
Two Americans Sentenced for BlackCat Ransomware Attacks

May 2, 2026

Introduction

This case is not just about ransomware.

It is about:

  • Ransomware-as-a-service
  • Domestic attackers
  • And insider betrayal inside the response process itself

Two Americans used BlackCat (ALPHV) ransomware to attack U.S. organizations and extort millions.

But one of their co-conspirators did something worse.

He used his legitimate job inside incident response to feed victim intelligence back to the attackers.

This is not just an attack.

This is the collapse of trust inside the defense layer.


What Happened

Ryan Goldberg and Kevin Martin were sentenced to four years in prison for ransomware attacks carried out in 2023.

They:

  • Used BlackCat ransomware
  • Attacked multiple U.S. victims
  • Successfully extorted large payments, including $1.2 million in Bitcoin
  • Operated as affiliates in a ransomware-as-a-service model
  • Shared 20% of ransom payments with BlackCat operators
  • Laundered the proceeds

They worked with Angelo Martino, who has pleaded guilty and is awaiting sentencing.

But Martino’s role goes far beyond standard ransomware activity.


The Critical Detail Most People Miss

Martino was not just part of the attack chain.

He had legitimate access to victims through his job.

He worked in a negotiation / incident response role, meaning:

  • He had access to victim communications
  • He understood internal response strategies
  • He could see how much organizations were willing or able to pay

And he abused that access.


What Martino Actually Did

Martino leaked confidential client information to BlackCat operators.

This included:

  • Negotiation positions
  • Internal response strategies
  • Cyber insurance coverage limits
  • Payment willingness indicators

This allowed attackers to demand the exact amount victims could pay.

This was not speculation.

This was insider-fed intelligence used to increase ransom payouts.


Important Clarification

These insider leaks were:

  • Separate from the five known ransomware attacks tied to Goldberg and Martin
  • Part of additional incidents where Martino used his position to benefit attackers

This means the damage extended beyond the attacks that led to sentencing.


What This Changes About the Threat

This case is not just:

  • External attackers breaching systems

It is:

Attackers + insider access + trusted roles being weaponized

This creates a much more dangerous model:

  • Attackers do not just break in
  • They get help from inside the response process

How the BlackCat Attack Model Works

This case still follows the standard ransomware-as-a-service model, but with an added insider advantage.


1. Access to the Platform

Attackers join BlackCat as affiliates.

They receive:

  • Malware builders
  • Infrastructure
  • Encryption tools
  • Negotiation portals

There is no need to build anything themselves.


2. Initial Access to Victims

Entry is gained through:

  • Stolen credentials
  • Weak remote access systems
  • Poor identity controls

This is still the most common failure point.


3. Internal Control

Attackers:

  • Escalate privileges
  • Move laterally
  • Identify critical systems

They prepare the environment for maximum damage.


4. Data Theft

Before encryption:

  • Sensitive data is exfiltrated

This enables double extortion.


5. Ransomware Deployment

Systems are:

  • Encrypted
  • Disrupted

Operations stop.


6. Negotiation Phase

This is where the case becomes unique.

Normally:

  • Attackers guess how much to demand

In this case:

They were told exactly what to demand.

Because of Martino.


7. Payment Optimization

With insider data, attackers could:

  • Adjust ransom demands precisely
  • Apply pressure at the right level
  • Avoid underpricing or overpricing

This maximizes profit efficiency.


8. Profit Distribution

  • ~80% to attackers
  • ~20% to BlackCat operators

This is structured, predictable, and repeatable.


Why This Case Is More Dangerous Than It Looks

There are multiple layers of risk here.


1. Ransomware Is Now a Business Model

Anyone can:

  • Join a platform
  • Launch attacks
  • Get paid

The skill barrier is lower than ever.


2. Insider Threat Is Real and Active

Martino proves:

  • Trusted roles can be exploited
  • Security vendors are not immune
  • Sensitive client data can be weaponized

Trust is now part of the attack surface.


3. Negotiation Is a Vulnerability

Most organizations assume:

  • Negotiation is a controlled process

This case shows:

It can be compromised from inside.


4. Attackers Are Becoming More Precise

With insider intelligence, attackers can:

  • Target exact payment thresholds
  • Apply psychological pressure
  • Increase success rates

This is no longer guesswork.


Real Impact on Victims

Victims did not just lose access to systems.

They faced:

  • Financial loss
  • Operational shutdown
  • Data exposure
  • Strategic disadvantage during negotiation

And in at least one case:

Sensitive patient data was leaked.


The Hiring Problem No One Talks About

This case highlights a critical failure:

Organizations trust people too easily in high-risk roles.

Martino had:

  • Access to sensitive client data
  • Visibility into incident response
  • Influence over negotiation outcomes

And he abused it.


What This Means

You must treat hiring as a security control, not an HR function.


What Organizations Must Do Now


1. Hire Reputable People and Verify Them

Do not assume trust.

You need:

  • Background checks
  • Role-based vetting
  • Continuous monitoring for high-risk roles

Especially for:

  • Incident response teams
  • Negotiators
  • Third-party vendors

2. Limit Access to Sensitive Negotiation Data

Not everyone needs:

  • Insurance details
  • Payment thresholds
  • Internal strategy

Apply least privilege even during incidents.


3. Separate Roles in Incident Response

Do not allow one individual to:

  • Access sensitive data
  • Lead negotiation
  • Communicate externally

Separation reduces abuse risk.


4. Monitor Insider Activity

Watch for:

  • Data access outside role scope
  • Unusual communication patterns
  • Information sharing anomalies

5. Treat Third Parties as High Risk

Even trusted vendors can:

  • Be compromised
  • Act maliciously

Apply:

  • Access controls
  • Logging
  • Oversight

6. Strengthen Core Security Controls

Still critical:

  • MFA everywhere
  • Privilege control
  • Lateral movement detection
  • Backup protection

Because the attack still starts with access.


Detection Reality

You are not just looking for attackers anymore.

You are also looking for insider misuse.

This includes:

  • Data leaks
  • Abnormal access patterns
  • Information being used against you
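The three controls above (least privilege on negotiation data, separation of roles, and monitoring for access outside role scope, restated here under Detection Reality) can be expressed as checks over an incident-response audit trail. The script below is an added illustration, not code from the original post or from Digital Warfare; every role name, data class, duty name and audit record in it is a constructed assumption. It flags reads of data classes a role is not permitted to see, one person holding all of the duties the post says should be separated, and a user touching negotiation data across more engagements than their job should require, which is the pattern role scope alone does not catch.

```python
"""Role-scoped access checks and insider-misuse detection for incident-response data.

Added illustration, not code from the original post or from Digital Warfare.
Every role name, data class, duty name and audit record below is a constructed
assumption chosen to show the controls the post recommends: least privilege on
negotiation data, separation of duties, and watching for access outside role scope.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed least-privilege policy: which IR role may read which data class.
# Insurance limits and payment thresholds are deliberately held by different roles.
ROLE_SCOPE = {
    "ir_analyst": {"forensic_timeline", "ioc_list"},
    "negotiator": {"payment_threshold", "negotiation_position"},
    "insurance_liaison": {"insurance_limits"},
    "ir_lead": {"forensic_timeline", "ioc_list", "internal_strategy"},
}

# Constructed separation-of-duties rule: no single person may hold all three.
CONFLICTING_DUTIES = frozenset({"sensitive_data_access", "lead_negotiation", "external_comms"})


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    data_class: str
    engagement: str   # the victim engagement the record belongs to
    action: str       # "read" or "export"


def parse_log(text):
    """Parse constructed pipe-delimited audit records, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed audit record: {line!r}")
        events.append(AccessEvent(*fields))
    return events


def out_of_scope(events):
    """Accesses to data classes the actor's role is not permitted to see.
    An unknown role has no scope at all, so every access by it is flagged."""
    return [e for e in events if e.data_class not in ROLE_SCOPE.get(e.role, set())]


def engagement_breadth(events, max_engagements=2):
    """Users who touched more distinct engagements than their job should need.
    Each individual read may be in scope; reading negotiation data across many
    victims in one sitting is the harvesting pattern worth a second look."""
    seen = defaultdict(set)
    for e in events:
        seen[e.user].add(e.engagement)
    return {u: engs for u, engs in seen.items() if len(engs) > max_engagements}


def sod_violations(assignments):
    """Users assigned every duty in CONFLICTING_DUTIES (assignments: user -> set of duties)."""
    return sorted(u for u, duties in assignments.items() if CONFLICTING_DUTIES <= set(duties))


# Constructed sample data: one user ("bob") reads insurance limits outside his
# role and exports negotiation data across three engagements in one morning.
SAMPLE_LOG = """\
# ts|user|role|data_class|engagement|action  (constructed records)
2023-05-01T09:12:00Z|alice|ir_analyst|forensic_timeline|eng-101|read
2023-05-01T09:30:00Z|bob|negotiator|payment_threshold|eng-101|read
2023-05-01T10:02:00Z|bob|negotiator|insurance_limits|eng-101|read
2023-05-01T10:05:00Z|bob|negotiator|insurance_limits|eng-102|export
2023-05-01T10:07:00Z|bob|negotiator|payment_threshold|eng-103|export
2023-05-01T11:00:00Z|carol|ir_lead|internal_strategy|eng-101|read
"""

SAMPLE_ASSIGNMENTS = {
    "alice": {"sensitive_data_access"},
    "bob": {"sensitive_data_access", "lead_negotiation", "external_comms"},
    "carol": {"sensitive_data_access", "lead_negotiation"},
}


def review(log_text=SAMPLE_LOG, assignments=SAMPLE_ASSIGNMENTS):
    """Run all three checks and return the findings as a dict for the reviewer."""
    events = parse_log(log_text)
    return {
        "out_of_scope": [(e.user, e.data_class, e.engagement, e.action) for e in out_of_scope(events)],
        "broad_access": {u: sorted(engs) for u, engs in engagement_breadth(events).items()},
        "sod_violations": sod_violations(assignments),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings}")
```

On the sample records the out-of-scope check catches bob's two reads of insurance limits, the breadth check catches him spanning three engagements even though his payment-threshold reads are individually in scope, and the duty check catches him holding data access, negotiation lead and external communications at once. In a real deployment the policy table and thresholds would come from the engagement's access plan rather than constants, and the findings would feed the same review queue as external-intrusion alerts.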

Key Takeaway

Two Americans used BlackCat ransomware to attack U.S. organizations and extort millions.

But the real story is deeper.

A trusted insider leaked confidential victim data to the attackers, helping them maximize ransom payments.

This changes everything.

Ransomware is no longer just:

  • External intrusion
  • Malware execution

It is now:

Access + intelligence + insider abuse

If you do not secure all three, you are exposed.

Copyright © Digital Warfare. All rights reserved.