Full Report
Plus: Court papers reveal nonprofit paid a ransom worth nearly $26.8 million

The third of three former ransomware negotiators accused of assisting the ALPHV/BlackCat ransomware gang in extorting US businesses has pleaded guilty, months after his two co-workers did the same.…
Analysis Summary
# Threat Actor: Angelo Martino (and Co-conspirators)
## Attribution & Identity
- **Actor Name:** Angelo Martino (aged 41).
- **Co-conspirators:** Ryan Clifford Goldberg and Kevin Tyler Martin.
- **Affiliations:** Formerly employed as ransomware negotiators at **DigitalMint** (referred to as "Company-1" in court documents).
- **Associated Groups:** **ALPHV/BlackCat** (as collaborators/insiders).
## Activity Summary
Between approximately April 2023 and November 2023, Martino and his associates operated as "rogue negotiators." While ostensibly hired to assist victims in minimizing ransom payments, they secretly collaborated with the ALPHV/BlackCat ransomware gang. Martino provided the attackers with confidential internal data to ensure the criminals could demand the maximum possible amount. Furthermore, the trio split off to conduct their own independent ransomware attacks against at least five additional companies, demanding over $16 million in those instances.
## Tactics, Techniques & Procedures
- **Insider Threat / Information Leakage:** Martino provided ALPHV with sensitive victim data, including cyber insurance policy limits and internal sentiment regarding negotiations.
- **Negotiation Sabotage:** Acting as the "intermediary," the actor manipulated the negotiation process to favor the extortionists' financial goals.
- **Independent Extortion:** Beyond assisting ALPHV, the trio deployed their own ransomware to extort businesses directly.
- **Money Laundering:** The actors split ransom proceeds and laundered the funds through the purchase of luxury assets (vehicles, real estate, and boats).
- **TTPs:**
  - Information Theft (Insurance details/financial standing).
  - Extortion/Ransomware Deployment.
  - Cryptocurrency Laundering.
## Targeting
- **Sectors:**
  - Hospitality
  - Non-profit
  - Financial Services
  - Retail
  - Medical/Healthcare
  - Medical Device Manufacturing
- **Geography:** United States (victims specifically mentioned in the Southern District of Florida and nationwide).
- **Victims:**
  - A non-profit (paid ~$26.8 million).
  - A financial services company (paid ~$25.6 million).
  - A hospitality victim (paid ~$16.5 million).
  - A retail company (paid ~$6.1 million).
  - A medical device company (paid ~$1.27 million).
## Tools & Infrastructure
- **Malware Families:** ALPHV/BlackCat ransomware; unspecified secondary ransomware used for independent campaigns.
- **Assets Seized:**
  - Digital currency (Cryptocurrency).
  - 1999 Nissan Skyline.
  - 2024 Polar RZR-24 ATV.
  - Luxury fishing boat.
  - Food truck.
  - Real estate (two Florida properties).
## Implications
This case highlights a critical "trust gap" in the Incident Response (IR) industry. The involvement of professional negotiators as double agents for ransomware groups represents a significant strategic threat, as these individuals possess intimate knowledge of a victim's financial breaking point. It underscores the risk of insider threats within the very cybersecurity firms hired to mitigate attacks, potentially leading to inflated ransom payments and prolonged recovery times.
## Mitigations
- **Third-Party Background Checks:** Conduct rigorous and ongoing vetting of internal and third-party incident response personnel.
- **Principle of Least Privilege:** Limit the access of external negotiators to only the data strictly necessary for the negotiation (e.g., avoid sharing full insurance policy documents or total "walk-away" figures with external contractors).
- **Multi-Party Oversight:** Ensure that all negotiation communications and strategies are reviewed by unbiased internal legal counsel or a separate auditing firm.
- **Conflict of Interest Disclosures:** Require IR firms to provide transparency regarding their internal security controls and historical vetting of their "negotiation" staff.