The U.S. Department of Justice recently revealed the details of a ransomware case involving cybersecurity professionals directly participating in the crime. Two American men have admitted to using the ALPHV BlackCat ransomware to attack multiple victims across the United States, highlighting that ransomware threats are not only foreign but can also originate from within the industry itself.
The U.S. Department of Justice announced on its official website that the U.S. District Court for the Southern District of Florida has accepted guilty pleas from two American men. The two admitted that in 2023 they conspired to use the well-known ALPHV (BlackCat) ransomware to launch cyberattacks on multiple victims within the United States and obtained illegal profits through digital extortion. These actions constitute federal crimes.
Cybersecurity professionals turned perpetrators
According to court documents, the suspects are Ryan Goldberg, 40, from Georgia, and Kevin Martin, 36, from Texas. Between April and December 2023, the two, along with a co-conspirator, successfully deployed ALPHV BlackCat ransomware against multiple targets in the U.S.
Of particular concern is that all three co-conspirators previously worked in the cybersecurity industry, possessing professional knowledge of network security and system protection. They were expected to help companies defend against hackers but instead used their technical expertise to carry out extortion against businesses and organizations.
Ransomware operates on a “franchise” model, profit sharing from ransoms
The Department of Justice states that ALPHV BlackCat operates under a “Ransomware-as-a-Service” (RaaS) model. Developers provide the ransomware tools and illegal platforms, while actual attack operations are carried out by “franchisees.” Goldberg and others agreed to pay 20% of each successful ransom to the ALPHV BlackCat management to gain access.
In one successful attack, the three extorted approximately $1.2 million worth of Bitcoin from a single victim. After sharing the proceeds, they used various methods to launder the funds to obscure their source.
Over a thousand victims worldwide, the U.S. previously took down the organization
The DOJ further explained that ALPHV BlackCat had launched attacks against over 1,000 victims globally, making it one of the most destructive ransomware organizations in recent years.
As early as December 2023, the FBI launched a large-scale law enforcement operation against the group. They developed decryption tools to help hundreds of victims recover their systems, preventing an estimated $99 million in ransom losses. Simultaneously, multiple illegal websites operated by ALPHV BlackCat were seized.
Up to 20 years in prison, sentencing in 2026
Goldberg and Martin each pleaded guilty to one count of conspiracy to “obstruct or influence commercial activity through extortion,” violating U.S. federal law. They are scheduled for sentencing on March 12, 2026, with a maximum penalty of 20 years in prison for each count. The actual sentences will be determined by the judge based on sentencing guidelines and case circumstances.
The Department of Justice emphasizes that ransomware threats do not come only from overseas; high-risk offenders also operate within the U.S. Law enforcement will continue to focus on the ransomware ecosystem, investigating not only the actual attackers but also any individuals or organizations that knowingly assist or profit from criminal activities.
The agency also urges businesses and organizations to remain vigilant. In the event of a ransomware incident, they should report to law enforcement immediately to reduce losses and prevent further victims.
Ransomware ALPHV BlackCat mastermind pleads guilty! Over a thousand victims worldwide, with one victim losing $1.2 million in Bitcoin.