The People You Hired to Protect You Were the Hackers

Two cybersecurity professionals just pleaded guilty to moonlighting as ALPHV/BlackCat ransomware operators — targeting healthcare companies, stealing patient photos, and extorting $1.2 million.

Reading time: 10 minutes

What Happened

Who: Ryan Goldberg (40, incident responder at Sygnia) and Kevin Martin (36, ransomware negotiator at DigitalMint)

What: Pleaded guilty to operating as ALPHV/BlackCat ransomware affiliates while employed as cybersecurity professionals

Victims: A Florida medical device company, a Maryland pharmaceutical company, a California doctor’s office, a Virginia drone company, and a California engineering firm

Damage: $1.2 million extorted from a single healthcare victim; patient photographs published on the dark web

Sentencing: March 12, 2026 — facing up to 20 years in prison each

Your Incident Responder Was the Attacker

This is not a hypothetical scenario from a cybersecurity training exercise. It actually happened.

Ryan Goldberg worked as an incident responder at Sygnia, one of the most respected cybersecurity consulting firms in the industry. His job was to help companies recover from breaches. Kevin Martin worked as a ransomware negotiator at DigitalMint, a company that helps victims navigate ransom payments. His job was to minimize the damage when companies got hit.

Between April and December 2023, both men were simultaneously moonlighting as ALPHV/BlackCat ransomware affiliates — using the same skills, knowledge, and insider understanding of victim defenses to attack U.S. businesses, with a particular focus on healthcare.

According to the Department of Justice, Goldberg and Martin used their professional expertise to:

  • Identify and exploit vulnerabilities in target organizations
  • Deploy ALPHV/BlackCat ransomware to encrypt systems and steal data
  • Extort victims under threat of publishing stolen data on the ALPHV leak site
  • Kick back 20% of ransom payments to ALPHV administrators

One victim — a Florida medical device company — paid $1.2 million. Patient photographs stolen from a California doctor’s office were published on the ALPHV dark web leak site.

Ten days after the FBI came knocking, Goldberg and his wife purchased one-way tickets to Paris.

Why This Should Terrify Every Business Owner

The cybersecurity industry operates on trust. When your network is breached, you call in experts who get unfettered access to your most sensitive systems, data, and credentials. You give them the keys to the kingdom because you have to — they can’t fix what they can’t see.

Goldberg and Martin weaponized that trust. They knew exactly how companies defend themselves because they were the ones building those defenses for other clients. They knew which security tools to evade, which alerts to avoid triggering, and which data was most valuable to steal.

The FBI’s warning in its press release was blunt:

“Organizations should exercise due diligence when engaging third parties for ransomware incident response.”

— Federal Bureau of Investigation

The Bigger Picture: Ransomware Is Now an Identity Problem

The Goldberg/Martin case isn’t just about two bad actors. It’s a symptom of a fundamental shift in how ransomware works.

Cloudflare’s inaugural 2026 Threat Report, released March 3, analyzed data from handling 20% of global web traffic and blocking 230 billion threats daily. The headline finding: ransomware has shifted from a malware problem to an identity problem.

  • 54% of ransomware attacks start with stolen credentials
  • 46% of human logins use already-compromised credentials
  • $49K is the average BEC theft attempt, calibrated to slip under approval thresholds
  • 94% of all login attempts observed by Cloudflare are bots

Attackers aren’t breaking down the door anymore. They’re logging in with your credentials. Infostealers like LummaC2 now extract live session tokens that bypass MFA entirely. The Cloudflare report found that 43–46% of emails fail SPF, DKIM, or DMARC validation, and North Korean operatives are using AI-generated deepfake profiles to infiltrate corporate payrolls.

When the people attacking you have legitimate credentials — whether stolen by malware or handed to them because they’re your incident responder — traditional perimeter security is meaningless.

Healthcare Is in the Crosshairs

Three of Goldberg and Martin’s five known victims were healthcare organizations. This isn’t a coincidence. Healthcare is the most targeted sector for ransomware, and the consequences are uniquely severe.

The same week these guilty pleas were accepted, the TriZetto/Cognizant breach was confirmed — exposing 3.4 million patient records through a supply chain attack on a claims processing vendor used by 875,000 healthcare providers. The attackers had 13 months of undetected access before anyone noticed.

TriZetto Breach Timeline

Initial compromise: November 19, 2024

Discovery: November 28, 2025 — 13 months later

Victims notified: February 6, 2026

Records exposed: 3,433,965 patients

The breach wasn’t at the healthcare providers themselves — it was at their business associate. The providers had no visibility into TriZetto’s security posture, no way to detect the compromise, and no control over the response.

Meanwhile, the 2026 HIPAA Security Rule overhaul is eliminating the distinction between “required” and “addressable” safeguards. MFA is now mandatory. Encryption at rest and in transit is now mandatory. Business associates must notify covered entities within 72 hours of a breach. Organizations that have been checking the “addressable” box and skipping controls are now non-compliant.

The Insider Threat You’re Not Monitoring For

Most organizations think of insider threats as disgruntled employees stealing data on their way out. The Goldberg/Martin case reveals a far more dangerous variant: trusted external advisors with privileged access who are actively working for the other side.

Consider who has elevated access to your systems right now:

  • IT consultants and MSPs with domain admin credentials
  • Incident response firms with forensic access to your endpoints and logs
  • Software vendors with API keys, database access, or remote support tools
  • Cloud service providers with infrastructure-level access
  • Compliance auditors with access to your security architecture documentation

Any one of these relationships could be exploited. Not because the organization is malicious, but because a single employee within that organization might be. Goldberg’s employer, Sygnia, is a legitimate and well-regarded firm. The problem wasn’t the company — it was the individual.

What You Should Do Right Now

1. Audit Third-Party Access

Know exactly who has access to your systems, what level of access they have, and whether that access is still needed. Remove standing privileges for vendors and consultants. Use just-in-time access that expires after a defined period.

2. Monitor Privileged Accounts — Especially External Ones

If a consultant account is accessing files at 2 AM, logging in from an unusual location, or downloading large volumes of data, you need to know immediately. Not in a weekly report. Not in next month’s audit. In real time.

3. Implement the Principle of Least Privilege

Incident responders don’t need domain admin. Your MSP doesn’t need access to every server. Scope access to only what’s required for the specific engagement, and revoke it when the engagement ends.
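As an added example of what steps 1 and 3 look like in practice (this is illustrative code written for this page, not a tool from the article or from any vendor named in it), the script below reviews a constructed inventory of external account grants against a fixed reference date and flags the four conditions those steps describe: standing access with no expiry, grants that outlived their engagement, dormant grants nobody has used, and an external party holding a high-privilege role. The account names, roles, dates and the 30-day staleness threshold are all assumptions chosen for illustration.

```python
"""Third-party access review: flag standing, expired, stale and over-privileged
vendor grants.  Added example, not code from the original article; the grant
records, role names and thresholds below are constructed for illustration."""
from datetime import datetime, timedelta

# Roles an external engagement should never hold as standing access
# (constructed set; substitute your directory's actual privileged groups).
HIGH_PRIV_ROLES = {"Domain Admin", "Global Admin", "Enterprise Admin"}

# Constructed inventory: one record per external account grant.
# expires=None means the grant has no end date (standing access).
VENDOR_GRANTS = [
    {"account": "ir-vendor-01", "org": "incident response firm", "role": "Domain Admin",
     "granted": "2026-01-10", "expires": None, "last_used": "2026-02-20"},
    {"account": "msp-ops", "org": "MSP", "role": "Server Operator",
     "granted": "2025-06-01", "expires": "2025-12-31", "last_used": "2026-03-01"},
    {"account": "audit-ro", "org": "compliance auditor", "role": "Reader",
     "granted": "2026-02-01", "expires": "2026-04-01", "last_used": "2025-12-01"},
    {"account": "vendor-support", "org": "software vendor", "role": "Reader",
     "granted": "2026-02-15", "expires": "2026-03-15", "last_used": "2026-03-02"},
]


def _day(s):
    """Parse an ISO date string (YYYY-MM-DD)."""
    return datetime.strptime(s, "%Y-%m-%d")


def review_grants(grants, today, stale_days=30):
    """Return {account: [issue, ...]} for every grant that needs action.

    today is an ISO date string so the review is reproducible against a
    fixed reference date.
    """
    ref = _day(today)
    findings = {}
    for g in grants:
        issues = []
        # 1. Standing privilege: no expiry at all.  Just-in-time access
        #    should always carry an end date tied to the engagement.
        if g["expires"] is None:
            issues.append("standing access (no expiry date)")
        # 2. Engagement ended but the account was never revoked.
        elif _day(g["expires"]) < ref:
            issues.append("expired but still active")
        # 3. Dormant grant: nobody has used it recently, so nobody needs it.
        if g["last_used"] is None or ref - _day(g["last_used"]) > timedelta(days=stale_days):
            issues.append(f"unused for more than {stale_days} days")
        # 4. Over-privileged external party (incident responders do not need domain admin).
        if g["role"] in HIGH_PRIV_ROLES:
            issues.append(f"external party holds high-privilege role '{g['role']}'")
        if issues:
            findings[g["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_grants(VENDOR_GRANTS, "2026-03-04").items():
        print(account)
        for issue in issues:
            print("   -", issue)
```

Run it as-is and only the software vendor's scoped, time-boxed, recently used reader account comes back clean; the other three grants each produce at least one action item. In a real review the inventory would be pulled from the directory and the PAM system rather than typed in, but the four checks stay the same.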

4. Require Background Checks for Security Vendors

If you’re hiring a firm to handle your incident response or penetration testing, ask about their employee screening process. Do they run background checks? Do they have insider threat programs? How do they monitor their own staff’s access to client environments?

5. Deploy Behavioral Detection

Credential-based attacks look normal to rule-based security tools — the attacker is using a valid username and password. The only way to catch them is by detecting behavioral anomalies: unusual access patterns, geographic impossibilities, abnormal data movement, and privilege escalation that doesn’t match the user’s role.

6. Don’t Rely on a Single Layer of Defense

The Cloudflare report confirms that 54% of ransomware starts with stolen credentials. MFA helps, but infostealers can now bypass it by stealing session tokens. You need defense in depth: credential monitoring, behavioral analytics, network segmentation, and 24/7 monitoring working together.

Why MDR Catches What Others Miss

Traditional Security

  • Trusts valid credentials implicitly
  • Static rules that match known attack signatures
  • No visibility into vendor/consultant activity
  • Alerts reviewed during business hours only
  • TriZetto breach: 13 months undetected

MDR with Behavioral Detection

  • Monitors what users do, not just who they are
  • AI-powered anomaly detection across all accounts
  • Full visibility into privileged account activity
  • 24/7 monitoring with 15-minute triage SLA
  • Detects insider threats and credential abuse in real time

An MDR service doesn’t just watch for malware. It watches for behavior. When a consultant account that normally operates during business hours suddenly starts accessing sensitive databases at midnight, MDR catches it. When a vendor account downloads 10x more data than its historical baseline, MDR catches it. When credentials are used from two geographic locations simultaneously, MDR catches it.
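The three behaviours this paragraph (and steps 2 and 5 above) describe can be checked directly against access logs. The script below is an added example written for this page, not code from the article or from any MDR product it describes: it parses a constructed log format, keeps a per-account working-hours and daily-volume baseline, and raises an alert for off-hours access, for impossible travel (the same credentials seen in two places that no flight could connect in the elapsed time), and for a day's data movement exceeding a multiple of the account's baseline. The log lines, account names, baselines, the 1,000 km/h speed limit and the 5x volume multiplier are all constructed assumptions; the point is the shape of the checks, not the thresholds.

```python
"""Behavioural checks on privileged/vendor account activity: off-hours use,
impossible travel and abnormal data volume.  Added example, not code from the
original article; the log format, baselines and thresholds are constructed."""
import re
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed log format: one access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+) action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: an IR consultant account seen in London, then San
# Francisco 30 minutes later, then exporting data at 02:00 the next day.
SAMPLE_LOG = """
2026-03-03T10:05:12Z user=consult-ir src=198.51.100.4 geo=51.5074,-0.1278 action=read bytes=40000000
2026-03-03T10:35:40Z user=consult-ir src=203.0.113.9 geo=37.7749,-122.4194 action=read bytes=20000000
2026-03-03T11:02:00Z user=vendor-support src=192.0.2.15 geo=52.5200,13.4050 action=read bytes=5000000
2026-03-04T02:14:05Z user=consult-ir src=203.0.113.9 geo=37.7749,-122.4194 action=export bytes=2500000000
2026-03-04T02:20:31Z user=consult-ir src=203.0.113.9 geo=37.7749,-122.4194 action=export bytes=300000000
this line is malformed and must be skipped
"""

# Constructed per-account baseline: normal working hours (UTC) and typical bytes/day.
BASELINE = {
    "consult-ir": {"hours": (8, 18), "daily_bytes": 200_000_000},
    "vendor-support": {"hours": (9, 17), "daily_bytes": 50_000_000},
}


def parse_log(text):
    """Parse log lines into event dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": d["user"], "src": d["src"],
            "lat": float(d["lat"]), "lon": float(d["lon"]),
            "action": d["action"], "bytes": int(d["bytes"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_anomalies(events, baseline, max_speed_kmh=1000.0, volume_multiplier=5.0, min_jump_km=100.0):
    """Return a list of (user, kind, detail) alerts."""
    alerts = []
    last_seen = {}      # user -> previous event, for travel checks
    daily_bytes = {}    # (user, date) -> bytes so far that day
    volume_flagged = set()
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # An external account with no baseline is itself worth a look.
            alerts.append((e["user"], "unknown_account", "no baseline for this account"))
            continue
        start, end = b["hours"]
        if not start <= e["ts"].hour < end:
            alerts.append((e["user"], "off_hours", f"{e['ts'].isoformat()} outside {start:02d}:00-{end:02d}:00 UTC"))
        prev = last_seen.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same credentials from two distant places at once, or faster than any flight.
            if km >= min_jump_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append((e["user"], "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
        last_seen[e["user"]] = e
        key = (e["user"], e["ts"].date())
        daily_bytes[key] = daily_bytes.get(key, 0) + e["bytes"]
        if key not in volume_flagged and daily_bytes[key] > volume_multiplier * b["daily_bytes"]:
            volume_flagged.add(key)
            ratio = daily_bytes[key] / b["daily_bytes"]
            alerts.append((e["user"], "data_volume", f"{ratio:.1f}x daily baseline"))
    return alerts


def alert_counts(alerts):
    """Summarise alerts as {kind: count}."""
    counts = {}
    for _, kind, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{user:15} {kind:18} {detail}")
```

On the sample, every event authenticates with a valid account and password, so a rule that trusts credentials sees nothing; the behavioural checks raise four alerts, all on the consultant account, and none on the vendor account that stays inside its baseline. The volume check fires once per account per day when the threshold is first crossed rather than on every subsequent event, which keeps a single exfiltration from flooding the queue.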

Goldberg and Martin had the skills to evade traditional security tools. What they couldn’t evade is the fact that their behavior — accessing systems they had no reason to access, exfiltrating data to infrastructure they controlled — was fundamentally different from legitimate activity. Behavioral detection catches what credentials-based trust cannot.

The Bottom Line

The people you trust with your security can become your biggest vulnerability. Two cybersecurity professionals — an incident responder and a ransomware negotiator — used their privileged access and insider knowledge to extort healthcare companies, steal patient photographs, and collect over a million dollars in ransom payments. They face sentencing on March 12. The lesson for every organization is clear: trust is not a security control. Monitoring is. If you can’t see what your privileged users are doing in real time, you’re not secure — you’re just hoping for the best.

Conclusion

The Goldberg/Martin case, the TriZetto breach, and the Cloudflare threat report all point to the same reality: the most dangerous attacks in 2026 don’t look like attacks at all. They look like legitimate logins from trusted accounts. They use valid credentials. They come from people and systems you’ve explicitly authorized.

The only defense is continuous, behavioral monitoring that treats every access event — internal and external, employee and vendor, routine and anomalous — as something worth watching.

Your antivirus won’t catch your incident responder moonlighting for a ransomware gang. 24/7 behavioral monitoring will.

Stop trusting. Start monitoring.

Our MDR service provides 24/7 behavioral detection across all accounts — employees, vendors, and privileged users — so insider threats and credential abuse are caught in minutes, not months.
