceutical company based in Maryland, an engineering firm in California, a medical device manufacturer in Tampa, Florida, a drone manufacturing company in Virginia, and a doctor’s office in California.
Prosecutors said ransom demands ranged widely, from approximately $300,000 to as much as $10 million, depending on the organization involved and its perceived ability to pay.
Only One Ransom Payment Confirmed
Despite issuing multiple ransom demands, authorities confirmed that only one payment is known to have been made. In May 2023, the Tampa-based medical device manufacturer paid about $1.27 million after its servers were encrypted and a $10 million ransom demand was issued.
The indictment does not state whether any of the other victims paid ransoms, and prosecutors have not publicly detailed the outcomes of other negotiations or recovery efforts.
Growing Concerns About Insider Abuse
The case has renewed scrutiny around the potential for insider abuse within the cybersecurity and ransomware negotiation industries. In July 2023, reports indicated that the U.S. Department of Justice was investigating a former DigitalMint negotiator suspected of working with ransomware groups. Federal agencies declined to comment at the time, and it remains unclear whether that investigation is directly linked to the current case.
Even so, the guilty pleas are likely to raise questions about ethical oversight, background checks, and safeguards within firms that handle sensitive breach response and negotiation work.
Federal Crackdown on BlackCat
The BlackCat ransomware group itself has faced increasing pressure from U.S. law enforcement. In December 2023, the FBI announced that it had successfully breached BlackCat’s servers, allowing investigators to monitor the group’s operations and obtain decryption keys.
As part of that effort, the FBI developed a free decryption tool intended to help victims recover encrypted data without paying ransoms.
Authorities estimate that BlackCat collected at least $300 million in ransom payments from more than 1,000 victims worldwide before September 2023, making it one of the most profitable ransomware operations on record.
In February 2024, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services issued a joint advisory warning that BlackCat affiliates were heavily targeting U.S. healthcare organizations.
The advisory emphasized the real-world risks posed by ransomware attacks on hospitals and medical providers, including delayed care, operational shutdowns, and exposure of sensitive patient data.
The involvement of former cybersecurity professionals in such attacks has intensified concerns about how insider knowledge can worsen the impact of ransomware incidents.
