# Two US Security Experts Sentenced to Prison for Assisting Ransomware Gang


Federal prosecution highlights growing threat of insider collaboration in organized cybercrime


Two experienced US cybersecurity professionals have been sentenced to federal prison for providing material assistance to a ransomware-as-a-service (RaaS) criminal enterprise, marking a significant moment in law enforcement's ongoing battle against organized cybercrime. Ryan Goldberg of Georgia and Kevin Martin of Texas were each sentenced to four years in federal prison for their roles in supporting the operations of a major ransomware gang.


The case underscores a troubling trend: skilled security professionals leveraging their technical expertise to facilitate criminal extortion campaigns that have cost organizations billions of dollars. Unlike traditional cybercriminals who operate from overseas, these defendants operated from within the United States, providing direct support to international ransomware operations.


## The Threat: Insider Collaboration in Ransomware Enterprises


Ransomware-as-a-service has emerged as one of the most profitable business models in cybercrime. Unlike traditional malware distribution networks, RaaS operates as a hierarchical criminal enterprise where different actors specialize in distinct roles: initial access brokers, malware developers, operators who execute attacks, and money launderers. This specialization mirrors legitimate software-as-a-service companies—except the "service" involves extorting millions from hospitals, municipalities, and corporations.


The involvement of skilled security professionals in these operations presents a particularly dangerous threat vector. Insiders with legitimate cybersecurity credentials possess advantages that overseas attackers cannot replicate:


  • Operational security knowledge to avoid detection methods and security monitoring
  • Understanding of enterprise networks and defensive architecture
  • Credibility to access sensitive systems or convince employees
  • Technical capacity to develop custom tools and exploit systems effectively
  • Ability to advise on victim vulnerabilities in real-time during attacks

## Background and Context: The Rise of Ransomware-for-Hire


Ransomware attacks have evolved from crude extortion attempts into a sophisticated criminal industry. Major RaaS platforms—including operations like Conti, LockBit, and BlackCat—have generated hundreds of millions in victim payments while maintaining operational security comparable to legitimate multinational corporations. These enterprises employ victim negotiators, payment processors, and public relations specialists.


The professionalization of ransomware has created unprecedented demand for specialized expertise. Gang operators have increasingly recruited trusted insiders: IT administrators, penetration testers, incident responders, and security consultants who can provide:


  • Network reconnaissance and vulnerability assessment before attacks
  • Social engineering guidance based on corporate culture insights
  • Bypass techniques for specific security tools
  • Post-breach navigation to critical systems
  • Monitoring and evasion during active operations

The sentences of Goldberg and Martin represent the first major prosecutions under federal law for providing this category of criminal assistance, signaling the Department of Justice's determination to pursue insider threats in the ransomware ecosystem.


## Technical Details: How Insiders Support Ransomware Operations


Security professionals recruited into ransomware enterprises typically provide one of several technical services:


### Initial Access Support

  • Analyzing corporate network architecture to identify entry points
  • Advising on social engineering targets and pretexting strategies
  • Recommending credentials or vulnerabilities to exploit
  • Evaluating security tool deployments and suggesting bypass methods

### Operational Assistance

  • Monitoring attacks in real-time to identify detection risks
  • Providing guidance on lateral movement through networks
  • Helping attackers evade incident detection and response
  • Advising on data exfiltration techniques specific to the victim's infrastructure

### Post-Attack Facilitation

  • Negotiation strategy based on understanding of victim organizations
  • Encryption key delivery and ransom payment facilitation
  • Destruction of forensic evidence
  • Coordinating with money laundering networks

The financial incentives are substantial. Ransomware gangs typically compensate insiders with percentages of victim payments—sometimes reaching 10-30% of total ransom demands. For victims paying in the millions, insider payments can exceed six figures per operation.


## Industry Implications: A Crisis of Trust


The Goldberg and Martin convictions will reverberate through the cybersecurity consulting and managed services provider (MSP) industries. These sectors employ hundreds of thousands of security professionals with deep access to enterprise systems. While the vast majority operate with integrity, every insider represents a potential vulnerability.


Key implications for organizations:


| Risk Category | Impact | Mitigation |
|---|---|---|
| Insider threats | Technical expertise leveraged against clients | Enhanced background vetting, behavioral monitoring |
| MSP security | Service providers become attack vectors | Third-party security assessments, privileged access controls |
| Supply chain | Compromised consultants affect entire client bases | Network segmentation, client notification protocols |
| Incident response | Attackers receive real-time defensive advice | Assumption of breach during investigations |
| Forensics | Evidence destruction by knowledgeable insiders | Off-site backup protocols, immutable logging |


For security vendors and consulting firms, the case highlights the risks of inadequate employee vetting, monitoring of suspicious activities, and ethics training. Professional organizations like (ISC)² and SANS have begun emphasizing ethical obligations and legal liability for consultants who cross the line into criminal assistance.


## Recommendations for Organizations


Organizations seeking to prevent insider threats and reduce ransomware risk should implement multilayered defenses:


### Personnel Security

  • Conduct thorough background checks including financial history and criminal records
  • Screen for indications of financial distress among high-access employees
  • Implement ethics training emphasizing legal consequences of criminal collaboration
  • Establish confidential reporting channels for suspicions of misconduct

### Access Controls

  • Apply principle of least privilege across all critical systems
  • Implement privileged access management (PAM) with real-time logging
  • Require multi-factor authentication for sensitive operations
  • Monitor for unusual after-hours access patterns or unusual data queries

### Detection and Response

  • Maintain comprehensive audit logging of administrative activities
  • Implement behavioral analytics to identify unusual data access
  • Establish rapid incident response procedures for suspected insider threats
  • Coordinate with law enforcement when criminal activity is suspected

### Vendor Management

  • Require security audits of third-party service providers
  • Limit MSP access through network segmentation
  • Establish separate credentials for third-party accounts
  • Monitor and log all third-party administrative access
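
Several of the controls listed above (separate third-party credentials, segmentation limits for MSP access, after-hours monitoring, logged third-party administrative access) can be checked together over privileged-session logs. The following is an added example, not part of the original article: the log format, the `ext-` account prefix, the per-vendor segment map and the business hours are assumptions, and the sample lines are constructed.

```python
import ipaddress
from datetime import datetime, time

# Assumptions for this example (not from the article): third-party accounts
# carry an "ext-" prefix, each vendor is confined to one network segment,
# and business hours are 08:00-18:00 local time on weekdays.
VENDOR_PREFIX = "ext-"
ALLOWED_SEGMENTS = {
    "ext-msp1": ipaddress.ip_network("10.20.0.0/24"),
    "ext-audit": ipaddress.ip_network("10.30.0.0/24"),
}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Constructed sample log: ISO timestamp, account, target host IP, action.
SAMPLE_LOG = """\
2024-03-04T10:15:00 ext-msp1 10.20.0.15 session_open
2024-03-04T23:40:00 ext-msp1 10.20.0.15 session_open
2024-03-05T11:02:00 ext-msp1 10.50.1.7 session_open
2024-03-05T09:30:00 jdoe 10.50.1.7 session_open
2024-03-09T14:00:00 ext-audit 10.30.0.9 session_open
2024-03-06T13:00:00 ext-newvendor 10.20.0.4 session_open
"""

def review_sessions(log_text):
    """Return a list of (line_number, account, reason) findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            findings.append((lineno, "?", "unparseable line"))
            continue
        stamp, account, target, _action = parts
        if not account.startswith(VENDOR_PREFIX):
            continue  # internal accounts are out of scope for this check
        when = datetime.fromisoformat(stamp)
        segment = ALLOWED_SEGMENTS.get(account)
        if segment is None:
            findings.append((lineno, account, "vendor account has no approved segment"))
        elif ipaddress.ip_address(target) not in segment:
            findings.append((lineno, account, "target outside approved segment"))
        weekend = when.weekday() >= 5
        if weekend or not (BUSINESS_START <= when.time() < BUSINESS_END):
            findings.append((lineno, account, "access outside business hours"))
    return findings

if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_LOG):
        print(finding)
```

The check only works if third-party accounts are distinguishable from internal ones, which is what separate vendor credentials provide.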

## Conclusion


The imprisonment of Ryan Goldberg and Kevin Martin sends an unmistakable message: federal law enforcement is treating insider assistance to ransomware gangs as a serious federal crime with substantial prison sentences. As ransomware operations become more sophisticated and financially motivated, the threat of insider collaboration will intensify.


Organizations must recognize that their greatest cybersecurity risk may not come from distant foreign attackers but from trusted employees and vendors with system access and technical knowledge. Comprehensive personnel vetting, access controls, behavioral monitoring, and incident response capabilities are no longer optional—they are essential safeguards against the insider threat that ransomware enterprises actively cultivate.


The convictions represent a turning point in how law enforcement approaches cybercrime. The message is clear: assisting ransomware operations carries federal prison time and permanent damage to one's career and reputation. For security professionals, maintaining ethical standards isn't just right—it's essential to avoiding a federal prosecution.