Full Report
A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023. In a sentencing memorandum, federal prosecutors described Martino as a "
Analysis Summary
# Incident Report: Insider Collusion and BlackCat Ransomware Extortion
## Executive Summary
Angelo Martino, a former ransomware negotiator and "double agent," was sentenced to 70 months in prison for conspiring with the BlackCat (ALPHV) ransomware group to extort his own clients. Martino breached his fiduciary duty by providing attackers with victims' confidential insurance limits and negotiation strategies to maximize ransom payments. Additionally, Martino collaborated with two other cybersecurity professionals to actively deploy ransomware against U.S. organizations throughout 2023.
## Incident Details
- **Discovery Date:** Investigation led to charges in late 2023/early 2024.
- **Incident Date:** April 2023 – November 2023.
- **Affected Organization:** Five undisclosed ransomware victims; multiple additional U.S. victims.
- **Sector:** Various (including Cybersecurity and Financial Services via the perpetrators’ employers).
- **Geography:** United States (Florida, Georgia, Texas).
## Timeline of Events
### Initial Access
- **Date/Time:** April 2023.
- **Vector:** Authorized Access / Insider Threat.
- **Details:** Martino used his position as a hired negotiator at DigitalMint to gain access to victim communications and sensitive financial data.
### Lateral Movement
- **Details:** Rather than technical lateral movement, the attackers utilized "professional lateral movement." Co-conspirators included an Incident Response (IR) manager at Sygnia and another employee at DigitalMint, leveraging their legitimate administrative access to various client environments.
### Data Exfiltration/Impact
- **Details:** Confidential negotiation strategies, insurance policy limits, and internal financial positions were leaked to BlackCat operators.
### Detection & Response
- **Discovery:** Federal investigation into BlackCat affiliates and suspicious activities by incident response personnel.
- **Response Actions:** Department of Justice (DOJ) prosecution; seizure of $10 million in assets including digital currency, luxury vehicles, and a fishing boat.
## Attack Methodology
- **Initial Access:** Authorized insider access via employment at cybersecurity and incident response firms.
- **Persistence:** Maintained through legitimate roles as "trusted advisors" during active crises.
- **Privilege Escalation:** Not applicable (Abuse of existing high-level administrative/legal privileges).
- **Defense Evasion:** Using the guise of "security professional" to mask malicious activities.
- **Credential Access:** Accessing victim insurance and financial credentials/documents.
- **Discovery:** Identifying victim "bottom-line" negotiation figures and insurance caps.
- **Lateral Movement:** Professional collusion between employees of different security firms (DigitalMint and Sygnia).
- **Collection:** Gathering sensitive internal negotiation memos.
- **Exfiltration:** Feeding data directly to BlackCat (ALPHV) ransomware operators.
- **Impact:** Financial extortion; maximizing ransom payouts; deployment of BlackCat ransomware.
## Impact Assessment
- **Financial:** Over $10 million in illicit proceeds seized from Martino alone; multiple inflated ransom payments by victims.
- **Data Breach:** Exposure of highly sensitive corporate negotiation strategies and insurance documents.
- **Operational:** Businesses were "nearly destroyed" due to the double-cross and secondary attacks.
- **Reputational:** Massive breach of trust in the cybersecurity incident response and ransomware negotiation industry.
## Indicators of Compromise
- **Network indicators:** N/A (Insider activity occurred via legitimate channels).
- **File indicators:** BlackCat (ALPHV) ransomware binaries.
- **Behavioral indicators:** Negotiators pushing for higher payments; leaks of confidential insurance caps to extortionists; unauthorized communication between IR managers and known threat actors.
## Response Actions
- **Containment:** Removal of the individuals from their respective firms (DigitalMint and Sygnia).
- **Eradication:** Federal indictment and guilty pleas of all three co-conspirators.
- **Recovery:** Seizure of $10 million for potential future restitution to victims.
## Lessons Learned
- **The "Negotiator Trap":** Hiring third-party negotiators introduces a new supply-chain risk; if the negotiator is compromised, the victim loses all leverage.
- **Vetting Vulnerabilities:** Even established cybersecurity firms can harbor malicious insiders in high-trust positions.
- **Conflict of Interest:** Lack of transparency in how negotiators are compensated or their prior affiliations can lead to extortion.
## Recommendations
- **Strict Vendor Vetting:** Conduct deep background checks on incident response partners and negotiators.
- **Principle of Least Privilege:** Limit the negotiator's access to only the information required for the task; do not automatically grant access to full insurance policies or total cash reserves.
- **Independent Monitoring:** Have internal legal counsel or a separate auditor monitor all communications between the negotiator and the threat actor.
- **Separation of Duties:** Ensure the firm negotiating the ransom is not the same firm managing the technical recovery/forensics to prevent a monopoly on the incident information.