US Cybersecurity Professionals Indicted in Ransomware Scheme

US federal prosecutors have charged two American cybersecurity experts with participating in a ransomware campaign linked to the notorious ALPHV/BlackCat group.

According to court documents unsealed this week in Miami, Ryan Goldberg, a former incident response specialist at Sygnia, and Kevin Martin, formerly employed at Chicago-based DigitalMint, are accused of helping the BlackCat gang encrypt victims’ networks and facilitate ransom payments through cryptocurrency channels.

The indictment alleges the two men abused their professional access and expertise to help the group attack companies in California, Florida, Virginia, and Maryland between May and November 2023.

‘Acting outside the scope of the employee’s duties’

DigitalMint, a firm that negotiates and processes ransom payments for cyberattack victims, confirmed that Martin was a former employee but said the company itself is cooperating with federal investigators and is not a target of the probe.

As reported by Reuters, DigitalMint confirmed in a statement that a former employee had been indicted for participating in ransomware operations, saying he was “acting completely outside the scope of his employment.” The company said it had no knowledge of this activity.

A third, unnamed co-conspirator “may have also been a company employee,” the company said.

Ransoms ranging from $300,000 to $10 million

BlackCat, also known as ALPHV, is one of the most active ransomware-as-a-service (RaaS) operations in the world. The group has targeted hospitals, manufacturers, and schools, often leaking stolen data when victims refuse to pay. Federal authorities had seized portions of its infrastructure in late 2023, but the operation re-emerged under new leadership.

According to the Chicago Sun-Times, the attackers have demanded ransoms ranging from $300,000 to $10 million.

Some data recovery firms have been known to secretly pay ransomware actors while charging clients for restoration services.

This case underscores the significance of incident response in the context of ransomware, while also renewing scrutiny of the role of crypto-payment firms in ransomware negotiations.

The defendants have been charged with conspiracy to commit computer fraud and money laundering. If convicted, they face up to 20 years in prison. Both men are expected to appear in federal court later this month.
