US indicts three cyber pros who moonlit for ransomware gang

US prosecutors have indicted three cyber security professionals who are alleged to have extorted multiple organisations using the ALPHV/BlackCat ransomware locker in their spare time.

Between them, the three racked up five known victims: a doctor’s office and an engineering company based in California, a medical device company based in Florida, a pharmaceutical company based in Maryland, and a drone manufacturer based in Virginia.

The filing, made in the US District Court for the Southern District of Florida in October but first reported a month later by the Chicago Sun-Times, names Kevin Tyler Martin and an unnamed individual referred to as Co-Conspirator 1 – both of whom worked as ransomware negotiators for DigitalMint, a Chicago-based incident response firm – and Ryan Clifford Goldberg, an incident response manager for Sygnia Cybersecurity Services.

The three men are accused of hacking into their victims’ networks, stealing data and executing ALPHV/BlackCat. They allegedly demanded ransoms of between $300,000 and $10m, and received at least one cryptocurrency payout worth approximately $1.27m.

According to a September FBI affidavit, their cyber crime spree began in May 2023, when the unnamed conspirator obtained an ALPHV/BlackCat affiliate account which he shared with Goldberg and Martin – who is identified in the affidavit as Co-Conspirator 2. They split the profits they made between themselves after paying the gang its “share”. The money was laundered through a mixing service and multiple crypto wallets.

In the affidavit, originally shared by TechCrunch, the FBI said that when interviewed earlier this year, Goldberg confessed to having been recruited by Co-Conspirator 1, and that he took part because he was trying to clear his debts.

Goldberg and his wife are subsequently thought to have left the US on a one-way flight to France on 27 June.

Computer Weekly understands that both DigitalMint and Sygnia are cooperating fully with the federal investigation.

As previously reported by our sister title, SearchSecurity, Sygnia has worked ALPHV/BlackCat attacks in the past and has in-depth knowledge of the gang, which has been implicated in many high-impact ransomware attacks in recent years – among others, its locker was used against Las Vegas casinos by Scattered Spider, acting as an affiliate, and against Change Healthcare.

Insider threat

Jamie Akhtar, CEO and co-founder of CyberSmart, described the incident as one of the most unusual he had ever seen as a security pro, not least because the accused men directed their actions outward and not back at their own employer. 

“Insider threats, whether witting or unwitting, are a well-known risk across all sectors,” he said. “However, when a cyber security professional uses the skills they’ve developed in the workplace to target other organisations, it raises an entirely different concern.

“Even within cyber security vendors, not everyone has pure intentions, [and] just because an organisation specialises in defence doesn’t mean it’s immune from becoming a source of risk,” added Akhtar. “Employees in tech and security roles are often highly skilled and trusted with privileged access, a combination that can be dangerous if oversight and support are lacking.

“For organisations, this brings to light the importance of rigorous access controls, regular behavioural and access reviews and a culture that encourages open communication and wellbeing checks,” he said.

“Financial pressure, stress or personal grievances can all push individuals toward actions they might never have considered before. Prevention means not just monitoring systems, but also understanding and supporting the people who use them. Trust is essential, but it must always be verified.”
