Copyright Ars Technica
Helping companies pay ransoms to digital extortionists is kind of a weird business. On the one hand, you “negotiate” with cybercriminals and in so doing may drive down the costs of recovering from a particular ransomware incident. On the other hand, you’re helping criminals get paid, funding their operations and making further attacks more likely. And there’s always a temptation built in to this kind of work. Seeing lucrative sums being whisked away through cryptocurrency exchanges and “mixing services”… Realizing from up close just how vulnerable companies are… Learning that modern ransomware can operate as a service where you essentially “rent” the code from its developers in return for a cut of the profits… One day, you might wake up on the wrong side of the bed and ask yourself: “Why shouldn’t this money I’m directing to other criminals go to me, a far more worthy criminal, instead?” According to the FBI, this was what happened to three US-based cybersecurity professionals who went rogue over the last two years, planting their own malware into US-based businesses and reaping the sweet but illicit rewards. (Well—reward, actually. It turns out that extorting doctors’ offices and local manufacturing firms is more difficult than it looks. But more on that in a minute.) Of course, you do have to worry about when the FBI will kick in your door and you will end up (as one person in this story did) lamenting your choices to the very people with guns who are trying to take you down, blathering on about going to federal prison for the rest of your life, then buying one-way tickets to Paris and ending up in a cell. Pretty soon, your whole life has been upended. Affiliate revenue Kevin Martin worked as a ransomware negotiator for DigitalMint, a Chicago company that says it can help with “evaluating demands, sourcing legitimate cryptocurrency, and facilitating secure transactions to minimize financial impact and meet threat actor requirements quickly” after an attack. According to the FBI, in 2023, Martin took steps to become an “affiliate” of the BlackCat ransomware developers. BlackCat provides full-service malware, offering up modern ransomware code and dark web infrastructure in return for a cut of any money generated by affiliates, who find and hack their own targets. (And yes, sometimes BlackCat devs do scam their own affiliates.) Martin had apparently seen how this system worked in practice through his job, and he approached a pair of other people to help him make some easy cash. One of these people was allegedly Ryan Goldberg of Watkinsville, Georgia, who worked as an incident manager at the cybersecurity firm Sygnia. Goldberg told the FBI that Martin had recruited him to “try and ransom some companies.” In May 2023, the group attacked its first target, a medical company based in Tampa, Florida. The team got the BlackCat software onto the company’s network, where it encrypted corporate data, and demanded a $10 million ransom for the decryption key. Eventually, the company decided to pay up—though only $1.27 million. The money was paid out in crypto, with a percentage going to the BlackCat devs and the rest split between Martin, Goldberg, and a third, as-yet-unnamed conspirator. Success was short-lived, though. Throughout 2023, the extortion team allegedly went after a pharma company in Maryland, a doctor’s office, and an engineering firm in California, plus a drone manufacturer in Virginia. Ransom requests varied widely: $5 million, or $1 million, or even a mere $300,000. But no one else paid. By early 2025, an FBI investigation had ramped up, and the Bureau searched Martin’s property in April. Once that happened, Goldberg said that he received a call from the third member of their team, who was “freaking out” about the raid on Martin. In early May, Goldberg searched the web for Martin’s name plus “doj.gov,” apparently looking for news on the investigation. On June 17, Goldberg, too, was searched and his devices taken. He agreed to talk to agents and initially denied knowing anything about the ransomware attacks, but he eventually confessed his involvement and fingered Martin as the ringleader. Goldberg told agents that he had helped with the attacks to pay off some debts, and he was despondent about the idea of “going to federal prison for the rest of [his] life.” He was not arrested on the spot, however. On June 24, according to court documents, he received a “target letter” from a US Attorney’s Office, letting him know that he was officially a suspect in the investigation. The next day, Goldberg and his wife purchased one-way tickets to Paris. They got on their plane on June 27, and Goldberg was in Europe when he was charged by the US government. On September 21, he flew back to North America—but not to the US. Instead, Goldberg flew from Amsterdam to Mexico City, where he was promptly arrested and deported. While Martin was allowed out of prison on a $400,000 bond, Goldberg’s actions did not merit the same conditions. A federal magistrate judge ruled on October 9 that Goldberg would not be granted bail due to his “intent to evade law enforcement with no intent to return to the United States through his sudden departure to Europe with his wife on a one-way ticket after receipt of the target letter.” Goldberg is therefore waiting in a cell for trial, which could result in him being sent back to jail for 78 to 97 months if he accepts responsibility. (It could be longer if he does not accept responsibility but is later found guilty.) The whole wild story has been trickling out for months. Bloomberg noted the existence of the investigation in July, while specialist publications like CoinTelegraph covered the crypto angle and noted that ransomware payout rates have actually been dropping for some time. The Chicago Sun-Times advanced the story this week, noting that Goldberg and Martin were both fired by their respective companies. Both companies have said that they are not targets of the investigation. The whole situation is a bit surreal, given that court documents show that Goldberg, at least, was making good money—$214,000 a year. He lost that salary when he lost his job, and he also stopped paying the mortgage on his house when he flew to Europe. His decisions, which have already altered his life significantly, are likely to cause major ongoing complications for the family members left dealing with the fallout.
