Former Ransomware Negotiator Pleads Guilty to BlackCat Attacks


Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to his involvement in BlackCat (ALPHV) ransomware attacks targeting U.S. companies in 2023. BleepingComputer reports that Martino, 41, leveraged his insider knowledge from the incident response world to facilitate these attacks.

This case is a stark reminder of the insider threat, especially from individuals with deep understanding of defensive playbooks and incident response strategies. Attackers don’t just operate from dark corners; sometimes, they’ve sat on the other side of the table. Martino’s actions underscore the critical need for robust vetting and continuous monitoring, even for trusted security professionals. The attacker’s calculus here was clear: exploit intimate knowledge of victim operations and response mechanisms to maximize impact and extortion potential.

For defenders, this means re-evaluating trust models, particularly around third-party vendors and former employees with privileged access or sensitive knowledge. The damage isn’t just financial; it erodes trust in the security ecosystem itself. This isn’t just about patching systems; it’s about patching people and processes.

What This Means For You

  • If your organization engages with third-party incident response firms or has former employees with deep security knowledge, review your insider threat detection capabilities. Audit access logs for any suspicious activity from past and present security personnel, and ensure offboarding processes revoke all credentials and sensitive data access immediately. This isn't a theoretical threat; it's a demonstrated risk from within our own ranks.

