Executive Summary
From May to November 2023, Ryan Goldberg and Kevin Martin, who at the time worked in the incident-response industry as a ransomware negotiator and an incident response manager respectively, used that expertise to carry out ransomware attacks with the ALPHV/BlackCat variant. They targeted multiple U.S. organizations, including a Florida medical device company, a Maryland pharmaceutical firm, a California doctor's office, a California engineering company, and a Virginia drone manufacturer. The attacks caused operational disruption and financial loss; at least one victim paid a ransom of about $1.3 million. Both men were later sentenced to federal prison. (justice.gov)
This case is usually filed under insider threat, but neither man was an employee of the victims. They were trusted third parties in the incident-response ecosystem whose knowledge of how organizations detect intrusions, negotiate, and pay was turned against those organizations. The controls it argues for are the familiar ones, least privilege, continuous monitoring, and tight access management, extended to the vendors and responders an organization trusts during an incident.
Why This Matters Now
The incident shows that the people best placed to defeat a defense are the ones who build and operate it. Trusted cybersecurity professionals know how detection and response work and carry the credibility to be believed, so organizations need controls that detect and contain misuse regardless of who holds the access, whether an employee or a trusted partner.
Attack Path Analysis
The public court record describes what the two did (gaining unauthorized access to victim networks, deploying ALPHV/BlackCat, and extorting payment) rather than the technical steps, so the path below is the standard ALPHV/BlackCat affiliate playbook described in public profiles of the ransomware such as the Canadian Centre for Cyber Security one cited below, applied to this case. Initial access is typically obtained with valid credentials; the sources do not state how the credentials were obtained, only that the attackers knew from their professional work how victims' defenses and responses operate. From that foothold an affiliate escalates privileges to higher-level accounts, moves laterally across the network to find critical systems, establishes command and control channels to keep persistent access and stage the ransomware, and exfiltrates sensitive data to external servers before encryption. Finally the ALPHV/BlackCat payload encrypts data and the victim is extorted with both the decryption key and the threat of publishing the stolen data.
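As an added example that is not part of the original page or the court record, the detector below runs over a handful of constructed log lines and flags three stages of the chain described above: a valid-account logon from outside the account's expected networks, one host fanning out to many internal hosts on administrative ports (lateral movement), and a large aggregate outbound transfer to an external address that is not on the egress allow-list (exfiltration before encryption). The log format, host names, addresses, per-account baselines, allow-list and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample logs for this example; not taken from any real victim.
# Format (assumed): "<timestamp> auth user=.. src=.. dst=.. result=.." or
#                   "<timestamp> flow src=.. dst=.. port=.. bytes=.."
SAMPLE_LOGS = """\
2023-07-10T01:02:03Z auth user=svc_backup src=203.0.113.7 dst=dc01 result=success
2023-07-10T01:03:00Z auth user=jdoe src=10.0.1.20 dst=fs01 result=success
2023-07-10T01:05:10Z flow src=10.0.1.5 dst=10.0.2.11 port=445 bytes=120000
2023-07-10T01:05:12Z flow src=10.0.1.5 dst=10.0.2.12 port=445 bytes=98000
2023-07-10T01:05:14Z flow src=10.0.1.5 dst=10.0.2.13 port=3389 bytes=250000
2023-07-10T01:05:16Z flow src=10.0.1.5 dst=10.0.2.14 port=5985 bytes=40000
2023-07-10T01:05:18Z flow src=10.0.1.5 dst=10.0.2.15 port=445 bytes=77000
2023-07-10T01:20:00Z flow src=10.0.1.20 dst=10.0.2.11 port=445 bytes=15000
2023-07-10T02:00:00Z flow src=10.0.2.11 dst=198.51.100.9 port=443 bytes=80000000
2023-07-10T02:10:00Z flow src=10.0.2.11 dst=203.0.113.50 port=443 bytes=30000000
2023-07-10T02:11:00Z flow src=10.0.2.11 dst=203.0.113.50 port=443 bytes=45000000
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed per-account baseline: where a successful logon for this account is expected from.
# Accounts without an entry are expected to log on from internal address space.
EXPECTED_LOGON_NETS = {"svc_backup": [ip_network("10.0.1.0/24")]}
# Assumed sanctioned egress destinations (e.g. the off-site backup provider).
EGRESS_ALLOWLIST = [ip_network("198.51.100.0/24")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
LATERAL_FANOUT = 5           # distinct internal hosts reached on admin ports from one source
EXFIL_BYTES = 50_000_000     # aggregate bytes from one host to one unsanctioned external host

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|flow)\s+(?P<body>.+)$")


def parse_logs(text):
    """Turn the key=value log lines into dicts; unknown or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["body"].split())
        fields.update(ts=m["ts"], kind=m["kind"])
        events.append(fields)
    return events


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def detect(text):
    """Return findings keyed by kill-chain stage for the given log text."""
    events = parse_logs(text)
    findings = {"initial_access": [], "lateral_movement": [], "exfiltration": []}

    # Stage 1: a successful logon with a valid account from outside its expected networks.
    for e in events:
        if e["kind"] != "auth" or e.get("result") != "success":
            continue
        expected = EXPECTED_LOGON_NETS.get(e["user"], INTERNAL_NETS)
        if not in_any(e["src"], expected):
            findings["initial_access"].append((e["ts"], e["user"], e["src"]))

    fanout = defaultdict(set)   # internal src -> internal dsts contacted on admin ports
    egress = defaultdict(int)   # (internal src, external dst) -> total bytes out
    for e in events:
        if e["kind"] != "flow":
            continue
        src, dst = e["src"], e["dst"]
        if in_any(src, INTERNAL_NETS) and in_any(dst, INTERNAL_NETS):
            if int(e["port"]) in ADMIN_PORTS:
                fanout[src].add(dst)
        elif in_any(src, INTERNAL_NETS) and not in_any(dst, EGRESS_ALLOWLIST):
            egress[(src, dst)] += int(e["bytes"])

    # Stage 2: lateral movement shows up as one host touching many others on admin ports.
    for src, dsts in fanout.items():
        if len(dsts) >= LATERAL_FANOUT:
            findings["lateral_movement"].append((src, sorted(dsts)))
    # Stage 3: exfiltration shows up as large aggregate volume to an unsanctioned destination.
    for (src, dst), total in egress.items():
        if total >= EXFIL_BYTES:
            findings["exfiltration"].append((src, dst, total))
    return findings


if __name__ == "__main__":
    for stage, hits in detect(SAMPLE_LOGS).items():
        print(stage, hits)
```

Two design points are worth noting. Volume is aggregated per source/destination pair rather than judged per flow, because an attacker who knows the thresholds will split a transfer into many small sessions; and the 80 MB transfer to the allow-listed backup range is deliberately not flagged, which is the trade-off an egress policy makes: a sanctioned destination that the attacker can also reach is a gap the allow-list will not close.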
Kill Chain Progression
Initial Compromise
Description
Initial access was obtained with valid credentials. The court record does not specify how the credentials were obtained; the technique list below covers the whole chain, not only this stage.
MITRE ATT&CK® Techniques
- Valid Accounts (T1078)
- Phishing (T1566)
- Command and Scripting Interpreter (T1059)
- Obfuscated Files or Information (T1027)
- File and Directory Discovery (T1083)
- Application Layer Protocol (T1071)
- Exfiltration Over C2 Channel (T1041)
- Data Encrypted for Impact (T1486)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect All Systems and Networks from Malicious Software
Control ID: Requirement 5.2
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Pillar
Control ID: Identity pillar (Authentication and Access Management functions)
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Direct ransomware targeting (a Florida medical device company and a California doctor's office were among the victims), patient data exposure, exfiltration that blends into ordinary encrypted outbound traffic, and HIPAA exposure, together putting critical healthcare operations at risk.
Pharmaceuticals
Ransomware that reaches drug development data through lateral movement and exfiltration (a Maryland pharmaceutical firm was among the victims), with supply chain disruption and regulatory consequences.
Computer/Network Security
Abuse of professional knowledge by security practitioners: segmentation gaps and standing privileged access give a knowledgeable insider or trusted third party everything needed to deploy ransomware, and a compromised negotiator can corrupt the negotiation itself.
Financial Services
A compromised ransomware negotiator can steer payment extortion; for payment-card environments this also means PCI DSS exposure, and multicloud visibility gaps can leave financial transaction data reachable.
Sources
- Former incident responders sentenced to 4 years in prison for committing ransomware attacks: https://cyberscoop.com/incident-responders-ryan-goldberg-kevin-martin-sentenced-ransomware/
- Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison: https://www.justice.gov/opa/pr/two-americans-who-attacked-multiple-us-victims-using-alphv-blackcat-ransomware-sentenced
- Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant: https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
- Profile: ALPHV/BlackCat Ransomware: https://www.cyber.gc.ca/en/guidance/profile-alphvblackcat-ransomware
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant because the affiliate playbook depends on reaching critical systems and moving data out: strict segmentation and controlled access policies constrain lateral movement and exfiltration regardless of who holds the credentials. The sources do not describe the victims' network architecture, so the mitigations below describe what each control limits in a network that has it.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial access with a valid account lands in one segment rather than on a flat network, limiting what that account can reach.
Control: Zero Trust Segmentation
Mitigation: Least-privilege policy between segments limits which systems a compromised or escalated account can reach, so privilege escalation on one host does not translate into access everywhere.
Control: East-West Traffic Security
Mitigation: Internal traffic is inspected and policy-enforced, so lateral movement toward critical systems is restricted and visible.
Control: Multicloud Visibility & Control
Mitigation: Command and control channels stand out against a baseline of known flows and can be detected and cut, shortening the attacker's persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic to unsanctioned destinations is blocked, so exfiltration before encryption fails or is caught.
Together these controls confine ransomware deployment to the segments the attacker actually reached, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Patient Data Management
- Pharmaceutical Research
- Engineering Design
- Drone Manufacturing
Estimated downtime: 21 days (an estimate; the court record does not state victim downtime)
Estimated loss: $1,300,000 (the ransom paid by one victim; total losses across the five victims are not stated)
Data at risk: patient records, proprietary pharmaceutical research data, engineering schematics, and drone design documents.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activity across environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and mitigate malicious behavior promptly.