
Former Cybersecurity Pros Sentenced for Feeding Ransomware Gangs Client Insurance Limits

Three ex‑cybersecurity workers got four‑year prison terms after leaking clients’ insurance limits to Alphv ransomware, driving over $75 million in payouts.

Peter Olaleru, Cybersecurity Editor

Source: Breached

TL;DR A federal judge sentenced Ryan Goldberg, Kevin Martin, and Angelo Martino to four years each for conspiring with the Alphv (BlackCat) ransomware gang, using insider knowledge of clients’ insurance limits to drive ransom payments past $75 million.

Context: The trio worked at incident‑response firm Sygnia and negotiation firm DigitalMint before turning to crime. Starting in 2023 they became Alphv affiliates, agreeing to give the ransomware administrators 20% of any proceeds in exchange for malware access and the extortion platform. Goldberg handled initial network intrusion, Martin stole data and triggered encryption, while Martino managed negotiations and laundered funds.

Key Facts
- Goldberg and Martin pleaded guilty in December 2023 to federal extortion conspiracy; Martino entered his guilty plea on April 20, 2024.
- Martino, while still employed by DigitalMint, secretly told Alphv affiliates that victims’ insurers were only approving small amounts, urging them to hold out for higher payouts. In one case he messaged, “the [insurance] carrier is only approving small amounts — keep denying our offers and i will let you know once i find out the max the[y] want to pay.”
- Five DigitalMint clients paid a combined $75.25 million in ransoms after Martino leaked their negotiating positions. The largest single payment was $25.66 million from a U.S. financial services firm; a hospitality company paid $16.48 million, a nonprofit $26.79 million, a retailer $6.1 million, and a medical firm $213,000.
- Authorities seized roughly $10 million in assets from Martino, including cryptocurrency, real estate, vehicles, a food truck and a fishing boat. DigitalMint terminated him the day after learning of the investigation and condemned his actions.

What It Means: The case shows how trusted third‑party vendors can become insider threats when they have access to sensitive details like cyber‑insurance limits. Banks and other organizations that hire incident‑response or ransomware‑negotiation firms should treat those relationships as privileged access points.

Mitigations
- Enforce multi‑factor authentication and least‑privilege accounts for all vendor connections; monitor for anomalous use of valid credentials (MITRE ATT&CK T1078).
- Deploy network segmentation to limit lateral movement from compromised vendor systems (T1021).
- Maintain offline, immutable backups and test restoration regularly to reduce reliance on ransom payments (T1486).
- Use endpoint detection and response (EDR) tools with behavioral analytics to spot unusual data exfiltration or encryption processes.
- Conduct regular third‑party risk assessments, including contract clauses that prohibit sharing of insurance policy details and require immediate breach notification.
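As an added illustration of the first two mitigations above (this is example code written for this page, not code from the article or from any firm it names), the following Python script flags successful logins by vendor service accounts that fall outside an agreed allow-list of source networks, approved hours and in-scope hosts. That is the kind of "valid credentials used abnormally" signal T1078 points at, and the host check is a lightweight stand-in for the segmentation boundary T1021 is about. The account names, networks, hostnames and log lines are all constructed; the log format is a hypothetical space-separated one chosen for brevity.

```python
"""Flag anomalous use of valid vendor credentials (MITRE ATT&CK T1078).

Added example, not from the article. Assumes a hypothetical
space-separated authentication log (timestamp user src_ip host result)
and a hand-maintained allow-list per vendor service account.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorPolicy:
    networks: tuple       # CIDR strings the vendor is expected to connect from
    window: tuple         # (start_hour, end_hour) in UTC, start inclusive, end exclusive
    hosts: frozenset      # hostnames the engagement actually covers


# Hypothetical policies for two vendor accounts (constructed values).
POLICIES = {
    "svc-ir-vendor": VendorPolicy(
        networks=("203.0.113.0/24",),
        window=(8, 20),
        hosts=frozenset({"ir-jump01", "fs-backup02"}),
    ),
    "svc-negotiator": VendorPolicy(
        networks=("198.51.100.0/24",),
        window=(9, 18),
        hosts=frozenset({"case-portal"}),
    ),
}

# Constructed sample log lines. Lines 3, 4 and 5 each break one rule.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z svc-ir-vendor 203.0.113.17 ir-jump01 success
2024-05-02T10:02:51Z svc-negotiator 198.51.100.8 case-portal success
2024-05-02T23:41:10Z svc-ir-vendor 203.0.113.17 ir-jump01 success
2024-05-03T11:05:00Z svc-ir-vendor 192.0.2.44 ir-jump01 success
2024-05-03T11:06:30Z svc-negotiator 198.51.100.8 fin-db01 success
2024-05-03T11:07:00Z svc-negotiator 198.51.100.8 case-portal failure
2024-05-03T12:00:00Z alice 10.0.0.5 wks-012 success
"""


def parse_line(line):
    """Split one log line into (datetime, user, IPv4/IPv6 address, host, result)."""
    ts, user, ip, host, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip_address(ip), host, result


def check_event(ts, user, ip, host, policies=POLICIES):
    """Return the list of policy rules a successful vendor login violates.

    An empty list means either the account is not a vendor account (out of
    scope for this check) or the login matched every rule in its policy.
    """
    policy = policies.get(user)
    if policy is None:
        return []
    reasons = []
    if not any(ip in ip_network(net) for net in policy.networks):
        reasons.append("source_ip_not_allowlisted")
    start, end = policy.window
    if not start <= ts.hour < end:
        reasons.append("outside_approved_window")
    if host not in policy.hosts:
        reasons.append("host_outside_engagement_scope")
    return reasons


def scan_log(text, policies=POLICIES):
    """Run check_event over every successful login and collect findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host, result = parse_line(line)
        # Only successful logins are "valid accounts" in the T1078 sense;
        # failed attempts belong to a different detection (e.g. brute force).
        if result != "success":
            continue
        reasons = check_event(ts, user, ip, host, policies)
        if reasons:
            findings.append({
                "time": ts.isoformat(),
                "user": user,
                "src": str(ip),
                "host": host,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} from {f['src']} -> {f['host']}: {', '.join(f['reasons'])}")
```

Each finding carries the rule it tripped, so an analyst can route window violations (which may just be a late shift) differently from an unknown source network or an out-of-scope host, which are the ones worth paging on. In practice the allow-list would come from the vendor contract and onboarding record rather than a literal in the script.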

Watch For: Regulators may issue clearer guidance on insider‑threat programs for cyber‑service providers, and courts may consider stricter sentencing when professionals abuse their trusted roles.
