Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, recently pleaded guilty to charges related to ransomware attacks against American companies.
Ransomware is malware used by cybercriminals to encrypt and steal data from the computer networks of targeted companies and then demand a ransom payment in exchange for unlocking the data and agreeing not to publish the sensitive stolen data.
Ransomware attacks have been around since 1989, but the early attacks were relatively rare and the payments small. Ransomware attacks increased dramatically in the 2010s due to the creation of Bitcoin and other cryptocurrencies as well as the development of advanced encryption technology, which made it more difficult to recover encrypted files. This led to major ransomware attacks such as WannaCry and NotPetya in 2017, which caused tremendous worldwide disruption.
Beginning around 2012, but becoming more widely prevalent in 2017, the criminal business model for ransomware attacks changed dramatically. Previously, ransomware attacks were carried out by individual cybercriminal geniuses (the Lex Luthors of cybercrime) who developed the sophisticated ransomware themselves. These criminal geniuses found that it was actually more profitable to provide Ransomware on Demand services to less sophisticated cybercriminals, referred to as “affiliates,” and share the proceeds of the attacks those affiliates carried out.
The developers of the ransomware create toolkits for deploying it and offer them on the Dark Web, that part of the Internet where criminals buy and sell goods and services. Affiliates lease the use of the software in return for a split of the profits, with generally between 20% and 40% of the profits going back to the developer. The developers also provide tutorials and customer support to the affiliates, and even negotiation services on their behalf once a demand has been made following a ransomware attack. Bitcoin and Monero are the cryptocurrencies of choice for the ransom payments.
Using this business model, the BlackCat ransomware gang received more than $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the FBI.
Enter Angelo Martino who, along with two other co-conspirators, Kevin Tyler Martin and Ryan Goldberg, acted as affiliates of the ransomware gang BlackCat in attacks against ten targets in 2023 that included a financial services firm that paid a ransom of $25,660,000 and a nonprofit that paid a ransom of $26,793,000. The three co-conspirators, in turn, paid 20% of the ransom cryptocurrencies to BlackCat.
But Martino’s crimes did not stop there.
Generally, once a ransomware demand is made, negotiations between the hacker and the victim follow. However, the victim rarely handles the negotiations directly but rather has them done by specialized companies such as Coveware, Sygnia and Martino’s employer, GuidePoint. These companies work in tandem with cyberinsurance companies that write insurance policies that will cover the costs of the ransom. Martino acted as a negotiator for five of his targeted victims and provided confidential information to the BlackCat negotiators, including insurance policy limits, enabling the BlackCat negotiators to obtain the maximum ransom.
According to U.S. Attorney Jason A. Reding Quinones, “Ransomware victims turned to this defendant for help, and he sold them out from the inside. As he admitted in court, he abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion.”
Kevin Tyler Martin and Ryan Goldberg each pleaded guilty and were sentenced to four years in prison. Angelo Martino is scheduled for sentencing on July 9, 2026.

