A former ransomware negotiator pleaded guilty this week to conspiring with the ransomware actor BlackCat/ALPHV to commit ransomware attacks against US companies in 2023.
The Department of Justice revealed the plea yesterday as part of its continuing campaign to take down BlackCat, a prolific ransomware actor that was previously responsible for attacks against hospitals and universities, as well as big name targets. For example, an affiliate was reportedly responsible for the now-infamous attack against Change Healthcare in 2024. As of now, the entity known as BlackCat has largely disappeared, but law enforcement action continues.
Angelo Martino, 41, of Land O’Lakes, Florida, collaborated with BlackCat/ALPHV actors to extort organizations beginning in April 2023. According to a statement from the Department of Justice, Martino abused his role at a US-based cyber incident response firm to assist the cybercriminals. While working on behalf of five victims, he “provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission.”
That confidential information included victim insurance policy limits and internal negotiation positions, provided so BlackCat could maximize payouts from their victims. BlackCat paid Martino for his collaboration.
Three Cybersecurity Professionals Turned Rogue
Martino additionally admitted to conspiring with two other cybersecurity professionals, Ryan Goldberg of Georgia and Kevin Martin of Texas. They successfully deployed BlackCat ransomware between April and November of 2023 against multiple US-based victims. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their share of the ransom three ways and laundered the funds through various means,” DOJ noted.
Law enforcement has seized approximately $10 million in assets from Martino to date, including multiple vehicles (such as a food truck and a luxury boat) as well as digital currency obtained as part of this ransomware activity.
Martino pleaded guilty to one count of extortion. Goldberg and Martin entered guilty pleas for the same charge in December. Martino will be sentenced July 9 and the others will be sentenced on April 30. All three face a maximum sentence of 20 years in prison.
Martino and Martin were employed by DigitalMint, while Goldberg was a Sygnia employee. Both firms said they cooperated fully with law enforcement. DigitalMint previously told Dark Reading that both guilty employees had been terminated, and that the actions of Martin and Martino violated its ethical standards. Meanwhile, Sygnia said Goldberg acted on his own and Sygnia clients were not affected by his actions.
Martino’s plea comes three days after the UK’s Tyler Buchanan pleaded guilty to wire fraud and aggravated identity theft, according to the DOJ. He conspired with others to breach at least a dozen companies via text-based phishing attacks while also stealing at least $8 million of virtual currency. The 24-year-old reportedly was affiliated with Scattered Spider.
“Clear Separation” Between Negotiation, Payment
Daniel Tobok, CEO of incident response firm Cypfer and longtime ransomware negotiator, tells Dark Reading that based on available information, Martino almost certainly had too much access to financial data and payment processes, allowing him to pass specific information to BlackCat. “I am a true believer that there should be separation between the person doing the negotiations and the process of payment,” Tobok says.
“When you have a clear separation, you have different people doing the negotiations, doing the strategy, and coming up with a number, they don’t have anything to monetize or benefit from,” he says. Those kinds of firewalls help reduce conflicts of interest and self-dealing.
Morey Haber, chief security advisor at BeyondTrust, says in an email that an uncomfortable takeaway from this incident is that trust, even for one’s protectors, should not be absolute.
“For ransomware victims, trust must always be verified, not implied by a company name, title, or even simply a website advertising negotiation services,” Haber writes. “Ransomware victims should separate negotiation (if legal), response (recovery), and forensic (remediation) roles while enforcing least privilege even for third parties consuming sensitive data about the incident.”
