Three cybersecurity professionals have been accused of moonlighting as ransomware criminals following a hacking spree which yielded nearly $2 million in illicit funds.
Among the alleged criminals were Texas man Kevin Tyler Martin, Georgia man Ryan Clifford Goldberg, and a third Florida-based person who was unnamed in court documents.
While working as a ransomware negotiator for Chicago-based incident response specialist DigitalMint, Martin allegedly conspired to hack five separate businesses in the medical and engineering sectors.
Martin and the unnamed co-conspirator allegedly worked with Goldberg – who supervised incident response at Israel-based cybersecurity consulting firm Sygnia Consulting Ltd – to conduct this string of attacks between May 2023 and November 2023.
Along with other co-conspirators both “known and unknown” to the court, the group allegedly tried to “unlawfully enrich themselves” by accessing victims’ devices without authorisation, stealing their data and, notably, installing a prominent strain of ransomware.
The crew allegedly went on to demand exorbitant cryptocurrency ransoms from their victims, and in one case successfully collected $1.96 million (US$1.27 million) in cryptocurrency from a medical device company in Florida.
Jeremy Kirk, analyst at cyber threat intelligence company Intel 471, told Information Age that given their former jobs, the alleged criminals would “appear to have been intimately familiar with the inner workings of ransomware and extortion”.
“[This is] knowledge a perpetrator would need,” said Kirk.
“However, it’s extremely difficult to engage in cybercrime and leave no digital trail for investigators.”
Information Age understands Goldberg and Martin are facing three charges in total, including conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to protected computers.
Secret BlackCat operatives demanded millions
The trio’s repeated ransomware of choice was allegedly BlackCat, a now defunct strain of ransomware which launched in late 2021.
Otherwise known as ALPHV, the ransomware group behind BlackCat claimed responsibility for attacks against the likes of HWL Ebsworth, Change Healthcare and Barts Health NHS Trust.
The group allegedly used ransomware to extort $1.96 million (US$1.27 million) in cryptocurrency from a medical device company in Florida. Photo: Shutterstock
Like other Ransomware-as-a-Service gangs, cybercriminals who wanted to use BlackCat could become 'affiliates' by deploying the ransomware in exchange for a cut of any illicit profits.
Though BlackCat gradually disbanded after being targeted by a significant law enforcement operation in December 2023, Goldberg, Martin and their co-conspirator allegedly continued their scheme until April 2025.
The highest of their alleged ransomware demands was a ludicrous $15.4 million (US$10 million), which ultimately yielded a payment worth $1.96 million.
“The attack caused [the victim] to fear financial loss from the theft and encryption of their data,” read the indictment.
The trio’s ransom demands appeared to shrink over the following months, ranging from US$5 million to US$300,000, though court documents detailed only one of the five victims paid a ransom.
Kirk told Information Age BlackCat stood out during its tenure as a Ransomware-as-a-Service operation because, unlike most other outfits, it was happy to partner with English speakers.
“Some ransomware groups had specifically said they did not want to work with English speakers,” said Kirk.
“The fact that these three are accused of being ALPHV/BlackCat affiliates would indicate that the ransomware group was likely interested in maximising its profits, and perhaps it was not put off by English speakers wanting to join as affiliates.”
‘We hired them, but didn’t hack with them’
In a statement given to Information Age, DigitalMint acknowledged an indictment which the US Department of Justice obtained against its former employee.
“The former employee, acting completely outside the scope of his employment, purportedly conspired with two individuals, one named and one not named – the last who may have also been a company employee – of using AlphV/Blackcat ransomware to conduct the attacks,” the company said.
“As expected, the indictment does not allege that the company had any knowledge of or involvement in the criminal activity.”
DigitalMint said it continued to be a “cooperating witness” in investigations and was not itself an investigative target, while no client data was compromised by co-conspirators as part of the charged conduct.
Goldberg, meanwhile, had seemingly registered a profile with Sans Institute – a highly trusted cybersecurity training and research organisation launched in 1989.
Ryan Goldberg registered a profile with cybersecurity education company Sans Institute. Source: archive.li capture of a removed Sans Institute page.
At the time of writing, Goldberg’s profile on the platform appears to have been taken down.
A Sygnia spokesperson confirmed Goldberg’s former employment with the company, noting he was fired “immediately upon learning of the situation”.
“While Sygnia is not a target of this investigation, we are continuing to work closely with the Federal Bureau of Investigation,” they said.
'A difficult paradox'
According to a report from cybersecurity company Exabeam, 34 per cent of surveyed Australian cybersecurity professionals viewed malicious insiders as the greatest threat to their organisation.
Furthermore, 62 per cent believed there was an increase in insider threats between mid-2024 and mid-2025, while 84 per cent expected such threats to grow further in 2026.
Kirk said such threats demonstrate “a difficult paradox”: every organisation, whether in Australia or elsewhere, has sensitive data, and certain people have to be trusted to have access to that data.
“Technical controls and monitoring can be used to detect if data is leaving [an organisation], but none of it is foolproof,” said Kirk.
Indeed, Kirk highlighted a recent example where a man who had reportedly once worked at the Australians Signals Directorate sold US trade secrets to a buyer in Russia.
And while Kirk did not consider incident response or ransom negotiation roles to be particularly at risk of insider threats, he said there are “bound to be opportunists” where large sums of money are exchanged.
Martin has reportedly pleaded not guilty while Goldberg has been detained ahead of trial.
The men each face a collective maximum imprisonment term of 50 years.
Addendum added 13/11/2025. Statement from Sans Institute:
"Ryan Goldberg was not and has never been an instructor or fellow with SANS Institute. His name and profile appeared on the SANS website as a potential Summit speaker but he did not participate in any SANS event. Once we became aware of the incorrect listing, it was promptly removed. SANS has no affiliation with him, and this matter is unrelated to our organisation, instructors, or programs."
