Ransomware Negotiator, Pay Thyself!

A ransomware negotiator and an incident response manager at two separate cybersecurity firms have been indicted for allegedly carrying out ransomware attacks of their own against multiple US companies.

Ryan Clifford Goldberg of Watkinsville, Georgia, Kevin Tyler Martin of Roanoke, Texas, and a third unnamed co-conspirator who lives in Land O’Lakes, Florida, allegedly broke into corporate networks, stole sensitive data, deployed ALPHV/BlackCat ransomware, and demanded tens of millions of dollars in extortion payments, according to an October 2 indictment.

ALPHV/BlackCat is the notorious ransomware-as-a-service operation that pulled an exit scam shortly after the Change Healthcare attack.

According to court documents, the alleged perps delivered ransomware to a medical device company based in Tampa, Florida, a Maryland pharmaceutical firm, a California doctor’s office, an engineering company based in California, and a Virginia drone manufacturer. The attacks took place between May and November 2023.

Martin worked as a ransomware negotiator for Illinois-based incident response firm DigitalMint, and Goldberg worked as an incident response manager for global cybersecurity firm Sygnia Cybersecurity Services. The unnamed co-conspirator may have also been employed at DigitalMint, the company told The Register.

“As expected, the indictment does not allege that the company had any knowledge of or involvement in the criminal activity,” DigitalMint co-founder and CEO Jonathan Solomon said in an email to The Register. “DigitalMint has been and continues to be a cooperating witness in the investigation and not an investigative target.”

The alleged criminal activity happened “outside of DigitalMint’s infrastructure and systems,” Solomon added. “The co-conspirators did not access or compromise client data as part of the charged conduct … No one potentially involved in the charged scheme has worked at the company in over four months.”

“We can confirm that Mr. Goldberg was an employee at Sygnia. Immediately upon learning of the situation, he was terminated,” a Sygnia spokesperson told The Register. “While Sygnia is not a target of this investigation, we are continuing to work closely with the Federal Bureau of Investigation.”

While the indictment doesn’t detail how the infosec experts allegedly gained access to victims’ computers, it says that the first network intrusion occurred around May 13, 2023.

The three suspects used ALPHV/BlackCat malware to encrypt the Florida medical device firm’s servers and demanded a $10 million ransom payment, according to the court documents.

“The attack caused Victim Company 1 to fear financial loss from the theft and encryption of their data. Victim Company 1 paid RYAN CLIFFORD GOLDBERG, KEVIN TYLER MARTIN, and Co-Conspirator 1 a ransom in virtual currency worth approximately $1,274,000 at the time of payment,” the indictment states.

While the alleged criminals carried out the other four attacks in similar fashion, the other victims don’t appear to have paid a ransom. ®

