Cybersecurity Agents Accused of Working With Notorious Blackcat Hackers to Extort Firms

By Rachel Roberts

Three rogue cybersecurity professionals ran a covert ransomware operation aimed at extorting companies across the United States by encrypting their networks, prosecutors said.

They each collaborated with notorious hacking gang ALPHV, also known as Blackcat, in an attempt to extort the companies’ owners out of millions of dollars’ worth of cryptocurrency, prosecutors alleged in an indictment filed last month in a federal court in Miami, Florida.

The professionals are all Americans, although only two of them—Ryan Clifford Goldberg, a resident of Watkinsville, Georgia, and Kevin Tyler Martin, of Roanoke, Texas—have been named.

The targeted companies have not been identified by authorities, who described them only as firms in various industries based in California, Florida, Maryland, and Virginia.

Martin has pleaded not guilty while Goldberg has been detained ahead of trial, court records show, with their lawyers declining requests for comment.

The two were identified in online descriptions by course providers, according to Reuters—Goldberg as an incident response manager at cybersecurity firm Sygnia, and Martin as a former employee of DigitalMint, which provides cybercrime and ransomware incident response services.

‘Immediately’ Fired

DigitalMint, based in Chicago, said in a statement that a former employee had been indicted for participating in ransomware operations, adding that he was “acting completely outside the scope of his employment.”

It added that the company had no knowledge of the alleged activity, and said the third unnamed co-conspirator, who court documents say is a resident of Land O’Lakes, Florida, “may have also been a company employee.”

DigitalMint “has been and continues to be a cooperating witness in the investigation and not an investigative target,” the company said.

Multinational Sygnia said it fired Goldberg “immediately upon learning of the situation,” adding that the company was not the target of the investigation and that it was cooperating with investigators.

Undated file photo showing a “virus” warning and binary codes on a computer screen. Peter Byrne/PA

Critical Infrastructure Targeted

Ransomware attacks have become increasingly common in recent years and present serious challenges for targeted companies across virtually every industry.

Malicious software, designed to wreak havoc with internal systems, can be unwittingly downloaded by simply opening an email attachment or clicking on a link.

Goldberg, Martin, and the unnamed suspect are accused of demanding $5 million from a California doctor’s office, targeting a pharmaceutical company in Maryland, attempting to extort $1 million from an engineering firm in California, and demanding $300,000 from a Virginia-based drone manufacturer.

The three co-defendants are accused of carrying out the conspiracy between May 2023 and April 2025, with the court document stating that most of the ransomware attacks the defendants are alleged to have committed used a similar structure.

Blackcat’s developers first recruited and vetted an affiliate, who would identify and attack victims using the ransomware, the court filing says.

The hackers then allegedly provided the affiliate with the ransomware through a password-protected “panel” available on the dark web, granting them access to the victim’s network to steal and encrypt data, before leaving a ransom note.

Miniatures of people with computers in front of binary codes and words “Cyber attack” in this illustration taken on July 19, 2023. Dado Ruvic/Illustration/Reuters

Attempted Takedown

The U.S. Department of Justice and other agencies have tied Blackcat to more than 1,000 victims worldwide and described it as one of the most prolific ransomware groups prior to law-enforcement disruption operations.

In a December 2023 statement, the Justice Department said that over the previous 18 months, Blackcat had emerged as “the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.”

Blackcat is believed to have collaborated with the prolific hacking gang known as “Scattered Spider,” which has targeted major businesses including MGM Resorts International and Caesars Entertainment.

Due to the global scale of the cybersecurity crimes, many of which targeted critical infrastructure both in the United States and around the world, multiple foreign law enforcement agencies have been involved in parallel investigations.

In an attempted takedown of Blackcat, which is known to have operated since 2020, U.S.-led international law enforcement seized several websites used by the group as well as hundreds of digital keys used to decrypt victims’ data.

In February 2024, the U.S. Department of State was offering rewards of up to $10 million for leads that could identify or locate Blackcat gang leaders in the aftermath of the 2024 Change Healthcare ransomware attack, which disrupted prescription fulfillment in pharmacies across the United States for six days.

In March 2024, it was reported in outlets including BleepingComputer that a representative for Blackcat said in a hacking forum that the group was shutting down. This was regarded by some analysts as a classic “exit scam,” where hackers claim to be knocked out of commission before pocketing their partners’ money and starting afresh with a new name.

Reuters contributed to this report
