An unsettling incident has emerged: three U.S. professionals who previously worked in cybersecurity roles have been indicted for orchestrating a ransomware campaign in partnership with the ALPHV BlackCat ransomware group.
What we know
- The defendants include Ryan Clifford Goldberg (former incident-response manager at Sygnia) and Kevin Tyler Martin (former ransomware negotiator at DigitalMint). Both are charged with conspiracy to commit extortion and damage to protected computers.
- Between 2023 and 2024 the group is alleged to have targeted firms in Florida, Maryland, California and Virginia – including a medical-device company and a drone manufacturer – demanding ransoms and receiving cryptocurrency payments in excess of US$1.2 million.
- The charges underscore a growing concern: qualified cybersecurity professionals have shifted from protective roles to offensive operations, indicating a major insider-threat dimension.
Implications for organisations
If your firm relies on external incident-response providers, managed security services, or has limited oversight of privileged roles, the following risks are amplified:
- The very tools and access granted to defenders can be repurposed by malicious insiders for lateral movement, ransomware deployment or data exfiltration.
- Trust assumptions around third-party vendors, security personnel and response providers must be re-evaluated. Access auditing and segregation become critical.
- Insider activity from trusted roles is harder to detect, as it may appear legitimate until damage occurs.
What you should do now
- Enforce least-privilege access and role-recertification for all internal and external security personnel.
- Maintain segmentation of environments (development, security operations, production) and monitor high-risk user actions, especially those involving crypto payments or negotiation services.
- Conduct regular vendor and partner risk assessments, including background checks, scope verification and behavioural monitoring of incident-response teams.
- Enable transparent auditing and logging of all privileged actions, communication with adversary groups, ransom-negotiation paths and crypto transfers tied to security processes.
- Expand threat-hunting to include historical activity by security roles, access patterns that change suddenly and any covert use of alter-ego alias accounts.
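Two of the hunts listed above can be expressed as simple queries over privileged-access audit logs. The following is an added example (not code from the original article or from COE Security) that works over a handful of constructed audit records. It flags a security-role account whose set of accessed hosts suddenly expands beyond its own earlier baseline, and accounts that share a source workstation with a known security-role account, which is one heuristic for a covert alias account. The account names, hostnames, workstation identifiers and the record layout are all constructed for illustration; the thresholds are assumptions an analyst would tune to their environment.

```python
"""Hunts over constructed privileged-access audit records (added example).

Check 1: a security-role account whose recent activity reaches hosts that never
         appeared in its own baseline (a sudden change in access pattern).
Check 2: an account outside the security-role set that logs in from the same
         workstation as a security-role account (one alias-account heuristic).
Both produce leads for analyst review, not automatic enforcement.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records: (timestamp, account, source_workstation, target_host, action).
# ir_alice is an incident-response account with a steady baseline of two
# security servers, then a late-night burst into finance, database, backup and
# domain-controller hosts; svc_maint9 then appears from the same workstation.
RECORDS = [
    ("2024-03-01T09:00:00", "ir_alice", "WS-101", "srv-siem-01", "login"),
    ("2024-03-01T09:30:00", "ir_alice", "WS-101", "srv-edr-01", "login"),
    ("2024-03-02T10:00:00", "ir_alice", "WS-101", "srv-siem-01", "login"),
    ("2024-03-03T10:00:00", "ir_alice", "WS-101", "srv-edr-01", "login"),
    ("2024-03-04T22:10:00", "ir_alice", "WS-101", "fileshare-finance", "login"),
    ("2024-03-04T22:12:00", "ir_alice", "WS-101", "db-prod-02", "login"),
    ("2024-03-04T22:20:00", "ir_alice", "WS-101", "backup-01", "login"),
    ("2024-03-04T22:25:00", "ir_alice", "WS-101", "dc-01", "login"),
    ("2024-03-04T23:00:00", "svc_maint9", "WS-101", "db-prod-02", "login"),
    ("2024-03-05T08:00:00", "ir_bob", "WS-102", "srv-siem-01", "login"),
]

# Accounts the organisation has recertified as security-role accounts (constructed).
SECURITY_ROLE_ACCOUNTS = {"ir_alice", "ir_bob"}


def hunt_access_pattern_shift(records, security_accounts, cutoff, min_new_hosts=3):
    """Return {account: set_of_new_hosts} for security-role accounts whose activity
    on or after `cutoff` (ISO date string) reaches at least `min_new_hosts` hosts
    that are absent from that account's own earlier baseline."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    baseline = defaultdict(set)  # account -> hosts seen before the cutoff
    recent = defaultdict(set)    # account -> hosts seen on/after the cutoff
    for ts, account, _ws, host, _action in records:
        if account not in security_accounts:
            continue
        bucket = recent if datetime.fromisoformat(ts) >= cutoff_dt else baseline
        bucket[account].add(host)

    findings = {}
    for account in security_accounts:
        new_hosts = recent[account] - baseline[account]
        if len(new_hosts) >= min_new_hosts:
            findings[account] = new_hosts
    return findings


def hunt_alias_accounts(records, security_accounts):
    """Return {candidate_account: {workstation: {security accounts seen there}}}
    for accounts outside the security-role set that share a source workstation
    with a security-role account. A shared workstation is only a lead: service
    accounts and shift handovers can produce the same pattern legitimately."""
    accounts_by_ws = defaultdict(set)
    for _ts, account, ws, _host, _action in records:
        accounts_by_ws[ws].add(account)

    findings = defaultdict(dict)
    for ws, accounts in accounts_by_ws.items():
        known = accounts & security_accounts
        if not known:
            continue
        for candidate in accounts - security_accounts:
            findings[candidate][ws] = known
    return dict(findings)


if __name__ == "__main__":
    # Baseline is everything before 4 March; the hunt looks at activity from that day on.
    for account, hosts in hunt_access_pattern_shift(RECORDS, SECURITY_ROLE_ACCOUNTS, "2024-03-04").items():
        print(f"[access shift] {account} reached new hosts: {sorted(hosts)}")
    for candidate, sharing in hunt_alias_accounts(RECORDS, SECURITY_ROLE_ACCOUNTS).items():
        print(f"[alias lead]   {candidate} shares workstations with security roles: {sharing}")
```

On the constructed records the first hunt reports ir_alice with four hosts outside her baseline, while ir_bob is not reported because his single host does not meet the threshold; the second hunt reports svc_maint9 as sharing WS-101 with ir_alice. In a real deployment the baseline would span weeks rather than days and the records would come from the identity provider or SIEM rather than an inline list.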
Conclusion
This case serves as a stark reminder: skilled cybersecurity professionals do not always remain defenders. Organisations must treat access, visibility and vendor oversight as core elements of security, not just firewalls and detection tools. When the insider threat includes those trusted with protecting your systems, the strategy must evolve.
About COE Security
COE Security partners with organisations in financial services, healthcare, retail, manufacturing and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customised training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customised CyberSecurity Services
In light of insider-driven threats such as this, COE Security also offers privileged-role risk audits, vendor/partner behavioural analytics, incident-response vendor oversight frameworks and insider-threat detection programmes. Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.