On April 30, 2026, two former incident response professionals were each sentenced to four years in federal prison in the Southern District of Florida. One had been an incident response manager at a well-known IR firm. The other had been a ransomware negotiator at a separate, equally well-known firm. Both pleaded guilty in December 2025 to conspiracy to obstruct commerce by extortion, alongside a third co-conspirator, also a former ransomware negotiator at the second firm, who is scheduled for sentencing on July 9, 2026.
Between May and November 2023, the three operated as BlackCat (ALPHV) affiliates. They paid the BlackCat operators a 20 percent cut in exchange for access to the platform and used it to attack U.S. companies in healthcare, pharmaceuticals, engineering, and defense manufacturing. In at least five of the cases involving the second firm, the firm was hired by victims to negotiate with the attackers. In several of those engagements, the third co-conspirator was assigned as the negotiator, meaning he was negotiating against himself on behalf of his employer’s clients while sitting on the attacker side of the table.
According to the Department of Justice, the conspirators extracted at least $1.27 million from one victim, with figures across the wider conspiracy reported in the tens of millions. Neither firm is accused of knowledge of or involvement in the scheme, and both terminated the employees once federal authorities surfaced the activity.
That is the news. The reason this story will stay in the LinkedIn feed for a week is not the sentencing. It is what the sentencing forces every security and risk leader to think about.
The trust architecture nobody talks about
Most organizations have a thoughtful control model for software vendors. SOC 2 reports get reviewed. Pen test summaries get requested. Data flow diagrams get drawn. Sub-processor lists get tracked. The vendor risk team has a process, and the process is mostly defensible.
The same organizations have a much less rigorous control model for the firms they call during an incident.
Think about what an IR engagement actually looks like in practice. The phone rings at 2 a.m. A consultant you have never personally worked with shows up on a Zoom bridge an hour later. Within six hours, that consultant has domain-admin-equivalent access in your environment, full access to your endpoint detection console, copies of your event logs, a list of your crown-jewel data stores, your cyber insurance policy limits, your board’s risk appetite, your CFO’s after-hours contact information, and the names of every executive who has touched a recent acquisition. By the second day, they have your forensic images, your malware samples, your environment topology, and a candid conversation with your CISO about what your detection program is actually missing.
That is an enormous amount of trust extended to a single individual at a single point in time, very often with no contractual control more sophisticated than the master services agreement signed two years prior. The MSA usually has standard confidentiality, indemnification, and liability clauses. It rarely has anything that resembles the access control, separation of duties, or monitoring regime that the same organization would demand of a privileged internal employee.
This is significant because the asymmetry is structural. Speed is the entire reason IR firms exist. The faster they can move, the better the outcome. Every minute spent verifying identity, scoping access, or applying least privilege during an active incident is a minute the adversary keeps moving. The IR engagement model is built on trust by necessity, not by oversight, and that trust has historically extended to anyone the firm puts on the engagement.
The sentencings make that asymmetry uncomfortable to ignore.
What actually happened, structurally
Strip the personalities out of the story and the structural picture is clean.
Two firms hired qualified people. Both firms ran the kind of background checks that are standard in the industry. Both firms had ethics policies, internal training, and reasonable hiring practices. Neither firm has been accused of negligence by federal prosecutors. The compromise did not happen because the firms were sloppy. It happened because the IR engagement model gives individual responders deep, fast, low-friction access to victim environments, with the volume and pace of incident work making continuous granular oversight impractical.
That is the part of the story that does not change with better hiring. Better hiring lowers the probability of a bad actor making it through the front door. It does not change what a bad actor can do once they are on an engagement.
For ransomware negotiation specifically, the asymmetry is even sharper. A negotiator sees the victim’s insurance policy limits, internal authorization ceiling for ransom payments, decision-maker hierarchy, time pressure, and operational impact. That information is exactly the information an attacker needs to extract maximum value. That is the bridge the indictment describes being crossed. Confidential negotiation context flowed in one direction. Affiliate-side ransom strategy flowed in the other. The same individual sat on both sides.
Why this is significant for the rest of us
The temptation is to read this story as a problem for IR firms to solve. It is not. It is a problem for the organizations that hire them.
A few things change as a result of this case, or at least should.
The first is the realization that IR engagement risk is a third-party risk problem, and most third-party risk programs do not handle it well. Standard vendor questionnaires were not built to address the specific access pattern of an IR engagement. The contractual language in most MSAs was not drafted with insider compromise of the vendor in mind. The audit rights are usually weak, the access logging requirements are usually nonexistent, and the post-engagement attestation is usually limited to confidentiality.
The second is that insurance carriers are paying attention. The cyber insurance market has been quietly maturing for several years, with carriers requiring panels of approved IR firms and approved negotiators as a condition of coverage. After this case, expect that approval process to get more rigorous, more documented, and more conditional. Carriers do not like surprises, and a story like this is exactly the kind of surprise they will be trying to underwrite against for the next renewal cycle.
The third is that the conversation about separation of duties inside IR firms is going to become a conversation IR firms have with clients. Up until now, asking an IR firm whether the same individual could be both the technical lead and the ransom negotiator on an engagement has been a niche question. After this case, it is a reasonable question for any procurement or legal team to ask, and IR firms with good answers are going to win business they would not have won before.
What practitioners can actually do
This is the part where a lot of writing on this story is going to default to “do better insider threat detection,” which is fine but not particularly actionable. The more useful question is what changes in how an organization onboards, scopes, and oversees an IR engagement.
A few specific moves are worth considering. Each of them is implementable today without buying anything.
In the MSA and engagement letter, require named individuals for any role with access to negotiation context, ransom decision-making, or financial information. Require notification within a defined window when a named individual changes. This does not slow down an active engagement. It just makes the personnel layer visible.
In engagement scoping, require a documented separation between the technical IR team and the negotiation team, including independent reporting lines within the firm. Ask whether the firm enforces this separation by policy or by practice. The answers tend to be different.
In access provisioning, treat IR engagement accounts the way the rest of the industry has finally started treating service accounts. Time-bound credentials with an expiration set to the engagement end date. Just-in-time elevation where the platform supports it. Privileged session recording for any account with domain admin or equivalent. None of this is novel. It just rarely gets applied to consultants, usually on the argument that there is no time for it at 2 a.m. Pre-staging a small pool of disabled, pre-scoped consultant accounts that get enabled and assigned at kickoff removes that argument.
In monitoring, log and alert on IR engagement activity the same way you would log and alert on any other privileged access. If your EDR console allows you to scope a tenant or a workspace to a single consultant for the duration of the engagement, do that. If your SIEM allows you to tag and review activity from those accounts for 90 days post-engagement, do that. The window in which a compromised consultant could exfiltrate data does not close the moment the engagement ends.
In post-engagement closeout, require an attestation that all consultant accounts have been disabled, all VPN access has been revoked, all artifact transfers have been completed and verified, and any retained material has been catalogued. This is a normal vendor-offboarding control that many organizations skip on IR engagements because the engagement is messy and the team is exhausted. Skip it once and the access tail can run for months.
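The three controls above (time-bound accounts, post-engagement monitoring, and closeout verification) reduce to a handful of checks that can be scripted. The following is an added example, not code from the original post or from any IR firm: it takes an engagement record, a directory export of the consultant accounts, and a batch of authentication events, and reports accounts that are still enabled, accounts that were never time-bound, and any activity by engagement accounts after the engagement ended. The directory field names, the JSON-per-line log shape, and all sample data are constructed for the example; in practice the directory rows come from Get-ADUser or your IdP and the events from your SIEM.

```python
"""Engagement access-tail review: time-bound provisioning check, post-engagement
activity review, and closeout verification over constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass
class Engagement:
    name: str
    start: datetime
    end: datetime
    accounts: set            # consultant identities provisioned for this engagement
    review_window: timedelta = timedelta(days=90)   # how long to keep reviewing after end


# Groups whose membership counts as privileged for closeout purposes (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "EDR Console Admins"}

# Constructed engagement record (hypothetical dates and account names).
ENGAGEMENT = Engagement(
    name="IR-2025-11-ACME",
    start=datetime(2025, 11, 13, tzinfo=timezone.utc),
    end=datetime(2025, 11, 20, tzinfo=timezone.utc),
    accounts={"ir-consultant-a", "ir-consultant-b", "ir-consultant-c"},
)

# Constructed directory export, one row per account. Field names are an
# assumption for this example, not a real directory schema.
SAMPLE_DIRECTORY = [
    {"sam": "ir-consultant-a", "enabled": False, "expires": "2025-11-20T00:00:00Z", "groups": ["Domain Admins"]},
    {"sam": "ir-consultant-b", "enabled": True,  "expires": "2025-11-20T00:00:00Z", "groups": ["Domain Admins"]},
    {"sam": "ir-consultant-c", "enabled": True,  "expires": None,                   "groups": ["EDR Console Admins"]},
    {"sam": "jsmith",          "enabled": True,  "expires": None,                   "groups": ["Domain Users"]},
]

# Constructed authentication events, one JSON object per line (not a real SIEM format).
SAMPLE_AUTH_LOG = """\
{"ts": "2025-11-15T02:10:00Z", "user": "ir-consultant-a", "action": "logon", "src": "vpn-pool"}
{"ts": "2025-11-19T23:55:00Z", "user": "ir-consultant-b", "action": "logon", "src": "vpn-pool"}
{"ts": "2025-12-02T03:14:00Z", "user": "ir-consultant-b", "action": "logon", "src": "vpn-pool"}
{"ts": "2025-12-02T03:20:00Z", "user": "ir-consultant-b", "action": "file_read", "src": "fileserver01"}
{"ts": "2026-03-01T09:00:00Z", "user": "ir-consultant-c", "action": "logon", "src": "edr-console"}
{"ts": "2025-12-03T08:00:00Z", "user": "jsmith", "action": "logon", "src": "workstation"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_auth_log(text):
    """Turn the JSON-per-line export into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def post_engagement_activity(events, eng):
    """Every event by an engagement account after the engagement end, oldest first.
    Anything here is an access tail that should have been impossible."""
    tail = [e for e in events if e["user"] in eng.accounts and e["ts"] > eng.end]
    return sorted(tail, key=lambda e: e["ts"])


def closeout_findings(directory, eng):
    """Closeout attestation checks: each (account, reason) pair is a residual-access finding."""
    findings = []
    for acct in directory:
        if acct["sam"] not in eng.accounts:
            continue
        if acct["enabled"]:
            findings.append((acct["sam"], "still enabled after engagement end"))
        if acct["expires"] is None:
            findings.append((acct["sam"], "no expiration set (not time-bound)"))
        elif parse_ts(acct["expires"]) > eng.end:
            findings.append((acct["sam"], "expiration later than engagement end"))
        if acct["enabled"] and PRIVILEGED_GROUPS.intersection(acct["groups"]):
            findings.append((acct["sam"], "still holds privileged group membership"))
    return findings


def engagement_access_review(log_text, directory, eng):
    """Combine both checks into one report; review_until is when post-engagement monitoring can stop."""
    events = parse_auth_log(log_text)
    return {
        "engagement": eng.name,
        "review_until": eng.end + eng.review_window,
        "post_engagement_activity": post_engagement_activity(events, eng),
        "closeout_findings": closeout_findings(directory, eng),
    }


if __name__ == "__main__":
    report = engagement_access_review(SAMPLE_AUTH_LOG, SAMPLE_DIRECTORY, ENGAGEMENT)
    for e in report["post_engagement_activity"]:
        print(f"ACTIVITY {e['ts'].isoformat()} {e['user']} {e['action']} from {e['src']}")
    for sam, reason in report["closeout_findings"]:
        print(f"FINDING  {sam}: {reason}")
```

On the sample data the script flags two logons and a file read by one consultant account after the engagement closed, a second account that was never given an expiration, and both accounts as still enabled with privileged group membership; the one account that was properly disabled with an expiration matching the engagement end produces nothing. Run it weekly until the review window passes, not once at closeout.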
The bigger lesson
The case is not a story about two individuals making bad decisions. They did, and they will spend four years in federal prison for it, but that is the legal story. The practitioner story is that the IR engagement model has been operating on a trust architecture that was built for a much smaller, much more relationship-driven industry, and that architecture has not kept up with what is now a multi-billion-dollar ransomware response market.
The defenders did not become the attackers because the people changed. They became the attackers because the controls did not evolve.
This matters because the entire IR market depends on speed, speed depends on trust, and trust depends on controls that most organizations have not bothered to build because the vendor never demanded them and the regulator never asked for them. The regulators are about to start asking. The carriers are about to start demanding. Your next IR engagement is the one to apply the lesson on, not the one after that.
References
- BleepingComputer coverage of the sentencings: https://www.bleepingcomputer.com/news/security/us-ransomware-negotiators-get-4-years-in-prison-over-blackcat-attacks/
- CyberScoop coverage of the sentencings: https://cyberscoop.com/incident-responders-ryan-goldberg-kevin-martin-sentenced-ransomware/
- DOJ background on the indictments and guilty pleas: https://www.govinfosecurity.com/2-cyber-pros-admit-to-being-blackcat-ransomware-affiliates-a-30415
- Dark Reading coverage of the third co-conspirator’s plea: https://www.darkreading.com/insider-threats/ransomware-negotiator-pleads-guilty-blackcat-scheme
