The Fixers Who Became the Problem: How Three Ransomware Negotiators Allegedly Deployed the Attacks They Were Paid to Stop

When a company gets hit by ransomware, the first call is usually to someone like Angelo Martino, Kevin Tyler Martin, or Ryan Clifford Goldberg. These are the professionals who know the threat actors, speak the language, have handled dozens of negotiations, and can — in theory — stand between a panicking executive team and a criminal gang holding the company’s data hostage.

Federal prosecutors say that for Martino, Martin, and Goldberg, the relationship with the criminal gang was considerably closer than their clients understood. All three have pleaded guilty. The core allegation is as simple as it is devastating: they were not just negotiating ransoms. They were deploying ransomware. And the intelligence they gathered in their role as trusted crisis advisors — how much the victim could afford, how long they could survive an outage, what their cyber insurance limits were — went straight to the attackers, who used it to price the ransom at maximum extraction.

CNN’s report on the case described it as “groundbreaking.” That’s one word for it. Another is: exactly what every CISO who has ever outsourced ransomware response should be losing sleep over.

What the three men are accused of doing

The scheme, as alleged, exploited a simple information asymmetry. Ransomware negotiations are inherently opaque. The victim company doesn’t know what the attacker actually needs, and the attacker doesn’t know exactly how much the victim can pay. The negotiator’s entire value proposition is closing that information gap in the victim’s favor.

Martin, Goldberg, and Martino allegedly ran it the other direction. According to federal prosecutors, they actively deployed ransomware on victim systems — not just negotiated after the fact — and then positioned themselves on both sides of the transaction simultaneously. On the victim side: trusted crisis managers with full access to internal financials, board communications, and insurance documentation. On the attacker side: informants feeding real-time intelligence about negotiating position, payment ceiling, and business continuity pressure.

The result was predictable. Ransom demands were calibrated to extract maximum payment from victims who believed their negotiator was fighting for them. Martino, Martin, and Goldberg took a cut of the inflated outcome.

This is not a hypothetical failure mode. It happened, it was prosecuted, and all three men pleaded guilty.

Martino, Martin, Goldberg: roles and context

Angelo Martino is the subject of our earlier coverage of this case. His charges center specifically on his role in aiding BlackCat (ALPHV) ransomware attacks. BlackCat operated one of the most sophisticated ransomware-as-a-service platforms before the FBI seized its infrastructure in December 2023 — at its peak it was responsible for some of the most damaging healthcare and critical infrastructure incidents in recent years, including the Change Healthcare attack that disrupted prescription processing across the United States. Martino’s relationship with BlackCat made him, functionally, an undisclosed affiliate of the gang while presenting himself to victims as a neutral party negotiating against it.

Kevin Tyler Martin and Ryan Clifford Goldberg are co-defendants who have also pleaded guilty. Their specific roles within the scheme — which attacks, which victims, which deployment mechanisms — have not been fully detailed in public charging documents. What is documented is that all three participated in a coordinated scheme that involved both the deployment and the negotiation sides of the ransomware operation, and that all three extracted financial benefit from the inflated ransom outcomes.

The CNN investigation characterized the case as unprecedented: one of the first documented prosecutions in which incident response professionals are accused of being active participants in the attacks they were contracted to defend against, rather than merely negligent or conflicted.

Why this attack surface exists

The access a ransomware negotiator gets during an engagement is extraordinary. Think about what a victim company hands over in the first 48 hours of a ransomware crisis:

  • Financial runway assessments: How long can the company operate in a degraded state? What does downtime cost per day? What are the cash reserves available for an emergency payment?
  • Insurance policy details: What is the cyber insurance limit? What does the policy require in terms of notification, documentation, and law enforcement engagement before a claim can be paid?
  • Board and executive communications: Who has decision-making authority? What is the internal risk tolerance? Are there regulatory or reputational constraints on paying?
  • Technical environment: What systems are encrypted? What backups exist and are they intact? What is the realistic recovery timeline without paying?

Every one of those data points is directly useful to a ransomware gang trying to set an optimal demand. The gang that knows a victim has $5 million in cyber insurance coverage will not accept a $200,000 payment. The gang that knows the victim’s backup system was also encrypted and recovery will take 45 days will price for that operational pressure. The gang that knows board approval is needed for anything over $2 million will set the opening demand accordingly.

The negotiator — by design — is the person who assembles all of this information in one place. That is what makes a good negotiator valuable. It is also what makes a corrupt negotiator catastrophically dangerous.

The IR industry has no licensing board

If your lawyer betrays attorney-client privilege, they face disbarment. If your doctor breaches patient confidentiality, they face license revocation. If your ransomware negotiator leaks your crisis negotiating position to the criminal gang and takes a cut of the payment — there is no equivalent professional consequence beyond criminal prosecution.

The incident response and ransomware negotiation industry has no universal credentialing body, no ethics board, no mandatory disclosure requirements for conflicts of interest, and no standard audit process for practitioner relationships with threat actor networks. Certifications exist — CISA, CISSP, various vendor-specific credentials — but none of them address the specific question of whether a negotiator has operational relationships with the groups they claim to be negotiating against.

This is not a theoretical gap. Martin, Goldberg, and Martino operated within it for long enough to deploy ransomware, run negotiations, and collect payments before federal prosecutors assembled a case. The victim companies involved — their names have not been made public — had no mechanism to discover the conflict.

What cyber insurance carriers need to confront

Insurance carriers are the invisible backstop of the ransomware economy. They maintain approved vendor lists — pre-vetted IR firms that policyholders are routed to when they file a claim. The rationale is quality assurance: the carrier knows these vendors, trusts their methodology, and can control costs through established rates.

The Martin-Goldberg-Martino case puts a direct question to that model: how are approved vendors vetted for conflicts of interest with active threat actor networks? What is the audit process? What are the disclosure requirements? If an approved vendor has a financial relationship with a ransomware group — even an informal one — does the carrier’s current vetting process catch that?

The answer, almost certainly, is no. Background checks, financial due diligence, and technical competence reviews do not probe the specific question of whether a firm’s principals have operational ties to BlackCat, LockBit, Cl0p, or their successors. That vetting methodology needs to be developed now, because the prosecution of this case demonstrates both that the problem is real and that federal law enforcement can eventually detect it.

What companies should demand from IR firms going forward

The practical takeaway from this case is not “never hire a ransomware negotiator.” The practical takeaway is “hire with the same scrutiny you would apply to any fiduciary relationship — and then some.”

Specific questions worth putting to any IR firm before a crisis makes vetting impossible:

  • Conflicts of interest policy: Does the firm have a documented, enforceable policy prohibiting financial relationships with ransomware operators or affiliates? Who is responsible for enforcing it?
  • Case history and references: Can the firm provide documented outcomes from past negotiations, verifiable by former clients? What percentage of negotiations resulted in payment reduction versus full payment at initial demand?
  • Personnel disclosure: Which individuals will have access to your internal financial and operational data? What is their background, and has it been independently verified?
  • Communication protocols: How does the firm document the negotiation — and does that documentation go to you in real time, or only after the fact?
  • Regulatory notification: Does the firm understand and comply with OFAC guidance on ransomware payments? Have they ever facilitated a payment to a sanctioned entity?

None of these questions would have been standard practice before this case. They should be standard practice now.

The broader signal

The Martin-Goldberg-Martino prosecution is a proof of concept for something the ransomware ecosystem has been moving toward for years: the monetization of the entire incident response pipeline, not just the attack and the ransom. Initial-access brokers sell entry points. Data brokers sell exfiltrated records. Negotiation brokers, apparently, can sell the victim’s own crisis intelligence.

This is not a reason to conclude that the IR industry is compromised. The vast majority of ransomware negotiators and incident response professionals operate with integrity. It is a reason to conclude that the conflict-of-interest risk is real, that self-regulation is insufficient, and that the clients most at risk — companies in crisis, with no time to vet and no leverage to demand transparency — are precisely the ones who will never know until it is too late.


Breached.Company covers cybercrime prosecutions, breach disclosures, and threat intelligence for the security community. Related coverage: Angelo Martino — Ransomware Negotiator Guilty Plea.


Sources: CNN investigation; WRAL; The Hacker News — Martino plea.