Ransomware Negotiators Sentenced: Sygnia and DigitalMint Employees Get 4 Years for Acting as BlackCat Affiliates
Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint) were sentenced to 4 years in federal prison for acting as BlackCat ransomware affiliates while employed as incident response professionals — attacking the same clients they were hired to help.
Two cybersecurity professionals — a former Sygnia incident response manager and a DigitalMint ransomware negotiator — have been sentenced to four years in prison each for secretly acting as BlackCat ransomware affiliates while being paid by victims to respond to the attacks.
WASHINGTON, D.C. — Ryan Clifford Goldberg, 40, a former incident response manager at Sygnia, and Kevin Tyler Martin, 36, a ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison on May 1, 2026 for conspiracy to obstruct commerce by extortion. The two were charged in November 2025 and pleaded guilty in December after prosecutors established that between May and November 2023, both men acted as BlackCat (ALPHV) ransomware affiliates — breaching victim networks, deploying ransomware, and then in some cases being hired by those same victims to negotiate with the attackers they had themselves deployed. A third accomplice, Angelo Martino, 41, also pleaded guilty in April and awaits sentencing.
Sentencing profile
The insider threat: negotiators as attackers
The scheme operated on a conflict of interest so brazen it was nearly invisible: Goldberg and Martin used their professional access and insider knowledge from cybersecurity roles to identify and attack victims, deploy BlackCat ransomware, then in some cases present themselves as the solution to the crisis they had created. Goldberg, as an incident response manager at Sygnia — a respected Israeli-founded cybersecurity firm — had professional credibility and access to victim environments. Martin, as a ransomware negotiator at DigitalMint, was in the business of communicating between ransomware victims and attackers. Between May and November 2023, both men used their positions to facilitate BlackCat affiliate operations targeting multiple US companies. Court documents established that the two coordinated their activities and split proceeds from ransom payments. The scheme unraveled when federal investigators connected the defendants' professional activities to the BlackCat affiliate infrastructure through digital forensics.
The BlackCat/ALPHV context
BlackCat, also known as ALPHV, was one of the most prolific and technically sophisticated ransomware-as-a-service operations of the 2023–2024 period. The group operated on a RaaS model — providing ransomware infrastructure to affiliates who conducted the actual attacks in exchange for a cut of ransom payments. BlackCat was responsible for the devastating attack on Change Healthcare in early 2024, which disrupted healthcare payments across the United States for weeks. The FBI disrupted BlackCat's infrastructure in December 2023 — within the same timeframe as Goldberg and Martin's activity. The group attempted to rebrand and continue operations but effectively collapsed in 2024 after the Change Healthcare attack drew massive law enforcement attention. All ransomware coverage is tracked on The CyberSignal, and our guide on data breaches: risks, response, and prevention covers the downstream consequences of ransomware attacks on victims.
The broader IR industry implications
The Goldberg-Martin case is the most significant confirmed instance of cybersecurity incident response professionals acting as ransomware affiliates against their own clients. The IR industry operates on an extraordinarily high trust model: when a company calls in incident response, they provide full network access, internal documentation, and sensitive operational data to the responders. A compromised IR professional has everything an attacker needs. The case has already prompted discussion within the industry about background screening, conflicts of interest disclosure, and ongoing monitoring of IR professionals who routinely access victim environments — conversations that were largely academic before this prosecution.
What to do now
Organizations engaging external incident response firms should implement formal vetting processes that go beyond professional reputation — including background checks, references from prior client engagements, and contractual conflict-of-interest disclosures. Ensure that IR engagements operate under a defined scope of access with logging enabled on all IR team activity. Do not grant IR consultants persistent access beyond the active engagement window. Ransomware victims should independently verify that their negotiator is not affiliated with the attacking group — a step that is difficult but not impossible through due diligence on the negotiator's firm and professional history.
The CyberSignal Analysis
Signal 01 — The IR industry's trust model is now a documented attack surface
The Goldberg-Martin prosecution establishes for the first time in federal court that the trust extended to incident response professionals can be weaponized from the inside. This is not a theoretical risk — it happened, it was prosecuted, and it resulted in four-year sentences. The IR industry's response to this case will define whether the profession implements structural safeguards or treats it as an isolated aberration. The latter is the wrong answer. The access IR professionals receive during engagements is among the most sensitive in the enterprise security ecosystem.
Signal 02 — Ransomware-as-a-service creates affiliate risk that extends beyond the core group
BlackCat's affiliate model — like all RaaS programs — means the core group bears limited operational responsibility for individual attacks. The affiliates conduct the intrusions, deploy the ransomware, and collect the proceeds. This prosecution targeted affiliates, not BlackCat operators. The RaaS model diffuses criminal responsibility across a distributed network of individuals — some of whom, as this case demonstrates, may hold professional cybersecurity credentials and client relationships. Disrupting RaaS infrastructure alone does not address the affiliate pipeline.
Signal 03 — Four years sends a signal, but the structural incentive remains
A four-year sentence for ransomware conspiracy is a meaningful deterrent signal — but it must be weighed against the financial incentives. Ransomware affiliates routinely earn six and seven-figure payouts per attack. The calculation changes only when the probability of prosecution rises significantly. The Goldberg-Martin case is notable precisely because it succeeded: digital forensics connected professional activity to affiliate infrastructure in a way that held up in court. More prosecutions of this kind — not just infrastructure seizures — are what shifts the risk calculus for potential affiliates.
