The Justice Department charged two U.S. ransomware negotiators and one ex-incident response manager, alleging they “switched seats” and carried out ransomware attacks—striking at the core of trust in the cyber hybrid-response industry, according to prosecutors. They said the defendants targeted businesses they were seemingly authorized to assist by hacking systems, taking information, installing ALPHV/BlackCat ransomware, and trying to recover money. The scenario highlighted how detailed knowledge of crisis plans was used against patients.
What the federal indictment alleges in this case
According to the Justice Department indictment and an FBI affidavit, two negotiators whom DigitalMint identified but would not confirm, and Ryan Clifford Goldberg, an ex-incident response manager at Sygnia, targeted up to five U.S. companies in a series of intrusions. Investigators suspect the defendants were affiliates of the ALPHV/BlackCat scheme and systematically breached business systems, stole sensitive data, and cryptographically signed documents, deploying a high-intensity ransomware infection that was sold as a commercial product.
An affidavit says that a Florida medical device maker spent over $1.2 million to recover its system access and deter more hacks, occasionally implicitly “targeting companies” and incentivizing entities to keep the sins of ex-customers secret. Another target was a Virginia drone manufacturer and a Maryland pharmaceutical company, according to public reports. A DigitalMint spokesman said the company has been working with authorities. The case addresses a critical issue of interest, with specialists inside the patients’ shield outwardly exploiting the undue goal inside the target system to commit theft.
How insider-enabled ransomware reshapes response norms
Negotiators hold a unique place in the incident response chain. They know the hot buttons: which backups aren’t working, how quickly operations must return, how much data was actually taken, and whether there was cyber insurance to pay out a settlement. It’s a matter of extortion in the final hands of enemies. Insider-enabled ransomware is not new. The culprits from the professional response world, on the other hand, are nearly unprecedented. The scenario will reopen the question of screening, regular monitoring, and conflict-of-interest provisions at response companies and regulatory organizations managing payments, conducting forensics, and representing victims in contact with criminal organizations.
ALPHV/BlackCat took a RaaS approach to ransomware: the core team created and managed the malware framework, while affiliates supplied the intrusions and rigged the playbook in effect for a significant portion of the money. It’s a world that has transformed the ransomware industry, with a lower barrier to entry and a business model that has evolved, giving criminals more power. Despite repeated record-shaking, ransomware is still generating money; Chainalysis indicated that ransomware revenues recovered strongly in 2023 to above $1.1 billion after a slump the preceding year.
Law enforcement has attempted to stymie the damage. U.S. authorities cast a shadow over the work of a prominent RaaS, RIPPER, in a large international collaboration last autumn, implying hundreds of millions in lost revenues, but the brokers who used the network have since rallied, reorganized, and updated to avoid enforcement pressure.
Compliance and operational safeguards under scrutiny
This prosecution further shifts the compliance lens onto the business of negotiating with extortionists. In many cases, the companies and insurers involved already face sanctions and AML risks, especially where threat actors overlap with companies and sanctioned entities cited by the Treasury Department. Extrapolate from these examples to expect more rigorous attestation requirements on incident response vendors and tighter board oversight around ransom discussions; neither best practice nor regulation lasts long as a voluntary measure, and the people buying it are losing.
Practical safeguards have been overdue for a long time and should include:
- Dual controls around decryptor handling and wallet access
- Strict separation between negotiation, forensics, and crypto payment responsibilities
- Deeper background checks and continuous monitoring for high-trust roles
- Auditable logs around all victim communications and wallet movements
- Explicit disclosures around conflicts of interest
Frameworks like those from CISA’s Stop Ransomware initiative and NIST can structure these controls, but enforcement will only be as relevant as contracts make it.
Victim organizations should also adjust their playbooks.
- Pre-approve short lists of vetted vendors
- Require outside counsel to oversee negotiations
- Never pay before an impartial forensic review has validated the transaction “links” to threat actors
The best market data from the ITR suggests that fewer organizations are paying, and median payments are stabilizing at $26 billion in 2020, reflecting greater resilience and increased regulatory caution; this case will exacerbate that trend.
What to watch as the ransomware case progresses
Key questions now include how the defendants allegedly got initial access, whether any client data has been misused from previous engagements, and whether additional affiliates or facilitators will be charged. Outcomes here could precipitate licensing or certification schemes for ransomware negotiators, akin to the guardrails that matured in digital forensics and private inquiry.
- No matter the court’s verdict, prosecutors’ message is clear: “the government’s concerns exceed ransomware operators and extend into their wider support system.” That message is just as straightforward for security managers—the trust must be validated and crisis vendors managed with the same precision applied to core financial and operational partners.
