From Negotiator to Collaborator: The Shocking Fall of a Ransomware Insider
A trusted cyber responder turned traitor, exposing the hidden dangers of insider threats in the fight against ransomware.
When a cyberattack hits, companies turn to incident response professionals for help. But what happens when the negotiator is secretly working for the criminals? This unsettling question became reality as Angelo Martino, a seasoned ransomware negotiator, admitted to betraying his clients and conspiring with the notorious BlackCat/ALPHV ransomware group. The case has shaken the cybersecurity world, revealing a dark underbelly where trust can be weaponized - and sold to the highest bidder.
The Department of Justice’s revelations paint a disturbing picture: Martino, 41, used his inside access at a US-based incident response firm to feed BlackCat attackers privileged information about victim companies. This included details like cyber insurance policy limits and negotiation strategies - information meant to help victims, not maximize criminal profits. Knowing a victim’s coverage ceiling and walk-away point lets an attacker anchor the demand at the most the victim can pay. Martino’s betrayal enabled BlackCat to squeeze higher ransoms, weaponizing his clients’ own defenses against them.
Martino wasn’t acting alone. He conspired with two other cybersecurity insiders, Ryan Goldberg and Kevin Martin, to deploy BlackCat ransomware against multiple US organizations between April and November 2023. After extracting $1.2 million in Bitcoin from one victim, the trio laundered their cut through various channels. Law enforcement’s asset seizures - ranging from a food truck to a luxury boat and millions in digital currency - underscore the scale of the operation.
Both DigitalMint and Sygnia, the employers of the guilty parties, have stressed full cooperation with authorities and immediate termination of the rogue insiders. Their statements echo a larger industry concern: even trusted professionals can pose a threat when oversight and internal controls fail.
Experts warn this case is a wake-up call. Daniel Tobok, CEO of Cypfer and an experienced ransomware negotiator, argues for a strict separation between negotiation and payment functions. “When you have a clear separation, those involved have nothing to gain personally,” Tobok explains, emphasizing the need for organizational firewalls (information barriers between the people who talk to the attackers and the people who move the money) to prevent conflicts of interest. Morey Haber, chief security advisor at BeyondTrust, adds that trust must be continually verified - even for those hired to protect.
This breach of trust highlights a growing risk: the insider threat. As ransomware attacks become more sophisticated, the defenders themselves can become the weakest link, especially when motivated by greed or coercion. For organizations facing ransomware, the lesson is clear - trust, but verify, and build robust internal safeguards to protect against betrayal from within.
As Martino and his co-conspirators await sentencing, their story serves as a chilling reminder: in the shadowy world of cybercrime, the line between protector and predator can be razor-thin. For victims and responders alike, vigilance and strong internal controls are now more crucial than ever.
WIKICROOK
- Ransomware: Ransomware is malicious software that encrypts or locks data (and, in many modern operations, first steals a copy of it), demanding payment from victims to restore access to their files or systems or to withhold the stolen data from publication.
- Incident Response: Incident response is the structured process organizations use to detect, contain, and recover from cyberattacks or security breaches, minimizing damage and downtime.
- Insider Threat: An insider threat is when someone within an organization misuses their access to systems or data, intentionally or accidentally causing harm.
- Bitcoin: Bitcoin is a digital currency enabling direct online payments without a bank as intermediary. Its pseudonymity makes it a common choice for ransom payments in cyberattacks, although every transaction is recorded on a public ledger, which is what lets investigators trace and seize criminal proceeds.
- Laundering: Laundering is disguising illegally obtained money to make it appear legitimate, often by routing it through chains of transactions, intermediaries, or digital platforms that obscure its origin.