Ryan Clifford Goldberg, 40, an incident response manager at Sygnia, and Kevin Tyler Martin, 36, a ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison for secretly deploying BlackCat/ALPHV ransomware against victims — including organizations they were hired to defend or negotiate on behalf of — between April and December 2023. Both men received a 20% share of ransom proceeds in exchange for deploying BlackCat’s malware and extortion platform, with ransom demands against their victims ranging from $300,000 to $10 million. One victim, a Tampa medical device manufacturer, paid $1.27 million after an initial $10 million demand. Both pleaded guilty in December 2025.
Goldberg and Martin: Insider Positions Used to Identify, Access, and Extort Victims
Goldberg’s role as an incident response manager at Sygnia gave him privileged access to client environments during active security investigations. Martin’s position as a ransomware negotiator at DigitalMint placed him in direct contact with organizations that had already been hit by ransomware and were seeking professional assistance in managing extortion demands. Both positions provided the access and intelligence necessary to identify vulnerable organizations, gain trusted access, and coordinate BlackCat ransomware deployments that maximized extortion outcomes.
The conspiracy operated between April and December 2023. In exchange for their roles in deploying and facilitating BlackCat/ALPHV ransomware attacks, both men received a 20% cut of the ransom payments generated.
Five Confirmed Victims Across Multiple Industries and States
Court records identified five victims targeted by Goldberg and Martin during the conspiracy period:
- A Maryland pharmaceutical company
- A California engineering firm
- A Tampa, Florida medical device manufacturer
- A Virginia drone manufacturer
- A California doctor’s office
Ransom demands ranged from $300,000 to $10 million across the five victims. The Tampa medical device manufacturer paid $1.27 million following an initial $10 million demand — a negotiated outcome that Martin, as a ransomware negotiation professional, was positioned to facilitate from the extorting side. Both men were charged with conspiracy to obstruct commerce by extortion.
Third Conspirator Angelo Martino Faces Sentencing in July 2026
A third participant in the conspiracy, Angelo Martino, a former DigitalMint negotiator, pleaded guilty in April 2026 to related charges. Martino’s role was to share victim intelligence with ransomware operators in order to escalate ransom demands — leveraging the victim information accessible through DigitalMint’s negotiation workflows to increase leverage against the same organizations DigitalMint was engaged to help. Martino’s sentencing is scheduled for July 9, 2026.
The inclusion of a former negotiator whose specific role was feeding victim intelligence to threat actors extends the conspiracy beyond active malware deployment into a pattern of systematic insider information abuse across the ransomware extortion chain.
Charges: Conspiracy to Obstruct Commerce by Extortion
Both Goldberg and Martin were convicted of conspiracy to obstruct commerce by extortion — a federal charge that encompasses the use of threats, including ransomware data leak threats, to compel payments from victims. Guilty pleas were entered by both defendants in December 2025. The four-year sentences were imposed in May 2026.
Why the Goldberg-Martin Case Represents an Exceptional Threat Category
Ransomware prosecutions typically involve external threat actors who gained access to victim networks through phishing, exposed vulnerabilities, or purchased credentials. The Goldberg-Martin case is categorically different: both defendants held professional roles that gave them trusted access, client intelligence, and organizational context that external attackers cannot easily obtain.
An incident responder working inside a client environment during a security investigation has legitimate access to system inventories, credential stores, network diagrams, and security tooling — access that external attackers spend weeks or months attempting to obtain. A ransomware negotiator interacting with a victim’s decision-makers has real-time intelligence on the organization’s willingness to pay, its financial situation, and its insurance coverage. Both sets of information directly amplify the effectiveness of an extortion campaign.
The case exposes the risk of unvetted insider access in incident response and ransomware negotiation workflows — professional contexts where practitioners routinely access highly sensitive internal information under conditions of urgency and crisis.
