## Overview

A federal court has sentenced Ryan Goldberg and Kevin Martin — both described as cybersecurity professionals — to prison terms for their roles in a ransomware scheme conducted in partnership with the ALPHV/BlackCat criminal syndicate. The two men leveraged their technical expertise to deploy BlackCat ransomware against multiple victims, operating under an affiliate arrangement in which they remitted 20 percent of collected ransom payments to the ransomware's operators.

The case, announced by the Department of Justice on April 30, 2026, is notable because both defendants held professional backgrounds in the security industry before turning to criminal activity. Prosecutors did not publicly specify all victim categories, but BlackCat has been widely documented as a threat actor group that has targeted healthcare organizations, including hospitals and medical practices, with particular aggression.

The sentencing closes a significant chapter in federal efforts to prosecute ransomware affiliates — not just the operators of criminal infrastructure, but the downstream actors who carry out individual attacks and directly profit from ransom collections.

## Key developments

Affiliate model prosecuted at the operator level. Goldberg and Martin did not build BlackCat's ransomware infrastructure; they licensed it through an affiliate arrangement. Their prosecution demonstrates that federal law enforcement is actively pursuing the full affiliate chain, not limiting enforcement actions to core ransomware developers or administrators.

Insider expertise weaponized against victims. Both defendants possessed professional cybersecurity knowledge, which prosecutors implied facilitated the attacks. The case reinforces longstanding concerns about insider threat vectors and the potential for credentialed individuals to exploit their technical knowledge for criminal gain.

Twenty-percent revenue share tied defendants directly to the criminal enterprise. The documented financial arrangement — in which Goldberg and Martin paid ALPHV/BlackCat a 20 percent cut of ransom proceeds — provided prosecutors with a clear evidentiary basis for conspiracy charges, illustrating how ransomware-as-a-service financial structures create legal exposure across the affiliate network.

DOJ continues prioritizing ransomware affiliate prosecutions. This sentencing follows a broader federal pattern of dismantling ransomware ecosystems by targeting affiliates who might otherwise consider themselves at lower legal risk than core developers. The action signals sustained prosecutorial intent targeting those who deploy, not just those who build, ransomware tools.

## Industry impact

Healthcare remains the most targeted sector in ransomware campaigns, a pattern that federal regulators and independent researchers have documented consistently. The HHS Office for Civil Rights has noted that ransomware incidents constitute reportable breaches under HIPAA when electronic protected health information is present on affected systems, regardless of whether data is confirmed exfiltrated. BlackCat/ALPHV has appeared in multiple HHS advisories and FBI threat intelligence publications as a direct and persistent threat to the healthcare sector.

The IBM Cost of a Data Breach Report has repeatedly ranked healthcare as the industry with the highest average breach cost of any sector — a figure that reflects both the sensitivity of health data and the operational disruption that ransomware causes in clinical environments. Affiliate-model ransomware compounds this risk because it lowers the technical barrier to launching an attack, enabling a broader pool of actors to target healthcare entities that may lack enterprise-level security resources.

## What this means for independent practices

Independent practices should treat the Goldberg-Martin sentencing not as a distant criminal matter but as a signal that ransomware affiliate activity is actively prosecuted and that healthcare targets remain squarely in scope. Long-term posture improvement means moving from reactive to continuous: scheduled risk analyses, documented access reviews, and regular tabletop exercises that include practice leadership, not just IT staff.

## What would have prevented this

Role-based access controls (RBAC): Restricting system access to the minimum necessary for each user role limits the blast radius of any single compromised or malicious account. Granular access controls would have constrained what an attacker — including a credentialed insider — could reach after gaining initial entry.

Privileged access monitoring: Continuous logging and behavioral analysis of accounts with elevated privileges can surface anomalous activity — such as lateral movement, bulk file access, or unusual authentication patterns — before ransomware is fully deployed.
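The following is an added example, not code from the article or from any monitoring product, showing how the three patterns named above (lateral movement, bulk file access, unusual authentication times) can be scored from authentication and file-access logs. The log format, the privileged-account list, and every threshold are assumptions chosen for illustration; the log lines are constructed.

```python
"""Privileged-account anomaly scoring over constructed log lines.

Added example, not from the article or any vendor product. The log format
(ISO timestamp, event type, key=value fields) and the thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a backup service account authenticates to five hosts
# within a few minutes at 02:xx and then reads thousands of files; a clinician
# and an admin show ordinary daytime activity.
SAMPLE_LOG = """\
2026-03-01T02:10:00 auth user=svc_backup host=fs01
2026-03-01T02:11:30 auth user=svc_backup host=fs02
2026-03-01T02:12:05 auth user=svc_backup host=db01
2026-03-01T02:12:40 auth user=svc_backup host=ehr01
2026-03-01T02:13:10 auth user=svc_backup host=dc01
2026-03-01T02:14:00 fileread user=svc_backup host=fs01 count=4200
2026-03-01T09:05:00 auth user=dr_jones host=ehr01
2026-03-01T09:30:00 fileread user=dr_jones host=ehr01 count=12
2026-03-01T10:00:00 auth user=admin host=dc01
2026-03-01T10:02:00 fileread user=admin host=dc01 count=3
"""

# Accounts treated as privileged (assumed list for the example).
PRIVILEGED = {"svc_backup", "admin"}


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with a datetime 'ts', an 'event' and its key=value fields."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": datetime.fromisoformat(parts[0]), "event": parts[1], **fields}


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events, privileged=PRIVILEGED, window=timedelta(minutes=10),
                     host_threshold=4, bulk_threshold=1000, quiet_hours=(0, 5)):
    """Return {user: sorted rule names} for privileged accounts that trip a rule.

    Rules (illustrative thresholds):
      off_hours_auth   - authentication with the hour inside quiet_hours
      bulk_file_access - one fileread event touching >= bulk_threshold files
      lateral_movement - >= host_threshold distinct hosts authenticated to
                         inside any interval of length `window`
    """
    hits = defaultdict(set)
    auths = defaultdict(list)  # user -> [(ts, host)]
    for ev in events:
        user = ev["user"]
        if user not in privileged:
            continue  # non-privileged accounts are out of scope for this scorer
        if ev["event"] == "auth":
            auths[user].append((ev["ts"], ev["host"]))
            if quiet_hours[0] <= ev["ts"].hour < quiet_hours[1]:
                hits[user].add("off_hours_auth")
        elif ev["event"] == "fileread" and int(ev.get("count", 0)) >= bulk_threshold:
            hits[user].add("bulk_file_access")
    # Sliding window over each account's authentications: count distinct hosts
    # reached within `window` of every starting event.
    for user, entries in auths.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                hits[user].add("lateral_movement")
                break
    return {user: sorted(rules) for user, rules in hits.items()}


if __name__ == "__main__":
    for user, rules in detect_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(rules)}")
```

Running the block flags only `svc_backup`, for all three rules, while the daytime activity of `admin` stays silent. In practice the thresholds need tuning per environment (a legitimate backup job reads many files every night), which is why the output is a set of rule names per account rather than a single verdict: an analyst or a SOAR rule can require two or more rules to coincide before escalating.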

Network segmentation: Dividing clinical, administrative, and backup environments into isolated network segments prevents ransomware from propagating freely across systems once an initial foothold is established.

Endpoint detection and response (EDR) with behavioral analysis: Signature-based antivirus alone does not reliably detect modern ransomware variants, including BlackCat, which is designed to evade static detection. Behavioral monitoring at the endpoint level can identify encryption activity and trigger automated containment before widespread damage occurs.
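As an added illustration of the behavioral approach described above (this is not code from the article or from any EDR vendor), the block below scores file-write events per process: a write is treated as suspicious when the content is high-entropy and the file was renamed to a new extension, and a process is marked for containment when it produces many such writes in a short window. The event schema, the process ids, and the thresholds are assumptions; the events are constructed with a seeded generator so the run is reproducible.

```python
"""Behavioral detection of bulk encryption activity at the endpoint.

Added example, not from the article or from any EDR product. The event
schema (timestamp, pid, source path, destination path, bytes written) and
the thresholds are assumptions chosen for illustration.
"""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    """Lower-cased final extension of the file name, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def constructed_events():
    """Constructed file-write events (not real telemetry): pid 1337 rewrites
    twelve documents with high-entropy bytes and a new extension within 24
    seconds; pid 2001 saves a plain-text note twice."""
    rng = random.Random(20260430)  # seeded so the sample is reproducible
    t0 = datetime(2026, 3, 1, 3, 0, 0)
    events = []
    for i in range(12):
        src = f"C:/Shared/records/patient_{i}.docx"
        events.append((t0 + timedelta(seconds=2 * i), 1337, src, src + ".locked",
                       rng.randbytes(2048)))
    note = b"Follow-up visit scheduled for next week. " * 50
    events.append((t0, 2001, "C:/Users/dr/notes.txt", "C:/Users/dr/notes.txt", note))
    events.append((t0 + timedelta(seconds=30), 2001, "C:/Users/dr/notes.txt",
                   "C:/Users/dr/notes.txt", note + b"Labs pending."))
    return events


def score_processes(events, window=timedelta(seconds=60), min_files=10,
                    entropy_threshold=7.0):
    """Return {pid: 'contain' | 'allow'}.

    A write is suspicious when the content is high-entropy AND the file was
    renamed to a different extension. A process is contained when it produces
    at least min_files suspicious writes inside any interval of length `window`.
    """
    per_pid = defaultdict(list)
    for ts, pid, src, dst, data in events:
        suspicious = (shannon_entropy(data) >= entropy_threshold
                      and extension(dst) != extension(src))
        per_pid[pid].append((ts, suspicious))
    verdicts = {}
    for pid, writes in per_pid.items():
        writes.sort(key=lambda w: w[0])
        flagged = False
        for i, (t0, _) in enumerate(writes):
            count = sum(1 for t, s in writes[i:] if s and t - t0 <= window)
            if count >= min_files:
                flagged = True
                break
        verdicts[pid] = "contain" if flagged else "allow"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in score_processes(constructed_events()).items():
        print(f"pid {pid}: {verdict}")
```

Entropy alone is a poor signal, since archivers and legitimate encryption tools also write high-entropy output; combining it with the extension change and the write rate is what keeps the false-positive rate manageable, and production EDR adds further context (process lineage, canary files, signer reputation) before isolating a host.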

Immutable, offline backup architecture: Maintaining regularly tested backups that ransomware cannot reach — through air-gapping or write-once storage configurations — is the single most effective recovery control available to practices of any size, ensuring clinical continuity without reliance on ransom payment.

Read the original at DataBreaches.net