Security Professionals Plead Guilty in ALPHV Ransomware Case

Two U.S. cybersecurity professionals pleaded guilty to working as ALPHV/BlackCat ransomware affiliates, highlighting insider threat risks.

Written By
Ken Underhill
Jan 2, 2026

Two U.S.-based cybersecurity professionals have pleaded guilty after admitting they used their technical expertise to carry out ransomware attacks instead of defending against them. 

The case underscores a troubling insider threat scenario, where trusted security knowledge was weaponized to extort victims as part of the notorious ALPHV/BlackCat ransomware operation.

“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.

How the Ransomware Scheme Worked

According to the U.S. Department of Justice, Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty to conspiracy to commit extortion for their roles as ransomware affiliates. 

Court documents show that the defendants used their cybersecurity expertise to identify and exploit weaknesses in victim environments. 

After gaining access, they deployed ALPHV BlackCat ransomware and participated directly in extortion negotiations. In one confirmed incident, the group successfully extorted approximately $1.2 million in Bitcoin from a victim.

After the ransom was paid, the conspirators split their 80% share and laundered the proceeds through various channels to conceal their origins. 

The structured revenue-sharing model mirrors how modern ransomware-as-a-service (RaaS) operations scale rapidly by recruiting technically capable affiliates rather than conducting all attacks themselves.

ALPHV BlackCat has been one of the most active ransomware groups globally, targeting more than 1,000 organizations across multiple industries. 

Its operations have caused widespread financial damage and operational disruption, making it a priority target for U.S. law enforcement.


Law Enforcement Strikes Back at BlackCat

In December 2023, the FBI delivered a blow to ALPHV BlackCat by developing and releasing a free decryption tool.

The tool enabled hundreds of victims to recover encrypted systems without paying ransoms, saving an estimated $99 million. 

Authorities also seized several websites associated with the group’s infrastructure, disrupting ongoing operations.

The investigation into Goldberg and Martin was led by the FBI’s Miami Field Office, with assistance from the U.S. Secret Service.

Both defendants face up to 20 years in prison and are scheduled for sentencing in March 2026.

How to Reduce Insider-Assisted Ransomware Risk

The following measures outline practical steps organizations can take to reduce insider-assisted ransomware risk by strengthening access governance, oversight, and response readiness.

  • Enforce least-privilege and just-in-time access for security personnel, supported by regular access reviews and segregation of duties.
  • Monitor privileged activity and user behavior using logging and behavioral analytics to detect anomalous or high-risk actions.
  • Require multi-party approval for sensitive operations such as disabling security controls, accessing backups, or deploying high-risk tools.
  • Conduct thorough background checks and ethics training, and provide clear, protected channels for reporting suspicious or unethical behavior.
  • Incorporate insider-assisted ransomware scenarios into incident response plans and test them through regular simulations and tabletop exercises.

Together, these controls help limit insider abuse, reduce the impact of privileged access misuse, and contain the blast radius of insider-assisted ransomware incidents. 
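As an added illustration that is not part of the original article, the following sketch shows how the multi-party approval and just-in-time access controls above can be checked against a privileged-action audit log. The record schema, operation labels, and sample events are constructed assumptions, not the format of any specific product.

```python
from datetime import datetime

# Operations the article names as needing multi-party approval (labels are assumed).
SENSITIVE_OPS = {"disable_security_control", "access_backup", "deploy_high_risk_tool"}

# Constructed sample audit records; "grant" is the just-in-time window (start, end).
EVENTS = [
    {"id": 1, "actor": "alice", "op": "access_backup", "time": "2026-01-05T10:15:00",
     "approvers": ["bob"], "grant": ("2026-01-05T10:00:00", "2026-01-05T11:00:00")},
    {"id": 2, "actor": "carol", "op": "disable_security_control", "time": "2026-01-05T12:05:00",
     "approvers": ["carol"], "grant": ("2026-01-05T12:00:00", "2026-01-05T13:00:00")},
    {"id": 3, "actor": "dave", "op": "deploy_high_risk_tool", "time": "2026-01-05T15:30:00",
     "approvers": ["erin"], "grant": ("2026-01-05T14:00:00", "2026-01-05T15:00:00")},
    {"id": 4, "actor": "frank", "op": "read_ticket", "time": "2026-01-05T16:00:00",
     "approvers": [], "grant": None},
    {"id": 5, "actor": "gina", "op": "access_backup", "time": "2026-01-05T23:40:00",
     "approvers": [], "grant": None},
]

def audit(events):
    """Return (id, actor, reasons) for sensitive actions that bypassed a control."""
    findings = []
    for e in events:
        if e["op"] not in SENSITIVE_OPS:
            continue  # routine activity is out of scope for this check
        reasons = []
        # Segregation of duties: the actor cannot approve their own action.
        if not any(a != e["actor"] for a in e.get("approvers", [])):
            reasons.append("no independent approver")
        grant = e.get("grant")
        if grant is None:
            reasons.append("no just-in-time grant")
        else:
            start, end = (datetime.fromisoformat(t) for t in grant)
            if not start <= datetime.fromisoformat(e["time"]) <= end:
                reasons.append("action outside just-in-time grant window")
        if reasons:
            findings.append((e["id"], e["actor"], reasons))
    return findings

if __name__ == "__main__":
    for event_id, actor, reasons in audit(EVENTS):
        print(f"event {event_id} by {actor}: {'; '.join(reasons)}")
```
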

Rather than relying solely on external access or opportunistic attacks, ransomware groups are actively recruiting insiders with legitimate technical expertise to accelerate intrusions, bypass defenses, and increase the success of extortion efforts.  

As insider involvement becomes a deliberate tactic in ransomware campaigns, IT leaders must rethink how they identify, manage, and mitigate insider threats across their organizations.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
