
What happened
Federal prosecutors allege that an incident responder, Angelo Martino, participated in ransomware activity tied to ALPHV/BlackCat while also handling ransom negotiations on behalf of victims.
According to court documents cited by The Record, Martino:
- worked with two co-conspirators who have already pleaded guilty,
- allegedly helped carry out at least 10 ransomware attacks,
- and shared confidential victim-side negotiation information with threat actors.
Why this is a big deal
This case cuts at the core trust model of ransomware response.
When responders and negotiators are compromised, victims may face:
- inflated ransom demands,
- a weaker negotiating position,
- and increased exposure of sensitive internal information.
Prosecutors say the alleged collusion helped maximize payouts in multiple cases, including negotiations reportedly reaching $26M, $25M, $16M, and $6M.
Defensive takeaways for organizations
Treat incident-response procurement as a security control, not just a procurement checkbox:
- require auditable negotiation workflows and immutable logging,
- split duties across legal, IR, and executive decision makers,
- verify responder conflict-of-interest controls in contracts,
- and insist on documented chain-of-custody for all ransomware communications.
What to ask your IR provider now
- Do you maintain full transcript-level logs of every negotiation step?
- Who can access victim strategy notes, and how is access monitored?
- Are negotiators independently vetted and periodically re-screened?
- What controls detect or prevent side-channel contact with threat actors?
Bottom line
Ransomware response only works when the responder is trustworthy. This DOJ case is a reminder to harden not only infrastructure and backups, but also the human and process layer of breach response.
