Former incident responders sentenced to 4 years in prison for committing ransomware attacks

Two former cybersecurity professionals who moonlighted as cybercriminals, committing a series of ransomware attacks in 2023, were each sentenced to four years in prison, the Justice Department said Thursday.
Ryan Clifford Goldberg and Kevin Tyler Martin previously pleaded guilty to one of three charges brought against them in December and faced up to 20 years behind bars.
Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with Angelo John Martino III to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
“These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.”
Victims impacted by the attacks Goldberg and Martin participated in over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia.
“They harmed important firms who were providing medical and engineering services. They played hardball with them, going so far as to cause the leak of patient data from a doctor’s office victim,” A. Tysen Duva, assistant attorney general of the Justice Department’s criminal division, said in a statement.
“These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed. Ransomware attackers like this should be punished and removed from society to serve their lawful sentences so they cannot harm others,” Duva added.
Goldberg and Martin received identical sentences for their crimes, despite significant differences surrounding their initial arrests. Martin was arrested without incident in October and freed on bond later that month.
Goldberg fled the country in June, 10 days after he was interviewed by the FBI. He was arrested Sept. 22 and ordered to remain in custody pending trial due to flight risk.
Goldberg and his wife boarded a one-way flight to Paris from Atlanta on June 27 and remained in Europe until Sept. 21. When Goldberg flew directly from Amsterdam to Mexico City, he was arrested upon landing and deported to the United States.
“When Goldberg sought to flee abroad and escape prosecution, the FBI tracked him through 10 countries, demonstrating the lengths we will go to hold cyber criminals accountable and protect victims,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.
The cases against Golberg, Martin and their co-conspirator Martino showcase an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons.
Goldberg, 40, and Martin, 36, extorted a $1.3 million ransom payment from the medical company with Martino in May 2023, but did not receive ransom payments from their other victims.
Martino’s ransomware scheme went much further and caused significantly more damage, helping accomplices extort a combined $75.3 million in ransom payments. Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides.
He pleaded guilty earlier this month to sharing confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates.
The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.
Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.
Sygnia and DigitalMint are not accused of any knowledge or involvement in the crimes, and both previously said they fired their former employees once federal authorities alerted the companies to their alleged crimes.
ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.
The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Facts Only

Ryan Clifford Goldberg and Kevin Tyler Martin were sentenced to four years in prison for ransomware attacks in 2023.
Goldberg was a manager of incident response at Sygnia; Martin was a ransomware negotiator at DigitalMint.
They collaborated with Angelo John Martino III to deploy ALPHV/BlackCat ransomware.
Victims included a Florida medical company, a Maryland pharmaceutical company, a California doctor’s office, a California engineering company, and a Virginia drone manufacturer.
Goldberg fled the U.S. in June 2023, was arrested in Mexico in September, and deported.
Martin was arrested in October 2023 and released on bond.
Goldberg and Martin extorted $1.3 million from one victim but received no payments from others.
Martino pleaded guilty to extracting $75.3 million in ransoms by exploiting his role as a negotiator.
Martino was released on a $500,000 bond and faces up to 20 years in prison; sentencing is scheduled for July 9.
Sygnia and DigitalMint fired the defendants upon learning of the allegations and were not accused of involvement.
ALPHV/BlackCat was used in the February 2024 attack on Change Healthcare, resulting in a $22 million ransom and a breach affecting 190 million people.

Executive Summary

Two former cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, were sentenced to four years in prison for their involvement in ransomware attacks using the ALPHV/BlackCat strain in 2023. Goldberg, a manager at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with Angelo John Martino III to extort victims, including medical and engineering firms. Their crimes exploited their specialized knowledge to lock systems, steal data, and pressure businesses into paying ransoms. Goldberg fled the U.S. after an FBI interview but was later arrested in Mexico and deported, while Martin surrendered and was released on bond. Martino, who played both sides as a negotiator and attacker, pleaded guilty to extracting $75.3 million in ransoms from victims, including those he was supposed to help. The cases highlight the rare but severe risks of insider threats in cybersecurity, where trusted professionals abuse their access for personal gain. The ALPHV/BlackCat group, linked to these attacks, has been responsible for high-profile breaches, including the $22 million ransom paid by UnitedHealth Group’s Change Healthcare in 2024.

Full Take

This case exposes a troubling paradox in cybersecurity: professionals tasked with protecting systems can become the most effective threats. The strongest version of this narrative underscores the betrayal of trust—Goldberg and Martin weaponized their expertise to extort victims, while Martino exploited his dual role as negotiator and attacker, a conflict of interest with devastating consequences. The pattern here aligns with **ARC-0012 Insider Threat Exploitation**, where privileged access is abused for personal gain, and **ARC-0035 False Duality**, as Martino’s role as both helper and harmer created a systemic vulnerability.
The root cause lies in the unregulated nature of ransomware negotiation, a practice that assumes good faith but lacks oversight. The assumption that cybersecurity professionals are inherently ethical is challenged here, raising questions about industry safeguards. Who benefits? The attackers, certainly, but also the broader ransomware ecosystem, which thrives on fear and secrecy. The costs are borne by victims—businesses, patients, and critical infrastructure—whose data and operations are held hostage.
Bridge questions: How can the cybersecurity industry prevent such insider threats without stifling innovation? What structural changes could make ransomware negotiation more transparent? Would stricter licensing or auditing of negotiators reduce conflicts of interest?
Counterstrike scan: If this were an influence campaign, the playbook might amplify fear of cybersecurity professionals to erode trust in the industry. However, the content focuses on accountability and systemic flaws rather than sensationalism, suggesting no alignment with a coordinated attack.

Sentinel — Human

Confidence

This text exhibits strong human journalistic features, evidenced by specific sourcing and varied narrative pacing, indicating it is likely grounded in real-world reporting.

Signals Detected

Sentence length variance is natural, and the use of direct, quoted statements by legal/FBI officials introduces human voice and rhythm.

The text successfully integrates multiple, disparate quotes and factual data points without exhibiting the smooth, passive balance characteristic of purely synthetic summaries.

The flow shifts naturally from specific criminal sentencing to the mechanism of the crime (negotiation) to the broader context (BlackCat group), suggesting a structured narrative developed by a human reporter.

Specific details regarding flight paths, arrests, and the complex interplay of multiple actors (Goldberg, Martin, Martino) suggest detailed journalistic sourcing rather than general LLM confabulation.

Human Indicators

The integration of specific, detailed quotes from multiple government agencies (Justice Department, FBI) suggests a human journalistic sourcing process.

The narrative structure, which shifts between individual case facts and large-scale threat analysis, displays the nuanced emphasis typical of investigative reporting.