What happened
Two American cybersecurity professionals were sentenced to four years each in federal prison on April 30, 2026, for carrying out ransomware attacks against US businesses using the ALPHV BlackCat ransomware. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty in December 2025 to conspiracy charges related to extortion through ransomware activity. Both had active professional cybersecurity experience and used it to attack the type of organizations they had been trained to protect.
Goldberg and Martin operated as affiliates within the ALPHV BlackCat ransomware-as-a-service model, handling intrusion work and ransomware deployment while the core developers maintained the malware, backend infrastructure, and negotiation portals. Affiliates retained 80% of ransom proceeds, with 20% going to the developers. Along with co-conspirator Angelo Martino, who acted as a ransomware negotiator for victims while secretly passing confidential victim information to the attackers to inflate ransom demands, the three successfully extorted approximately $1.2 million in Bitcoin from a single victim and laundered the proceeds. Martino’s sentencing is scheduled for July 9, 2026.
Court documents confirmed that ALPHV BlackCat targeted more than 1,000 victims worldwide, including medical and engineering businesses across the United States. In one case, patient data from a doctor’s office was leaked after the victim declined to pay. The FBI tracked Goldberg across 10 countries after he attempted to flee abroad to avoid prosecution. The FBI previously disrupted ALPHV BlackCat in December 2023 by developing a decryption tool that saved approximately $99 million in ransom payments and seizing several of the group’s websites.
Who is affected
The confirmed victim pool spans more than 1,000 organizations globally, with US businesses in healthcare and engineering among the documented targets. The insider component involving Martino’s abuse of his ransomware negotiation role affected the specific victims whose confidential negotiation data was passed to attackers, enabling inflated ransom demands against organizations that had already engaged a professional to help them.
Why CISOs should care
The Goldberg, Martin, and Martino case is the clearest public illustration yet of two converging insider threats in ransomware response. The first is the RaaS affiliate model itself, which separates the people building the tools from the people deploying them, making attribution harder and drawing in technically skilled individuals who might not otherwise build malware. The second is the negotiation insider risk documented in the Martino case, where a trusted third-party responder actively worked against his clients’ interests. Both dynamics have direct implications for how security leaders vet and oversee the external parties they bring in during a ransomware incident.
3 practical actions
- Apply rigorous vetting to ransomware negotiation and incident response firms before engaging them: The Martino case demonstrates that a negotiator with apparent legitimacy can be actively working against your interests. Verify the background and professional affiliations of any external responder brought in during a ransomware incident, and consider engaging multiple independent advisors for high-stakes negotiations rather than delegating full control to a single party.
- Limit what confidential information external negotiators can access about your insurance coverage and payment limits: Martino’s value to the attackers was the victim’s negotiation position and insurance policy details. Establish information compartmentalization protocols that prevent any single external party from having visibility into both the technical response and the financial negotiation parameters simultaneously.
- Report ransomware incidents to the FBI regardless of whether you intend to pay: The FBI’s December 2023 decryption tool saved $99 million in ransom payments by disrupting ALPHV BlackCat infrastructure. Organizations that report incidents provide intelligence that supports law enforcement action and may benefit from decryption tools or victim assistance that is not publicly announced. Submit reports to the local FBI field office or ic3.gov.
