It has been mentioned before that the US incident response company DigitalMint had a ransom negotiator who took payments from hackers to help them extort the victims who came to the company for help. Two colleagues of this negotiator were also tried in court for accepting bribes. These negotiators were even involved in deploying ransomware.

41-year-old Angelo Martino was a ransomware negotiator. His main job was to contact hacker gangs and negotiate ransoms on behalf of clients (victims). A negotiator's purpose should be to lower the ransom as much as possible in the client's interest. However, these arrested negotiators did the opposite and helped the hackers demand higher ransoms from the victims.
The hacker group involved is the notorious Alphv/BlackCat. This group uses various methods to steal and encrypt confidential corporate data, then requires the victim company to pay a high ransom to obtain the decryption key. Some companies have no data backups and have to turn to negotiation experts to contact the hackers and reduce the ransom payment.
Negotiation experts help hackers demand higher ransom:
Documents disclosed by the U.S. Department of Justice show that Martino and two of his colleagues negotiated with hackers on behalf of at least five victim companies, and all five companies paid consulting fees to DigitalMint (note: the consulting fees were to the negotiating company, and the ransom was to the hackers).
Among them: a hospitality company was forced to pay a ransom of $16.484 million, a nonprofit organization was forced to pay a ransom of $26.8 million, a financial services company was forced to pay a ransom of $25.6 million, a retail company was forced to pay a ransom of $6.1 million, and a healthcare company was forced to pay a ransom of $213,000.
The normal process should be that negotiators charge a consulting fee and then negotiate with hackers on behalf of the victim company to reduce the ransom. In the actual process, Martino and his co-conspirators leaked the victim company’s internal confidential information to the hackers, and the hackers demanded different ransom prices based on this confidential information.
This confidential information mainly includes the victim company's cyber insurance policy limit and internal details about its ransom payment. Once the hackers have this information, they set the ransom demand according to the policy limit. For the victim company, these ransoms are eventually paid by the insurance company.
Of course, some policy limits may not be enough to cover the ransom the hackers actually demand. In this case, the hackers rely on the negotiators to learn the company's willingness to pay and its likely upper limit, and then demand a ransom at the upper limit the company can tolerate.
What to do if there are no customers? Negotiators find targets to deploy ransomware:
What’s even more shocking is that Martino and his associates proactively sought out customers. In other words, they became downstream distributors of BlackCat ransomware, deploying ransomware against target customers so they could charge consulting fees while also receiving a share of the ransom.
The U.S. Department of Justice stated in public documents that this small group launched attacks on multiple companies to deploy ransomware between April and November 2023. It successfully carried out five attacks and demanded more than $16 million in ransom.
Of course, not all victims are willing to pay the ransom. The U.S. Department of Justice only mentioned that one medical device company eventually paid the ransom in exchange for the key. This ransom earned the small gang an illegal profit of US$1.274 million, but the U.S. Department of Justice did not announce whether the other four companies paid the ransom.
Their employer did not discover these tricks:
It is worth noting that DigitalMint failed to detect any illegal behavior by Martino and his associates, whether it was leaking customer information to help hackers demand higher ransoms or directly participating in the deployment of ransomware. The company didn't learn about the incident until it was notified by the U.S. Department of Justice, by which time the ransomware negotiators had been arrested by law enforcement agencies. DigitalMint immediately fired the individuals and said it had no knowledge of the incident. Judging from the current investigation, DigitalMint was indeed unaware of these illegal actions and did not participate in them. However, for an incident response company in the security field, internal gaps this large raise real doubts about the company's actual capabilities.
Finally, Martino and his accomplices will face trial in court on April 30, 2026. According to relevant laws, Martino will face at least 10 years in prison, and the $10 million in seized assets is expected to go toward compensation.