Home/ Blog/ Security news/ Article
Blog · Security news

Three ransomware responders secretly worked for BlackCat. Trust is the attack surface.

Three incident-response insiders at DigitalMint and Sygnia were sentenced for helping run BlackCat ransomware, one leaking victims' insurance limits.

Sealed document on a raised plinth under a stark overhead beam of light

The most valuable piece of information in a ransomware negotiation is not the decryption key. It is the victim's ceiling: the cyber-insurance limit and the internal reserve that decide how high a payment can go. Whoever holds that number sets the price. In the BlackCat cases that produced prison sentences this month, the people holding it were the negotiators the victims had hired to bring the number down. According to U.S. Department of Justice filings reported by The Hacker News and BleepingComputer, they were handing it to the gang instead.

A federal court handed Angelo Martino, a former ransomware negotiator at incident-response firm DigitalMint, a 70-month prison term for his part in the now-defunct BlackCat operation, also tracked as ALPHV. Two co-conspirators, Ryan Goldberg and Kevin Martin, who worked as ransomware negotiators at incident-response firms DigitalMint and Sygnia, were each sentenced to about four years. Prosecutors said Martino handled ransom talks on behalf of five victims while passing their confidential negotiating positions to the attackers.

How did an insider change the outcome of a ransom negotiation?

A ransomware negotiator sees both sides of the table. They know the victim's insurance limit and the highest figure leadership will approve, and they know the attacker's demand. Sharing the victim's numbers with the gang removes every bluff. The attacker stops guessing and anchors its demand just under the real ceiling, so the victim pays close to the maximum every time.

That is what the filings describe. Martino handed the gang each victim's insurance ceiling and the stance they planned to take into the talks, prosecutors said, so the crew could squeeze out the most it could. A negotiation is an information game, and one side had quietly been dealt the other's hand.

Two of them were not leaking. They were the affiliates.

The betrayal ran deeper than passing notes. Court filings say the group operated as BlackCat affiliates in their own right. They ran extortions end to end: taking data, threatening to leak it, then locking systems, and they routed a fifth of every payment back to the gang for the use of its tooling and leak site, according to BleepingComputer. The same kind of professional a company calls during a breach was, in other cases, the one causing it.

The economics of a trusted-insider extortion scheme
$26.8M
Largest single ransom paid
by one nonprofit victim
20%
Cut paid to BlackCat operators
for portal and malware access
$10M
Assets seized from one insider
crypto, vehicles, a boat
Source: U.S. Department of Justice filings, as reported by BleepingComputer and The Hacker News.

The sums were large. One nonprofit victim paid about $26.8 million and a financial-services firm paid roughly $25.66 million, per the same reporting. Investigators have seized around $10 million in assets from Martino alone, including cryptocurrency, vehicles, and a boat. DigitalMint's chief executive said the firm condemned the conduct and terminated the individuals when it learned of it. Neither firm has been accused of wrongdoing; the charges are against the individuals.

This is a supply-chain compromise, with people instead of packages

Security teams have learned to treat every imported software component as a trust decision, because a poisoned dependency runs with the privileges you grant it. The response layer is a dependency too. When you retain an outside firm during a breach, you import its people into your most sensitive rooms and give them your worst secrets on your worst day. If that component is malicious, no amount of endpoint tooling on your side sees it.

Our coverage of help-desk social engineering and extortion that never encrypts a file points the same direction: attackers keep moving to the trust and process layer that endpoint tooling does not watch. It is the same reason ransomware that runs inside a browser tab is hard to catch. A negotiator's laptop is not where your detection is looking, and the gang knows it.

How do you reduce insider risk from an incident-response vendor?

Treat the vendor's people as privileged third parties, because that is what they are. Separate the negotiation mandate from forensics and remediation, keep the insurance limit and reserve with named individuals under NDA, and log who on the vendor side reads financial and insurance documents. You cannot patch a trusted insider, but you can watch the access.

  • Scope each vendor role to only the systems and documents it needs, and revoke access the moment the engagement ends.
  • Hold the reserve and insurance ceiling with named people, not shared across the whole response team.
  • Log and review who reached negotiation and financial records, and keep those logs outside the vendor's control.
  • Ask prospective firms how they vet and monitor their own negotiators before you sign.

A managed detection layer earns its place here by watching the login and the access, not just the file locker: analysts reviewing who reached what, mapped to known attacker techniques. That is how we frame incident response and threat hunting, around visibility into the accounts and actions, not a promise to act on your behalf.

Put your response vendors under the same access review as your admins

The uncomfortable takeaway is that the trust you extend during a breach is itself an attack surface, and it is one most incident-response contracts never price in. Before the next incident, write the access review into the retainer: named personnel, scoped documents, logged reads, and a clear line between the people negotiating your ransom and the people who can see your ceiling. A crew that rents a 20 percent portal does not need a zero-day when it can rent your negotiator.

Topics

Frequently asked questions

What happened in the BlackCat insider case?

Three former incident-response insiders were sentenced for secretly aiding the BlackCat ransomware gang. Angelo Martino received 70 months, and two co-conspirators, Ryan Goldberg and Kevin Martin, got about four years each. They worked as ransomware negotiators at firms including DigitalMint and Sygnia, according to U.S. prosecutors.

How did the negotiator help the attackers?

He passed BlackCat the insurance ceilings and planned negotiating stances of the victims he was representing, according to prosecutors. That let the gang set its demand just below what each victim could pay, maximizing ransoms. He did this across five separate victim engagements.

Were the insiders only leaking data, or running attacks?

Court filings say two of the three did more than leak. They operated as BlackCat affiliates, demanding payments, threatening to publish stolen data, and encrypting systems, and paid the gang a 20 percent cut of proceeds for access to its portal. So they were both trusted responders and active attackers.

How much did the scheme extort from victims?

One nonprofit victim paid about $26.8 million and a financial-services firm paid roughly $25.66 million, according to reporting on the case. Investigators have seized around $10 million in assets from Martino alone, including cryptocurrency, vehicles, and a boat.

How can organizations reduce insider risk from IR vendors?

Treat vendor personnel as privileged third parties. Separate negotiation from forensics, keep the insurance limit and reserve with named people under NDA, and log who on the vendor side reads financial and negotiation records. Scope access to each role and revoke it when the engagement ends.

Are DigitalMint or Sygnia accused of wrongdoing?

No. The charges are against the individuals, not the firms. DigitalMint's chief executive said the company condemned the conduct and terminated the individuals when it learned of it. The case describes insiders abusing trusted positions, not company misconduct.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.