Two U.S. Cybersecurity Workers Get Four Years in Prison for BlackCat Ransomware Attacks
Two former cybersecurity professionals have been sentenced to four years in federal prison for helping carry out BlackCat ransomware attacks against U.S. companies in 2023.
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty to conspiracy to obstruct commerce by extortion. Prosecutors said they used ALPHV, also known as BlackCat, to attack multiple victims across the United States.
The case stands out because both men worked in cybersecurity. Instead of helping companies recover from ransomware, prosecutors said they used their technical knowledge to lock systems, steal data, and demand cryptocurrency payments.
How the scheme worked
According to the Justice Department, Goldberg and Martin worked with Angelo Martino, 41, of Florida. The three men deployed BlackCat ransomware between April 2023 and December 2023.
They operated as ransomware affiliates. That means they did not create the BlackCat platform themselves, but used it to attack victims and shared part of any ransom payment with the group’s operators.
Prosecutors said the men agreed to pay BlackCat administrators a 20 percent cut of ransom payments. The affiliates kept the remaining 80 percent and split the proceeds among themselves.
At a glance
| Detail | Information |
|---|---|
| Defendants sentenced | Ryan Goldberg and Kevin Martin |
| Sentence | Four years in prison each |
| Charge | Conspiracy to obstruct commerce by extortion |
| Ransomware used | ALPHV, also known as BlackCat |
| Attack period | April 2023 to December 2023 |
| Known ransom payment | About $1.2 million in Bitcoin from one victim |
| Co-conspirator | Angelo Martino, who pleaded guilty in April 2026 |
One victim paid about $1.2 million
The Justice Department said the group successfully extorted one victim for about $1.2 million in Bitcoin. After paying BlackCat administrators their share, the men split the remaining ransom and laundered the funds.
The attacks affected businesses that provided medical and engineering services. Prosecutors also said patient data from a doctor’s office victim was leaked as part of the extortion campaign.
Other victims received ransom demands, but the sentencing announcement focused on the known payment and the wider harm caused by the attacks.
Third conspirator awaits sentencing
Martino pleaded guilty in April 2026 to the same extortion conspiracy charge. His sentencing is scheduled for July 9.
Prosecutors said Martino also abused his role as a ransomware negotiator. He shared confidential victim information with threat actors to increase the value of ransom payments.
That detail makes the case especially damaging for the incident response industry. Companies hire ransomware negotiators and response firms during a crisis, often sharing sensitive details about insurance, business pressure, and negotiation limits.
BlackCat used a ransomware-as-a-service model
BlackCat operated as a ransomware-as-a-service group. Developers maintained the malware and extortion platform, while affiliates chose victims, broke into networks, deployed ransomware, and negotiated payments.
This model allowed criminals with access and skills to join the operation without building their own ransomware platform. After a victim paid, the developers and affiliates shared the ransom.
The Justice Department said BlackCat targeted more than 1,000 victims worldwide. The group became one of the most active ransomware operations before law enforcement disrupted its infrastructure in late 2023.
Law enforcement previously disrupted BlackCat
In December 2023, the Justice Department announced a disruption campaign against BlackCat. The FBI seized several websites used by the group and developed a decryption tool for victims.
The DOJ later said that tool helped save victims about $99 million in potential ransom payments. Earlier federal advisories said BlackCat affiliates had demanded more than $500 million and received nearly $300 million in ransom payments by September 2023.
The sentencing shows that law enforcement is also pursuing affiliates and insiders, not only the operators who maintain ransomware infrastructure.
Why the case matters for businesses
- It shows that ransomware risk can come from trusted professionals, not only unknown overseas hackers.
- It highlights the need to vet incident response firms and negotiators carefully.
- It shows why companies should limit access to breach details to trusted, approved parties.
- It reinforces the value of reporting ransomware attacks to law enforcement quickly.
- It shows how ransomware affiliates can abuse insider knowledge to raise pressure on victims.
What companies should do after a ransomware incident
Businesses should keep strict control over who sees sensitive incident details. That includes cyber insurance limits, internal negotiation strategy, affected systems, backup status, and financial exposure.
Companies should also document every third-party interaction during a ransomware response. Legal counsel, incident responders, negotiators, insurers, and executives should use approved communication channels and maintain clear records.
Ransomware response requires speed, but it also requires trust. This case shows why businesses need strong vendor checks before a crisis, not after attackers already control critical systems.
FAQ
Ryan Goldberg and Kevin Martin were each sentenced to four years in federal prison for their role in BlackCat ransomware attacks against U.S. victims.
Both men pleaded guilty to conspiracy to obstruct, delay, or affect commerce by extortion.
Prosecutors said the group successfully extorted about $1.2 million in Bitcoin from one victim.
Angelo Martino is a co-conspirator who pleaded guilty in April 2026. Prosecutors said he also abused his role as a ransomware negotiator by sharing confidential victim information with threat actors.