A ransomware negotiator and a security incident response manager have admitted to running ransomware attacks.
Readers may recall the October 2025 indictments of Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed third co-conspirator, who authorities believe ran a ransomware racket.
On Monday, Goldberg and Martin pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion.
According to a Justice Department announcement, the two men and their co-conspirator agreed to pay administrators of the ALPHV BlackCat ransomware 20 percent of any ransom payments they secured, in return for use of the crimeware.
The three then used their infosec skills – all are cybersecurity professionals – to plant the ransomware at five targets and once it was running, tried to extort their victims.
The trio’s ransomware rampage ran from May to November 2023 and saw them infect a medical device company, a pharmaceutical firm, a doctor’s office, an engineering company, and a drone manufacturer.
Only one victim – the medical device company – paid up, to the tune of around $1.2 million in bitcoin. The three perps split that payment three ways and tried to launder the proceeds, the DOJ says.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks – the very type of crime that they should have been working to stop,” Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division said in a canned statement.
A federal district court will sentence Goldberg and Martin in March and has the option to jail them for 20 years apiece.
ALPHV is notorious for the 2024 attack on Change Healthcare, which left US pharmacy chains CVS and Walgreens struggling to fill prescriptions because they could not contact customers’ insurance companies to process payments. A few weeks after the Change Healthcare incident, blockchain detectives spotted $22 million worth of cryptocurrency reaching the ransomware gang. A couple of days later, the FBI locked ALPHV’s website – for the second time – and the gang dropped out of view.
One interpretation of those events was that ALPHV’s operators retired to enjoy their ill-gotten gains. However, The Register has reported that ransomware gangs sometimes take a break and re-emerge with new tools, tradecraft, and branding. ®
