Insider Threat: Two Former Cybersecurity Pros Plead Guilty to ALPHV/BlackCat Ransomware Scheme

What happened

Two U.S. cybersecurity professionals, Ryan Clifford Goldberg (former incident response manager at Sygnia) and Kevin Tyler Martin (former ransomware negotiator at DigitalMint), have pleaded guilty in federal court to conspiring to carry out ransomware attacks using the ALPHV/BlackCat malware. The Department of Justice says the pair leveraged their technical expertise and trusted roles to extort victims, including securing a roughly $1.2 million ransom from a Florida medical device company, and encrypted networks at multiple U.S. firms to demand cryptocurrency payments. They face up to 20 years in prison, with sentencing scheduled for March 2026.

Who is affected

At least five U.S. companies across sectors such as healthcare, pharmaceuticals, engineering, and technology were targeted in 2023, suffering operational disruption, data encryption, and extortion demands. The guilty pleas also spotlight a broader trust issue within the cybersecurity industry when defenders become attackers.

Why CISOs should care

This case is a stark reminder that insider threat isn’t limited to careless employees or external access abuse. It can come from trusted professionals with deep technical knowledge. CISOs must recognize that expertise and privileged access can be weaponized to devastating effect, undermining both incident response and negotiations. The incident also underscores the importance of rigorous personnel vetting, monitoring, and controls for those in sensitive security roles. 

3 Practical Actions for CISOs

  1. Strengthen Insider Monitoring: Implement continuous behavioral monitoring and privilege usage analytics to detect anomalous activity by trusted security personnel before it escalates.
  2. Enforce Separation of Duties: Limit excessive access and operational overlap between defensive roles (e.g., incident response, negotiation) and critical production systems to reduce opportunities for misuse.
  3. Enhance Third-Party Risk Management: Apply stringent security assessments and ongoing oversight for contractors and external consultants, especially those engaged in incident response or threat negotiation, to ensure alignment with organizational policies and ethical standards.