Florida Man Working as a Ransomware Negotiator Pleads Guilty to Conspiracy to Deploy Ransomware and Extort U.S. Victims
Threat Overview
A Florida-based ransomware negotiator has pleaded guilty to conspiracy charges for colluding with the BlackCat ransomware operation to extort U.S. healthcare and business victims. This case involves three cybersecurity professionals who allegedly leveraged their technical expertise and victim relationships to deploy BlackCat ransomware and facilitate ransom negotiations. The defendants — including Ryan Goldberg of Georgia and Kevin Martin of Texas, who pleaded guilty in December — face sentencing in April 2025. This prosecution exposes a critical threat model: insiders with legitimate cybersecurity credentials weaponizing trusted access and industry knowledge to execute attacks from within the security ecosystem itself.
Attack Vector & Tactics
BlackCat (also known as ALPHV) operates as a ransomware-as-a-service platform that encrypts victim systems and demands payment for decryption keys. The conspiracy charge indicates the defendants didn't just respond to breaches — they actively participated in targeting and extorting victims. Key tactics in this model include:
- Insider positioning: Using roles as negotiators or security consultants to identify vulnerable targets
- Dual-use platforms: Exploiting negotiation infrastructure that legitimately connects victims with attackers
- Trust exploitation: Leveraging professional credibility to gain victim confidence during extortion
- Revenue sharing: Profiting from ransom payments through affiliate or referral structures
For healthcare practices, this reveals a disturbing evolution: threat actors are no longer just external criminals. They can be individuals embedded in the security industry itself, with privileged visibility into defensive gaps and incident response processes.
Defense Measures
This case underscores that trust verification must extend to everyone in your security supply chain:
- Vet all vendors: Request references, verify credentials independently, and search for enforcement actions or litigation history before engaging security consultants or incident response firms
- Document vendor access: Maintain audit logs of who accessed your systems, when, and what they viewed — especially third parties conducting assessments or responding to incidents
- Limit access scope: Grant vendors only the minimum access required to complete their work, and revoke it immediately upon completion
- Require BAAs: Even security vendors handling ePHI need Business Associate Agreements with explicit data handling and breach notification terms
- Verify certifications: Confirm that claimed security certifications (CISSP, CISM, etc.) are current and legitimate through issuing body databases
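The "document vendor access" and "limit access scope" measures can be checked mechanically against each other. The following is an added example, not part of the original article or any vendor's product: it compares an access log with a register of vendor engagements and flags vendor activity that falls outside the approved window, touches a system outside the granted scope, or comes from a vendor account with no engagement on record. The log columns, account names, system names and dates are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed engagement register: vendor account -> approved window and systems.
ENGAGEMENTS = {
    "ir-vendor-a": {"start": "2024-03-01T00:00:00", "end": "2024-03-15T00:00:00",
                    "scope": {"ehr-db", "file-server"}},
    "pentest-vendor-b": {"start": "2024-04-01T00:00:00", "end": "2024-04-05T00:00:00",
                         "scope": {"web-portal"}},
}

# Constructed access log; the column layout is an assumption, not a real product's format.
SAMPLE_LOG = """timestamp,account,account_type,system,action
2024-03-02T10:15:00,ir-vendor-a,vendor,ehr-db,read
2024-03-10T22:40:00,ir-vendor-a,vendor,backup-server,list
2024-03-20T03:05:00,ir-vendor-a,vendor,ehr-db,export
2024-04-02T09:00:00,pentest-vendor-b,vendor,web-portal,scan
2024-04-03T11:30:00,unknown-consultant,vendor,ehr-db,read
2024-04-02T12:00:00,staff-nurse-1,staff,ehr-db,read
"""

def review_vendor_access(log_text, engagements):
    """Return (timestamp, account, system, reason) for each vendor access policy gap."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["account_type"] != "vendor":
            continue  # staff access is reviewed under a separate policy
        key = (row["timestamp"], row["account"], row["system"])
        eng = engagements.get(row["account"])
        if eng is None:
            # Vendor account active without a documented engagement (or BAA).
            findings.append(key + ("no engagement on record",))
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        start = datetime.fromisoformat(eng["start"])
        end = datetime.fromisoformat(eng["end"])
        if not (start <= ts < end):
            # Access should have been revoked when the work completed.
            findings.append(key + ("outside engagement window",))
        if row["system"] not in eng["scope"]:
            # Least privilege: the vendor touched a system it was not granted.
            findings.append(key + ("system out of scope",))
    return findings

if __name__ == "__main__":
    for finding in review_vendor_access(SAMPLE_LOG, ENGAGEMENTS):
        print(" | ".join(finding))
```
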
What This Means for Your Practice
If your practice uses third-party vendors for risk assessments, penetration testing, or incident response, this case demands a harder look at who has keys to your systems. The defendants in this case weren't darknet criminals operating from overseas — they were U.S.-based professionals with legitimate industry presence. Healthcare practices are particularly vulnerable because HIPAA violations create dual leverage: ransomware attackers can threaten both operational disruption and regulatory penalties for data exposure. Incidents like this often involve extended access periods where conspirators map networks, identify backups, and catalog data value before executing attacks. The average breach lifecycle spans 258 days (IBM, 2024), giving insiders significant opportunity to prepare multi-stage extortion campaigns.
How Patient Protect Helps
Patient Protect's Autonomous Compliance Engine automatically tracks all vendor relationships and ensures Business Associate Agreements are in place and current — flagging gaps before they become liabilities. The Vendor Risk Scanner evaluates third-party security posture and BAA compliance, creating a documented audit trail of due diligence. ePHI Audit Logging captures immutable, per-session access records for every user and vendor interaction with patient data, providing the forensic evidence needed to identify suspicious insider activity. Access Management enforces granular permissions across 9 defined roles, ensuring vendors receive only the specific access required for their work — nothing more. If a breach occurs, the Breach Simulator models attack scenarios against your actual controls, helping you understand exposure and prioritize response. Starting at $39/month with no contracts, Patient Protect provides the security-first layer purpose-built for independent practices. Start a free trial at hipaa-port.com or check your risk at patient-protect.com/risk-assessment.
This editorial was generated by AI from publicly available source material and is clearly labeled as such. It does not constitute legal, compliance, or professional advice. Inclusion of any entity does not imply wrongdoing. Patient Protect makes no warranties regarding accuracy or completeness. Verify all information with the original source before relying on it.

