Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
When ransomware hits, you call in the cavalry. IR firm. Crypto negotiators. Legal counsel. You hand them your most sensitive information because you have to. You trust them with everything.
Turns out one of those trusted negotiators was playing for the other team.
The DOJ just charged Angelo Martino, a ransomware negotiator at DigitalMint, with feeding BlackCat/ALPHV operators confidential information from the very victims he was supposed to be helping. We’re talking insurance limits, negotiation strategy, internal comms. Everything an attacker needs to squeeze harder.
And squeeze they did. Prosecutors listed negotiations hitting $26 million, $25 million, $16 million, and $6 million. Martino allegedly participated in at least 10 attacks while collecting a cut of the payouts.
He’s not alone. Two co-conspirators already pleaded guilty in December. Ryan Goldberg worked for the IR firm Sygnia, meaning he was the person brought in to investigate breaches. Kevin Martin was another DigitalMint negotiator. Between them, they pocketed roughly $1.2 million from a single attack on a Florida medical company.
So one person was in the forensics chair. Two were at the negotiation table. All three were helping run the attack.
DigitalMint says it suspended Martino the same day the DOJ came knocking and fired him two months later. They’ve since added auditable negotiation platforms and founder-level oversight on all negotiations. They’re also working with DHS on a registry for ransomware negotiators. Which, yeah, probably should have existed already.
Here’s the uncomfortable part for everyone else: most organizations pick their ransomware response partners under extreme duress. Whoever the insurer recommends. Whoever picks up the phone. That’s not vetting. That’s panic.
A few things worth doing before the next incident hits:
Pre-approve your vendors now. Not during the crisis. Get retainers in place with firms you’ve actually checked out.
Review your engagement agreements. Most don’t include conflict-of-interest provisions or background check requirements. Fix that.
Know who’s on your case. A good firm name doesn’t guarantee every individual on the team is clean.
And stop handing your full insurance policy limits to every external party in the room. Your negotiator needs an authorized number to work within, not your coverage ceiling. The policy itself stays with legal.
None of this is bulletproof against a determined insider. But trust without structure is just hope. And hope is not a security control.