US indicts three cyber pros who moonlit for ransomware gang

U.S. prosecutors have charged three cybersecurity professionals who allegedly extorted money from multiple organizations using the ALPHV/BlackCat ransomware locker in their free time.

In total, the three targeted five organizations: a doctor's office and an engineering company based in California, a medical device company based in Florida, a pharmaceutical company based in Maryland, and a drone manufacturer based in Virginia.

The indictment was filed in the U.S. District Court for the Southern District of Florida in October but was first reported a month later, by the Chicago Sun-Times. It names Kevin Tyler Martin and an unnamed individual referred to as Co-Conspirator 1 (both worked as extortion negotiators for DigitalMint, a Chicago-based incident response firm), and Ryan Clifford Goldberg, an incident response manager at Sygnia Cybersecurity Services.

The three men are accused of hacking into their victims' networks, stealing data, and deploying the ALPHV/BlackCat ransomware. They allegedly demanded ransoms ranging from $300,000 to $10 million and received at least one payment in cryptocurrency, amounting to approximately $1.27 million.

According to a September FBI affidavit, their cybercrime spree began in May 2023 when an unnamed conspirator obtained an ALPHV/BlackCat affiliate account, which he shared with Goldberg and Martin, identified in the affidavit as Co-Conspirator 2. They split the resulting profits among themselves after paying the gang its “share.” The money was laundered through a mixing service and several crypto wallets.

In the affidavit, first reported by TechCrunch, the FBI said that during an interview earlier this year Goldberg admitted that he was recruited by Co-Conspirator 1 and that he took part because he was trying to pay off his debts.

Goldberg and his wife are believed to have subsequently left the US on a one-way flight to France on June 27.

Computer Weekly understands that both DigitalMint and Sygnia are fully cooperating with the federal investigation.

As previously reported by our sister title SearchSecurity, Sygnia has responded to ALPHV/BlackCat attacks in the past and has intimate knowledge of the gang, which has been involved in many high-impact ransomware attacks in recent years, including those against Las Vegas casinos, carried out by Scattered Spider acting as an affiliate, and against Change Healthcare.

Insider threat

Jamie Akhtar, CEO and co-founder of CyberSmart, described the incident as one of the most unusual he had ever seen as a security professional, not least because the accused directed their actions outward rather than back at their employer.

“Insider threats, whether witting or unwitting, are a well-known risk across all sectors. However, when a cybersecurity professional uses the skills they have acquired on the job to attack other organizations, it poses a completely different challenge,” Akhtar said.

“Even among cybersecurity vendors, not everyone has pure intentions, [and] just because an organization specializes in defense does not mean it is immune from becoming a source of risk. Technical and security staff are often highly skilled and trusted with privileged access, a combination that can be dangerous if oversight and support are lacking,” he said.

“For organizations, this highlights the importance of strict access controls, regular behavior and access reviews, and a culture that encourages open communication and welfare checks.”

Akhtar added: “Financial pressure, stress or personal grievances can push people to take actions they may never have considered before. Prevention means not only monitoring systems, but also understanding and supporting the people who use them. Trust is important, but it always needs to be tested.”
