A Tampa-based medical device manufacturer fell victim to an ALPHV/BlackCat ransomware attack, orchestrated by insiders including a ransomware negotiator (Kevin Tyler Martin) and an incident response manager (Ryan Clifford Goldberg), who allegedly conspired with the ransomware group. The attack encrypted critical servers, halting operations and forcing the company to pay $1.27 million in cryptocurrency to regain access. The breach not only caused severe financial loss but also posed risks to patient safety and supply chain disruptions, given the company’s role in producing medical devices. The incident highlights the dual threat of insider collusion and ransomware-as-a-service (RaaS), where trusted security professionals exploited their positions to facilitate cyber extortion. While no explicit data exfiltration details were disclosed, the attack’s scale—targeting a healthcare-adjacent manufacturer—suggests potential downstream impacts on hospitals and patient care. The case is part of a broader conspiracy involving at least five U.S. companies, with law enforcement later dismantling ALPHV/BlackCat’s infrastructure in late 2023.
Source: https://www.helpnetsecurity.com/2025/11/04/ransomware-negotiator-alphv-blackcat-ransomware/
TPRM report: https://www.rankiteo.com/company/conmed-corporation
"id": "con3594035110425",
"linkid": "conmed-corporation",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'healthcare/medical devices',
'location': 'Tampa, Florida, USA',
'name': 'Tampa-based Medical Device Manufacturer',
'type': 'private company'},
{'location': 'Maryland, USA',
'name': 'Unnamed Company (Maryland)'},
{'location': 'California, USA',
'name': 'Unnamed Company (California)'},
{'location': 'Virginia, USA',
'name': 'Unnamed Company (Virginia)'},
{'industry': 'cybersecurity/incident response',
'name': 'Sygnia Cybersecurity Services',
'type': 'cybersecurity firm'},
{'industry': 'financial services/cryptocurrency',
'name': 'DigitalMint',
'type': 'cryptocurrency broker'}],
'attack_vector': ['human insider (conspirators)',
'ransomware-as-a-service (ALPHV/BlackCat)'],
'data_breach': {'data_encryption': True,
'data_exfiltration': ['likely (standard ALPHV/BlackCat '
'tactic)']},
'description': 'A ransomware negotiator (Kevin Tyler Martin) and an incident '
'response manager (Ryan Clifford Goldberg) were indicted in '
'Florida for allegedly conspiring with the ALPHV/BlackCat '
'ransomware group to deploy attacks against multiple US '
'companies, extorting nearly $1.3 million from one victim. A '
'third unnamed individual, also a ransomware negotiator at '
'DigitalMint, was involved. The attacks targeted at least five '
'organizations across Florida, Maryland, California, and '
'Virginia, including a Tampa-based medical device manufacturer '
"that paid ~$1.27M in ransom. The ALPHV/BlackCat group's leak "
'sites were later seized by law enforcement in late 2023, and '
'the group executed an exit scam after the Change Healthcare '
'attack.',
'impact': {'brand_reputation_impact': ['potential reputational damage to '
'victim organizations and involved '
'firms (Sygnia, DigitalMint)'],
'financial_loss': '$1.3M (extorted from one victim; total losses '
'across victims likely higher)',
'legal_liabilities': ['indictments for conspiracy, extortion, and '
'computer damage; potential civil lawsuits'],
'operational_impact': ['disruption of business operations due to '
'encrypted systems'],
'systems_affected': ['encrypted servers (e.g., Tampa-based medical '
'device manufacturer)']},
'initial_access_broker': {'data_sold_on_dark_web': ['likely (ALPHV/BlackCat '
'leak sites hosted '
'exfiltrated data)'],
'high_value_targets': ['medical device '
'manufacturers, companies in '
'Maryland/California/Virginia']},
'investigation_status': 'ongoing (indictments unsealed; third conspirator '
'unnamed)',
'lessons_learned': ['Insider threats can emerge from trusted roles (e.g., '
'incident responders, negotiators).',
'Ransomware-as-a-service models enable collusion between '
'affiliates and external actors.',
'Law enforcement disruption (e.g., leak site seizures) '
'can temporarily hinder but not always stop ransomware '
'groups.',
'Exit scams are a growing risk in RaaS ecosystems '
'post-disruption.'],
'motivation': ['financial gain', 'extortion'],
'post_incident_analysis': {'root_causes': ['Collusion between insiders '
'(Goldberg, Martin) and '
'ALPHV/BlackCat operators.',
'Lack of oversight for employees '
'with access to sensitive '
'negotiation/response processes.',
'Exploitation of RaaS model to '
'launder ransom payments via '
'DigitalMint.']},
'ransomware': {'data_encryption': True,
'data_exfiltration': ['likely (double extortion tactic)'],
'ransom_demanded': ['multimillion-dollar demands (e.g., $1.27M '
'paid by Tampa manufacturer)'],
'ransom_paid': '$1.27M (by Tampa-based medical device '
'manufacturer)',
'ransomware_strain': 'ALPHV/BlackCat'},
'recommendations': ['Enhance background checks and monitoring for employees '
'in high-risk roles (e.g., incident response, ransomware '
'negotiation).',
'Implement strict conflict-of-interest policies for '
'cybersecurity firms and negotiators.',
'Victims should report attacks to law enforcement to '
'enable coordinated takedowns.',
'Organizations should avoid paying ransoms to discourage '
'the RaaS economy.'],
'references': [{'source': 'U.S. Department of Justice (Southern District of '
'Florida)'},
{'source': 'Chicago Sun Times'}],
'regulatory_compliance': {'legal_actions': ['federal indictments for '
'conspiracy, extortion (18 U.S. '
'Code § 875), and computer damage '
'(18 U.S. Code § 1030)']},
'response': {'containment_measures': ['seizure of ALPHV/BlackCat leak sites '
'(late 2023)',
'offer of decryptor to victims'],
'law_enforcement_notified': True,
'third_party_assistance': ['law enforcement (FBI, DOJ)']},
'threat_actor': ['ALPHV/BlackCat ransomware group',
{'location': 'Watkinsville, Georgia',
'name': 'Ryan Clifford Goldberg',
'role': 'Incident Response Manager (Sygnia Cybersecurity '
'Services)'},
{'location': 'Roanoke, Texas',
'name': 'Kevin Tyler Martin',
'role': 'Ransomware Threat Negotiator (DigitalMint)'},
{'location': 'Land O’Lakes, Florida',
'name': 'Unnamed Individual',
'role': 'Ransomware Threat Negotiator (DigitalMint)'}],
'title': 'ALPHV/BlackCat Ransomware Conspiracy Involving Insider Threat '
'Actors',
'type': ['ransomware', 'insider threat', 'extortion', 'conspiracy']}