Three rogue cybersecurity professionals ran a covert ransomware operation aimed at extorting companies across the United States by encrypting their networks, prosecutors said.
The professionals are all Americans, although only two of them—Ryan Clifford Goldberg, a resident of Watkinsville, Georgia, and Kevin Tyler Martin, of Roanoke, Texas—have been named.
The targeted companies have not been identified by authorities, who described them only as firms in various industries based in California, Florida, Maryland, and Virginia.
‘Immediately’ Fired
DigitalMint, based in Chicago, said in a statement that a former employee had been indicted for participating in ransomware operations, adding that he was “acting completely outside the scope of his employment.”It added that the company had no knowledge of the alleged activity, and said the third unnamed co-conspirator, who court documents say is a resident of Land O'Lakes, Florida, “may have also been a company employee.”
DigitalMint “has been and continues to be a cooperating witness in the investigation and not an investigative target,” the company said.
Multinational Signia said it fired Goldberg “immediately upon learning of the situation,” adding that the company was not the target of the investigation and that it was co-operating with the investigation.

Critical Infrastructure Targeted
Ransomware attacks have become increasingly common in recent years and present serious challenges for targeted companies across virtually every industry.Malicious software, designed to wreak havoc with internal systems, can be unwittingly downloaded by simply opening an email attachment or clicking on a link.
Goldberg, Martin, and the unnamed suspect are accused of demanding $5 million from a California doctor’s office, targeting a pharmaceutical company in Maryland, attempting to extort $1 million from an engineering firm in California, and demanding $300,000 from a Virginia-based drone manufacturer.
The three co-defendants are accused of carrying out the conspiracy between May 2023 and April 2025, with the court document stating that most of the ransomware attacks the defendants are alleged to have committed used a similar structure.
Blackcat’s developers first recruited and vetted an affiliate, who would identify and attack victims using the ransomware, the court filing says.
The hackers then allegedly provided the affiliate with the ransomware through a password-protected “panel” available on the dark web, granting them access to the victim’s network to steal data and encrypt data, before leaving a ransom note.

Attempted Takedown
The U.S. Department of Justice and other agencies have tied Blackcat to more than 1,000 victims worldwide and described it as one of the most prolific ransomware groups prior to law‑enforcement disruption operations.In a December 2023 statement, the Justice Department said that over the previous 18 months, Blackcat had emerged as “the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.”







