Executive Summary
In May 2026, two former cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, were sentenced to four years in prison for their involvement in BlackCat (ALPHV) ransomware attacks targeting U.S. companies between May and November 2023. Utilizing their insider knowledge, they breached networks of multiple organizations, including a Maryland pharmaceutical company and a California engineering firm, demanding ransoms ranging from $300,000 to $10 million. One victim, a Tampa medical device manufacturer, paid $1.27 million after its servers were encrypted. (bleepingcomputer.com)
This case underscores the evolving threat landscape where trusted insiders exploit their positions to facilitate cyberattacks. The incident highlights the critical need for organizations to implement robust insider threat detection mechanisms and reinforces the importance of comprehensive cybersecurity measures to protect against both external and internal threats.
Why This Matters Now
The sentencing of these individuals serves as a stark reminder of the potential risks posed by insider threats within organizations. As cybercriminals continue to adapt their tactics, leveraging trusted positions to execute attacks, it is imperative for companies to enhance their security protocols and foster a culture of vigilance to mitigate such risks.
Attack Path Analysis
The attackers gained initial access through valid credentials obtained from a compromised third-party vendor. They escalated privileges by exploiting Active Directory vulnerabilities to obtain domain administrator credentials. Lateral movement was achieved using tools like Cobalt Strike to navigate the network. Command and control were maintained via remote desktop protocol connections. Data exfiltration involved transferring sensitive information to external servers. The impact culminated in the encryption of critical systems and ransom demands.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access using valid credentials from a compromised third-party vendor.
MITRE ATT&CK® Techniques
Valid Accounts
Command and Scripting Interpreter: Windows Command Shell
Data Encrypted for Impact
File and Directory Discovery
Inhibit System Recovery
Network Share Discovery
Modify Registry
Indicator Removal: Clear Windows Event Logs
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
BlackCat ransomware directly targeted pharmaceutical companies and medical device manufacturers, exploiting insider knowledge to encrypt critical healthcare systems and steal sensitive patient data.
Computer/Network Security
Former cybersecurity professionals from incident response companies abused specialized knowledge and privileged access to conduct BlackCat attacks, undermining industry trust and security protocols.
Mechanical or Industrial Engineering
Engineering firms and drone manufacturers faced targeted BlackCat attacks with ransom demands up to $10 million, threatening intellectual property and critical manufacturing operations.
Aviation/Aerospace
Drone manufacturing companies were specifically targeted in BlackCat campaigns, risking compromise of sensitive aerospace technology and defense-related intellectual property through insider-facilitated attacks.
Sources
- US ransomware negotiators get 4 years in prison over BlackCat attackshttps://www.bleepingcomputer.com/news/security/us-ransomware-negotiators-get-4-years-in-prison-over-blackcat-attacks/Verified
- Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomwarehttps://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomwareVerified
- DOJ accuses US ransomware negotiators of launching their own ransomware attackshttps://techcrunch.com/2025/11/03/doj-accuses-us-ransomware-negotiators-of-launching-their-own-ransomware-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial credential compromise, it could limit the attacker's ability to exploit these credentials across the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing lateral movement opportunities.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely restrict lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling outbound traffic.
While Aviatrix CNSF may not prevent the encryption of systems, it could limit the spread of ransomware by containing the attack within segmented areas.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Research and Development
- Patient Care Services
- Engineering Design
Estimated downtime: 21 days
Estimated loss: $1,270,000
Sensitive corporate data, including proprietary designs and patient records, were at risk due to the ransomware attacks.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy East-West Traffic Security to monitor and control internal communications.
- • Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Establish Multicloud Visibility & Control to maintain oversight across all cloud environments.
