Executive Summary
In April 2026, Angelo Martino, a former ransomware negotiator at DigitalMint, pleaded guilty to conspiring with the BlackCat/ALPHV ransomware group to extort U.S. companies in 2023. Martino exploited his position by providing BlackCat with confidential information about his clients' insurance policy limits and negotiation strategies, enabling the attackers to maximize ransom demands. Alongside co-conspirators Ryan Goldberg and Kevin Martin, Martino participated in deploying ransomware attacks, resulting in at least $1.2 million in Bitcoin payments from a single victim. Law enforcement has seized approximately $10 million in assets from Martino, including digital currency and luxury items. This case underscores the critical risk posed by insider threats within cybersecurity roles.
The incident highlights the evolving tactics of ransomware groups and the importance of stringent internal controls to prevent insider collusion. Organizations must reassess their security protocols and ensure clear separation of duties to mitigate such risks.
Why This Matters Now
This case underscores the critical risk posed by insider threats within cybersecurity roles, emphasizing the need for organizations to reassess security protocols and enforce clear separation of duties to prevent internal collusion.
Attack Path Analysis
The attackers gained initial access by exploiting vulnerabilities in remote desktop protocols and phishing emails. They escalated privileges by obtaining administrative credentials through credential dumping techniques. Lateral movement was achieved by leveraging compromised credentials to access additional systems within the network. Command and control were established using encrypted channels to communicate with the attackers' infrastructure. Exfiltration involved transferring sensitive data to external servers controlled by the attackers. The impact culminated in the deployment of BlackCat ransomware, encrypting critical files and demanding ransom payments.
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial access by exploiting vulnerabilities in remote desktop protocols and phishing emails.
Related CVEs
CVE-2023-0669
CVSS 7.2
A pre-authentication command injection vulnerability in Fortra's GoAnywhere MFT allows remote attackers to execute arbitrary code.
Affected Products:
Fortra GoAnywhere MFT – < 7.1.2
Exploit Status:
exploited in the wild
CVE-2021-27876
CVSS 8.1
An unauthenticated remote code execution vulnerability in Veritas Backup Exec allows attackers to execute arbitrary commands on the target system.
Affected Products:
Veritas Backup Exec – < 21.2
Exploit Status:
exploited in the wild
CVE-2021-27877
CVSS 9.8
An unauthenticated remote code execution vulnerability in Veritas Backup Exec allows attackers to execute arbitrary commands on the target system.
Affected Products:
Veritas Backup Exec – < 21.2
Exploit Status:
exploited in the wild
CVE-2021-27878
CVSS 8.8
An unauthenticated remote code execution vulnerability in Veritas Backup Exec allows attackers to execute arbitrary commands on the target system.
Affected Products:
Veritas Backup Exec – < 21.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing for Information
Compromise Accounts
Obtain Credentials from Password Stores
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: Windows Command Shell
Ingress Tool Transfer
Obfuscated Files or Information
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the security of cryptographic keys
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
BlackCat ransomware insider threats directly compromise cybersecurity firms through rogue employees sharing confidential client negotiation strategies and insurance limits.
Financial Services
Ransomware negotiators accessing insurance policy limits and payment processes create significant exfiltration risks requiring enhanced zero trust segmentation controls.
Health Care / Life Sciences
BlackCat's hospital targeting history combined with insider threat vulnerabilities necessitates encrypted traffic monitoring and east-west traffic security implementations.
Higher Education/Academia
Universities face elevated BlackCat ransomware exposure requiring multicloud visibility controls and egress security policy enforcement against data exfiltration attempts.
Sources
- Ransomware Negotiator Pleads Guilty to BlackCat Scheme: https://www.darkreading.com/insider-threats/ransomware-negotiator-pleads-guilty-blackcat-scheme
- Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant: https://www.justice.gov/usao-sdfl/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
- Profile: ALPHV/BlackCat ransomware: https://www.cyber.gc.ca/en/guidance/profile-alphvblackcat-ransomware
- Inside an Alphv/BlackCat ransomware attack: https://www.techtarget.com/searchsecurity/news/366572372/Inside-an-Alphv-BlackCat-ransomware-attack
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware controls within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by reducing the exposure of vulnerable services through strict segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-aware access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by enforcing east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications may have been restricted by monitoring and controlling outbound traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been limited by enforcing strict egress policies.
Mitigation: The attacker's ability to deploy ransomware may have been constrained by limiting their access to critical systems.
Impact at a Glance
Affected Business Functions
- Incident Response Services
- Client Confidentiality Management
Estimated downtime: 30 days
Estimated loss: $10,000,000
Compromised data: Confidential client information, including insurance policy limits and internal negotiation strategies.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Enforce Multi-Factor Authentication (MFA) to strengthen access controls and prevent unauthorized access.
- Conduct regular security awareness training to educate employees on recognizing and avoiding phishing attempts.
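The egress monitoring and policy enforcement recommended above (and in the CNSF mitigations section) can be illustrated with a small detection pass over flow logs. The Python below is an added example written for this brief, not code from the original page or from any vendor product. It assumes a constructed, space-separated flow-log format, a hypothetical internal address range (10.0.0.0/8), a hypothetical allowlist of approved external destinations and a 500 MB per-pair byte budget; all of these values are made up for the illustration. The check flags three things a defender would want to see: accepted connections from internal hosts to destinations not on the allowlist, source/destination pairs whose accepted outbound volume exceeds the budget in the window, and egress attempts that the policy already blocked.

```python
"""Egress anomaly check over constructed flow-log lines.

Added illustration for this brief; not part of the original page or any product.
Log format (constructed): <epoch> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out> <action>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows. 10.0.1.15 pushes ~1.7 GB to an unapproved host;
# 10.0.1.22 talks to an approved endpoint; 10.0.1.30 has one accepted and one
# rejected flow to an unapproved host; the first line is internal-only traffic.
SAMPLE_FLOWS = """\
1700000000 10.0.1.15 10.0.2.40 445 tcp 120000 ACCEPT
1700000005 10.0.1.15 203.0.113.50 443 tcp 950000000 ACCEPT
1700000010 10.0.1.22 198.51.100.7 443 tcp 40000 ACCEPT
1700000015 10.0.1.15 203.0.113.50 443 tcp 820000000 ACCEPT
1700000020 10.0.1.30 192.0.2.9 8443 tcp 15000 ACCEPT
1700000025 10.0.1.30 192.0.2.9 8443 tcp 2000000 REJECT
"""

# Hypothetical policy values (assumptions, not from the original brief).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
APPROVED_EGRESS = {"198.51.100.7"}        # e.g. a sanctioned SaaS endpoint (constructed)
BYTES_PER_PAIR_THRESHOLD = 500_000_000    # 500 MB accepted bytes per src/dst pair


def parse_flow(line):
    """Split one constructed flow-log line into typed fields."""
    ts, src, dst, port, proto, nbytes, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes), "action": action}


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(log_text):
    """Return a list of findings for internal-to-external (egress) flows only."""
    findings = []
    accepted_bytes = defaultdict(int)   # (src, dst) -> total accepted bytes out
    unapproved_pairs = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only internal -> external traffic counts as egress; skip the rest.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        pair = (f["src"], f["dst"])
        if f["action"] == "REJECT":
            # Policy already blocked it, but the attempt itself is worth surfacing.
            findings.append({"type": "blocked_egress", "src": f["src"], "dst": f["dst"],
                             "port": f["port"], "bytes": f["bytes"]})
            continue
        accepted_bytes[pair] += f["bytes"]
        if f["dst"] not in APPROVED_EGRESS:
            unapproved_pairs.add(pair)

    for src, dst in sorted(unapproved_pairs):
        findings.append({"type": "unapproved_destination", "src": src, "dst": dst,
                         "bytes": accepted_bytes[(src, dst)]})
    for (src, dst), total in sorted(accepted_bytes.items()):
        if total > BYTES_PER_PAIR_THRESHOLD:
            findings.append({"type": "volume_threshold", "src": src, "dst": dst,
                             "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
```

On the constructed sample the pass reports the two unapproved destinations, the one pair that crossed the byte budget (10.0.1.15 to 203.0.113.50, 1.77 GB accepted) and the single rejected flow, while the approved endpoint and the internal-only SMB traffic produce nothing. In practice the allowlist and threshold come from the organization's egress policy, and the per-pair aggregation is what turns many individually unremarkable HTTPS flows into a volume signal.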