The most valuable piece of information in a ransomware negotiation is not the decryption key. It is the victim's ceiling: the cyber-insurance limit and the internal reserve that decide how high a payment can go. Whoever holds that number sets the price. In the BlackCat cases that produced prison sentences this month, the people holding it were the negotiators the victims had hired to bring the number down. According to U.S. Department of Justice filings reported by The Hacker News and BleepingComputer, they were handing it to the gang instead.
A federal court handed Angelo Martino, a former ransomware negotiator at incident-response firm DigitalMint, a 70-month prison term for his part in the now-defunct BlackCat operation, also tracked as ALPHV. Two co-conspirators, Ryan Goldberg and Kevin Martin, who worked as ransomware negotiators at incident-response firms DigitalMint and Sygnia, were each sentenced to about four years. Prosecutors said Martino handled ransom talks on behalf of five victims while passing their confidential negotiating positions to the attackers.
How did an insider change the outcome of a ransom negotiation?
A ransomware negotiator sees both sides of the table. They know the victim's insurance limit and the highest figure leadership will approve, and they know the attacker's demand. Sharing the victim's numbers with the gang removes every bluff. The attacker stops guessing and anchors its demand just under the real ceiling, so the victim pays close to the maximum every time.
That is what the filings describe. Martino handed the gang each victim's insurance ceiling and the stance they planned to take into the talks, prosecutors said, so the crew could squeeze out the most it could. A negotiation is an information game, and one side had quietly been dealt the other's hand.
Two of them were not leaking. They were the affiliates.
The betrayal ran deeper than passing notes. Court filings say the group operated as BlackCat affiliates in their own right. They ran extortions end to end: taking data, threatening to leak it, then locking systems, and they routed a fifth of every payment back to the gang for the use of its tooling and leak site, according to BleepingComputer. The same kind of professional a company calls during a breach was, in other cases, the one causing it.
The sums were large. One nonprofit victim paid about $26.8 million and a financial-services firm paid roughly $25.66 million, per the same reporting. Investigators have seized around $10 million in assets from Martino alone, including cryptocurrency, vehicles, and a boat. DigitalMint's chief executive said the firm condemned the conduct and terminated the individuals when it learned of it. Neither firm has been accused of wrongdoing; the charges are against the individuals.
This is a supply-chain compromise, with people instead of packages
Security teams have learned to treat every imported software component as a trust decision, because a poisoned dependency runs with the privileges you grant it. The response layer is a dependency too. When you retain an outside firm during a breach, you import its people into your most sensitive rooms and give them your worst secrets on your worst day. If that component is malicious, no amount of endpoint tooling on your side sees it.
Our coverage of help-desk social engineering and extortion that never encrypts a file points the same direction: attackers keep moving to the trust and process layer that endpoint tooling does not watch. It is the same reason ransomware that runs inside a browser tab is hard to catch. A negotiator's laptop is not where your detection is looking, and the gang knows it.
How do you reduce insider risk from an incident-response vendor?
Treat the vendor's people as privileged third parties, because that is what they are. Separate the negotiation mandate from forensics and remediation, keep the insurance limit and reserve with named individuals under NDA, and log who on the vendor side reads financial and insurance documents. You cannot patch a trusted insider, but you can watch the access.
- Scope each vendor role to only the systems and documents it needs, and revoke access the moment the engagement ends.
- Hold the reserve and insurance ceiling with named people, not shared across the whole response team.
- Log and review who reached negotiation and financial records, and keep those logs outside the vendor's control.
- Ask prospective firms how they vet and monitor their own negotiators before you sign.
A managed detection layer earns its place here by watching the login and the access, not just the file locker: analysts reviewing who reached what, mapped to known attacker techniques. That is how we frame incident response and threat hunting, around visibility into the accounts and actions, not a promise to act on your behalf.
Put your response vendors under the same access review as your admins
The uncomfortable takeaway is that the trust you extend during a breach is itself an attack surface, and it is one most incident-response contracts never price in. Before the next incident, write the access review into the retainer: named personnel, scoped documents, logged reads, and a clear line between the people negotiating your ransom and the people who can see your ceiling. A crew that rents a 20 percent portal does not need a zero-day when it can rent your negotiator.