Three former employees of cybersecurity incident response companies DigitalMint and Sygnia have been indicted for allegedly hacking the networks of five U.S. companies in BlackCat (ALPHV) ransomware attacks between May 2023 and November 2023.

28-year-old Kevin Tyler Martin of Roanoke, Texas (who pleaded not guilty), 33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and an unnamed accomplice face charges of conspiracy to interfere with interstate commerce by extortion, and intentional damage to protected computers.

If convicted, the defendants could face up to 20 years in prison for extortion and 10 years for damage to computer systems.

According to the Chicago Sun-Times, which first spotted the unsealed court documents, Martin worked at DigitalMint as a ransomware threat negotiator (just as the unnamed co-conspirator), while Goldberg is a former Sygnia incident response manager.

The Department of Justice claims the defendants operated as ALPHV BlackCat affiliates, gaining unauthorized access to the victims’ networks, stealing data, deploying encryption malware, and demanding cryptocurrency payments in exchange for decryption keys and promises not to leak the stolen information online.

Per the indictment, the group’s alleged victims include a Tampa medical device manufacturer, a Maryland pharmaceutical company, a California doctor’s office, a California engineering firm, and a Virginia drone manufacturer.

Prosecutors said the attackers have demanded ransoms ranging from $300,000 to $10 million. Still, they were only paid $1.27 million by the Tampa medical device company after they encrypted its servers and demanded $10 million in May 2023. Although other victims also received ransom demands, the indictment does not indicate whether additional payments were made.

As BleepingComputer previously reported, the Department of Justice was investigating a former DigitalMint ransomware negotiator for allegedly working with ransomware gangs to profit from extortion payment deals. The DOJ and the FBI declined to comment when contacted at the time for more information. It is unclear if this indictment is related to the DOJ’s previous investigation.

A 2019 ProPublica report revealed that some U.S. data recovery firms have also secretly paid ransomware gangs while charging clients for restoration services without disclosing these payments.

In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) warned that Blackcat ransomware affiliates were primarily targeting organizations in the U.S. healthcare sector.

The FBI has also linked BlackCat to over 60 breaches between November 2021 and March 2022 (the ransomware group’s first four months of activity) and said they raked in at least $300 million in ransoms from more than 1,000 victims until September 2023.