Full Report
The U.S. Department of Justice charged another former DigitalMint employee for his involvement in an insider scheme in which ransomware negotiators secretly partnered with the BlackCat (ALPHV) ransomware operation. [...]
Analysis Summary
# Threat Actor: BlackCat (ALPHV) Affiliate Insider Group
## Attribution & Identity
* **Primary Actors:**
* **Angelo Martino** (Former DigitalMint employee; previously identified as "Co-Conspirator 1")
* **Kevin Tyler Martin** (Former DigitalMint employee)
* **Ryan Goldberg** (Former Sygnia incident response manager)
* **Associated Groups:** BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) operation.
* **Identity Type:** Malicious Insiders / Cybercrime Affiliates.
## Activity Summary
Between April 2023 and April 2025, these individuals operated as an insider threat cell while employed at cybersecurity and incident response firms (DigitalMint and Sygnia). They exploited their positions as ransomware negotiators and incident responders to facilitate attacks. Martino specifically leaked confidential negotiation details to the BlackCat operators to undermine victim leverage and ensure ransom payments. The group acted as BlackCat affiliates, conducting their own attacks and paying a 20% "commission" to the BlackCat administrators for infrastructure access.
## Tactics, Techniques & Procedures
* **Insider Threat:** Leveraging legitimate employment at IR firms to access victim data and negotiation strategies.
* **Double Extortion:** Threatening to leak stolen data on extortion portals to compel payment.
* **Collusion:** Sharing real-time internal negotiation intelligence with the ransomware threat actors (ALPHV).
* **Ransomware-as-a-Service (RaaS):** Utilizing the BlackCat payload and extortion infrastructure.
* **Money Laundering / Profit Sharing:** Facilitating ransom payments and splitting proceeds (80/20 split) with the core RaaS group.
## Targeting
* **Sectors:**
* Healthcare (Medical device manufacturers, medical facilities)
* Legal (Law firms)
* Education (School districts)
* Financial Services
* **Geography:** Primarily United States (Tampa, FL specifically mentioned).
* **Victims:**
* A Tampa-based medical device manufacturer (Paid $1.27 million).
* At least five other U.S.-based organizations.
* Clients of DigitalMint and Sygnia.
## Tools & Infrastructure
* **Malware:** BlackCat (ALPHV) Ransomware.
* **Infrastructure:**
* BlackCat Extortion Portal (Used for data leaks).
* Internal Incident Response (IR) communication channels (Exploited by insiders).
## Implications
This case highlights a critical strategic risk in the cybersecurity ecosystem: the "corrupt negotiator" or "insider responder." A ransom negotiation depends on the attacker not knowing the victim's true ability and willingness to pay, its insurance position, or its recovery status. By infiltrating the very firms hired to mitigate ransomware, the actors handed that information to the other side of the table and eliminated the victim's information advantage. From the victim's side, such collusion is invisible: an attacker who rejects a counteroffer because they already know the ceiling behaves no differently from an attacker who merely holds firm, so the only place it can be detected is inside the IR vendor. The compromise erodes trust in incident response vendors and demonstrates that even mature RaaS groups like BlackCat actively benefit from collusion with Western cybersecurity professionals.
## Mitigations
* **Internal Controls:** Implement strict "need-to-know" access controls for sensitive negotiation data and victim files within IR firms.
* **Background Vetting:** Enhanced and continuous background screening for employees in high-trust positions (negotiators, forensic analysts).
* **Separation of Duties:** Ensure that the personnel handling the technical IR do not have sole authority or unmonitored access to the negotiation strategy.
* **Audit Logging:** Comprehensive, tamper-evident logging of access to case management systems, with alerting on access to cases an employee is not assigned to, reads of negotiation records by staff in technical (non-negotiator) roles, bulk exports of case material, and access outside a case's active hours, to identify suspicious patterns of data exfiltration or unauthorized access by employees.
* **Multi-Party Negotiation:** Organizations should involve legal counsel and multiple internal stakeholders in negotiations to provide oversight of the external firm's conduct.
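The need-to-know, separation-of-duties and audit-logging mitigations above only help if someone actually evaluates the logs. The script below is an added example (not code from DigitalMint, Sygnia or the DOJ filing) that runs three such checks over a constructed JSON-lines access log from a hypothetical case-management system: access to a case the user is not assigned to, a user outside the negotiator role reading negotiation records, and a burst of exports within a short window. The log schema, the `ASSIGNMENTS` and `ROLES` tables, the record-type names and the thresholds are all assumptions chosen for the illustration.

```python
"""Flag need-to-know, separation-of-duties and bulk-export anomalies in
case-management access logs.  Added example with a made-up schema; the
assignment table, role names, record types and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: which cases each employee is assigned to, and each employee's role.
ASSIGNMENTS = {
    "analyst_a": {"CASE-101"},
    "negotiator_b": {"CASE-101", "CASE-202"},
    "analyst_c": {"CASE-303"},
}
ROLES = {"analyst_a": "forensics", "negotiator_b": "negotiator", "analyst_c": "forensics"}

# Record types that only the negotiation role should ever read (assumed names).
NEGOTIATION_RECORD_TYPES = {"negotiation_note", "ransom_ceiling", "insurer_position"}
BULK_THRESHOLD = 5               # exports by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window trigger an alert

# Constructed sample log (JSON lines); not real data from any incident.
SAMPLE_LOG = """\
{"ts":"2025-03-01T09:00:00","user":"negotiator_b","case":"CASE-101","action":"read","record":"negotiation_note"}
{"ts":"2025-03-01T09:05:00","user":"analyst_a","case":"CASE-101","action":"read","record":"forensic_timeline"}
{"ts":"2025-03-01T09:06:00","user":"analyst_a","case":"CASE-101","action":"read","record":"ransom_ceiling"}
{"ts":"2025-03-01T09:10:00","user":"analyst_c","case":"CASE-202","action":"read","record":"negotiation_note"}
{"ts":"2025-03-01T22:00:00","user":"negotiator_b","case":"CASE-202","action":"export","record":"negotiation_note"}
{"ts":"2025-03-01T22:01:00","user":"negotiator_b","case":"CASE-202","action":"export","record":"ransom_ceiling"}
{"ts":"2025-03-01T22:02:00","user":"negotiator_b","case":"CASE-202","action":"export","record":"insurer_position"}
{"ts":"2025-03-01T22:03:00","user":"negotiator_b","case":"CASE-202","action":"export","record":"negotiation_note"}
{"ts":"2025-03-01T22:04:00","user":"negotiator_b","case":"CASE-202","action":"export","record":"negotiation_note"}
"""


def parse_log(text):
    """Parse JSON-lines access records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def finding(rule, ev):
    """Normalise one alert so downstream tooling gets a flat record."""
    return {"rule": rule, "user": ev["user"], "case": ev["case"],
            "record": ev["record"], "ts": ev["ts"].isoformat()}


def detect(events, assignments=ASSIGNMENTS, roles=ROLES):
    """Apply the three checks to time-ordered events; return a list of findings."""
    findings = []
    exports = defaultdict(list)  # user -> timestamps of recent export actions
    for ev in events:
        user, case, record = ev["user"], ev["case"], ev["record"]

        # Need-to-know: any touch of a case the user is not assigned to.
        if case not in assignments.get(user, set()):
            findings.append(finding("unassigned_case", ev))

        # Separation of duties: technical staff reading negotiation material.
        if roles.get(user) != "negotiator" and record in NEGOTIATION_RECORD_TYPES:
            findings.append(finding("sod_violation", ev))

        # Bulk export: sliding window of exports per user; fire once when the
        # window first reaches the threshold rather than on every later event.
        if ev["action"] == "export":
            recent = [t for t in exports[user] if ev["ts"] - t <= BULK_WINDOW]
            recent.append(ev["ts"])
            exports[user] = recent
            if len(recent) == BULK_THRESHOLD:
                findings.append(finding("bulk_export", ev))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['rule']:16} {f['user']:13} {f['case']} {f['record']}")
```

Against the constructed log this yields four findings: `analyst_a` reading `ransom_ceiling` on its own case (role violation), `analyst_c` reading a negotiation note on a case it is not assigned to (both rules fire), and one `bulk_export` alert when `negotiator_b`'s fifth export lands inside ten minutes. The important design point is that the first two rules need an assignment table and a role table that the case-management system does not let the analyst edit; if the employee can assign themselves to a case, the need-to-know check is only as good as the approval workflow behind that assignment.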