Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a former ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison on April 30, 2026, for deploying BlackCat (ALPHV) ransomware against multiple U.S. victims between April and December 2023. A third co-conspirator, Angelo John Martino III — also a former DigitalMint employee — is scheduled for sentencing on July 9, 2026.
BlackCat Ransomware Sentencing: What We Know So Far
Goldberg (40, Georgia) and Martin (36, Texas) pleaded guilty to conspiracy to obstruct commerce by extortion — a federal charge carrying up to 20 years. Prosecutors documented that the trio operated as paid BlackCat/ALPHV affiliates, breaching victim networks and passing a 20% cut of ransom proceeds back to the ransomware operation’s administrators in exchange for access to its encryption platform and extortion infrastructure.
The attacks ran from April 2023 through December 2023. Victims spanned multiple sectors across the United States; the DOJ press release does not name specific targets.
The core contradiction that makes this case significant: Goldberg was simultaneously employed as an incident response manager at Sygnia — a firm hired by ransomware victims to remediate attacks. Martin worked at DigitalMint, a firm that helps organizations negotiate ransom payments. Both held positions of direct trust with organizations at their most vulnerable moment.
Neither Sygnia nor DigitalMint has been accused of wrongdoing. DigitalMint stated it had no knowledge of Martino’s or Martin’s criminal activity prior to being contacted by the DOJ.
Martino is the third defendant in the original November 2025 indictment. His sentencing on July 9, 2026, will close out the case. The DOJ press release is available at justice.gov.
Why BlackCat Ransomware Sentencing Matters
This case is a direct challenge to the trust model that ransomware incident response depends on. When an organization suffers an attack, it typically brings in external IR firms to investigate, contain, and negotiate. The implicit assumption is that those firms act adversarially toward the threat actor — not in coordination with them.
The BlackCat affiliate model made that assumption exploitable. ALPHV’s ransomware-as-a-service (RaaS) platform allowed external affiliates to deploy the payload and keep 80% of ransoms while the core group handled infrastructure, negotiation tooling, and leak-site operations. Any individual with affiliate access and a target in their own professional network could weaponize a client relationship.
The structural risk this exposes:
- Ransomware IR firms frequently obtain elevated access — domain admin, backup system credentials, forensic copies of data — during engagements. A compromised employee holds extraordinary leverage.
- Negotiation firms see ransom amounts, victim communication channels, and deadline pressure in real time. That information has direct value to a threat actor trying to maximize extortion.
- The 20% affiliate split is a low bar. A single mid-size healthcare or financial services victim paying a $2M ransom generates $400,000 per affiliate after the platform cut.
ALPHV/BlackCat was shut down in a joint law enforcement operation in December 2023. Its final act was an exit scam that stole a $22M ransom payment from an affiliate involved in the Change Healthcare attack. Despite the platform’s closure, its affiliates — including those now sentenced — continued to face prosecution under U.S. law.
BlackCat Ransomware Sentencing: What You Should Do Now
If your organization uses external IR firms or ransomware negotiators, this case surfaces concrete due diligence gaps worth addressing:
- Vet your IR vendors’ access controls. Confirm that any firm you engage has documented procedures preventing individual employees from exfiltrating credentials or data obtained during your engagement. Request SOC 2 Type II reports or equivalent.
- Scope engagements with least-privilege access. IR firms should receive only the access necessary for the specific engagement phase. Do not grant standing domain admin; use time-bounded accounts with MFA and log all actions to a system the IR firm cannot access.
- Audit negotiation channel communications. If you use a third-party negotiation service, retain copies of all communications independently. Ransom negotiations should never be fully delegated to an opaque third party.
- Run background checks on IR personnel with elevated access. This case involved employees of established firms — not freelancers. Require named-personnel disclosures and confirm that primary contacts on your engagement are the individuals with system access.
- Review your cyber insurance policy for IR firm liability. Some policies explicitly require insurers to approve negotiation firms. Verify whether your insurer has current vetting requirements for the firms you plan to use.
Detection and Verification Checklist
The attack vector in this case is insider abuse of trusted access, not a technical vulnerability. Post-engagement verification steps:
- After any IR engagement, rotate all credentials the firm accessed: domain admin accounts, backup credentials, cloud service accounts, and VPN certificates.
- Pull and review authentication logs for the accounts provisioned to the IR firm covering the full engagement window. Look for off-hours access, lateral movement to systems outside the declared scope, or large data transfers.
- If you paid a ransom through a negotiation firm, request a transaction-level breakdown showing wallet addresses and payment routing. Cross-reference with known sanctioned addresses using OFAC’s SDN list.
- Confirm that any data the IR firm copied for forensic purposes has been destroyed or returned per your engagement contract.
- Subscribe to DOJ cybercrime press releases and CISA KEV updates. If a firm you have used appears in either, treat it as a potential indicator of compromise until verified.
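The authentication-log review in the checklist above can be scripted so that every vendor session is tested against the engagement terms. The following is an added example, not taken from the article's sources; the account names, hosts, engagement window, working hours, transfer threshold and log format are all constructed assumptions.

```python
from datetime import datetime, time

# Engagement terms (constructed for this example; take real values from the SOW).
WINDOW = (datetime(2025, 3, 3), datetime(2025, 3, 14, 23, 59, 59))
SCOPE = {"dc01", "fs02", "bkp01"}              # hosts the vendor was cleared to touch
VENDOR_ACCOUNTS = {"ir-vendor-01", "ir-vendor-02"}
WORK_HOURS = (time(7, 0), time(20, 0))         # agreed working hours, local time
MAX_BYTES = 5 * 1024**3                        # per-session outbound threshold (5 GiB)

# Constructed sample log: timestamp, account, target host, bytes sent out.
SAMPLE_LOG = """\
2025-03-04T09:14:02 ir-vendor-01 dc01 1048576
2025-03-05T02:41:55 ir-vendor-01 fs02 2097152
2025-03-06T11:03:10 ir-vendor-02 hr-db03 524288
2025-03-07T15:20:00 ir-vendor-02 bkp01 21474836480
2025-03-18T10:00:00 ir-vendor-01 dc01 4096
2025-03-07T10:00:00 jsmith hr-db03 4096
"""

def parse(line):
    ts, account, host, nbytes = line.split()
    return datetime.fromisoformat(ts), account, host.lower(), int(nbytes)

def review(log_text):
    """Return (timestamp, account, host, [reasons]) for each flagged vendor event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, nbytes = parse(line)
        if account not in VENDOR_ACCOUNTS:     # only vendor-provisioned accounts
            continue
        reasons = []
        if not WINDOW[0] <= ts <= WINDOW[1]:
            reasons.append("outside-engagement-window")
        if not WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1]:
            reasons.append("off-hours")
        if host not in SCOPE:
            reasons.append("out-of-scope-host")
        if nbytes > MAX_BYTES:
            reasons.append("large-transfer")
        if reasons:
            findings.append((ts.isoformat(), account, host, reasons))
    return findings

if __name__ == "__main__":
    for ts, account, host, reasons in review(SAMPLE_LOG):
        print(ts, account, host, ",".join(reasons))
```

A login after the engagement window closes is the strongest signal here, since it means a vendor credential was not disabled or rotated on schedule.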
Sources: BleepingComputer, CyberScoop, DOJ Press Release, DataBreaches.net

