
When the Defenders Switch Sides: Two Security Pros Sentenced for Moonlighting With BlackCat

May 1, 2026 · 6 min read · Maverc Threat Research · Incident Response Team
Ransomware · Threat Advisory · Insider Threat · Identity Security · Compliance

A former incident response manager and a ransomware negotiator drew four-year federal sentences for using their day-job tradecraft to extort five US companies under the BlackCat/ALPHV banner. The case is a stress test for every insider risk program in the security industry.

Two American cybersecurity practitioners — one a former incident response manager at a major consultancy, the other a ransomware negotiator at a well-known DFIR firm — were sentenced this week to four years in federal prison for orchestrating a string of BlackCat/ALPHV ransomware attacks against five US companies between May and November of 2023. The Department of Justice case is a clean, on-the-record example of the scenario every CISO whispers about and almost no insider risk program is actually built to catch: the responder turning extortionist.

The technical details are not exotic. The governance failure is the story.

What they actually did

According to the plea agreements, the two defendants used their professional access and tradecraft to obtain initial footholds at the victim organizations, deployed BlackCat ransomware payloads, exfiltrated data, and demanded ransoms ranging from roughly 300,000 to 10 million US dollars in cryptocurrency. At least one victim — a medical device company — paid approximately 1.27 million dollars. The defendants laundered the proceeds through mixers and converted portions to cash.

The targets were drawn from sectors the pair already understood from their day jobs: a drone manufacturer, a pharmaceutical firm, an engineering company, a medical device maker, and a doctor's office. Familiarity with the verticals meant familiarity with the tooling, the typical Active Directory layouts, the common backup architectures, and the executive personalities likely to authorize a quick payment to make the noise stop.

Neither defendant relied on novel malware. BlackCat was an off-the-shelf ransomware-as-a-service operation at the time. The edge they brought was procedural: they knew exactly how an incident response engagement looks from the inside, which controls a panicked victim is most likely to bypass in the first 24 hours, and how negotiators typically pressure-test ransom demands. They used that knowledge against organizations that had retained firms exactly like theirs.

Why this is harder to prevent than it looks

The instinctive reaction is "do better background checks." That is not what failed here. Both individuals had clean records and held legitimate roles at firms with mature hiring processes. What failed was the assumption that a credentialed responder, once inside an engagement, operates inside a controlled, monitored, and least-privilege envelope.

In practice, IR engagements are the highest-trust, lowest-friction work in the industry. A responder routinely receives:

  • Domain Admin or equivalent in the victim environment, often within hours of arriving on scene
  • Direct console access to EDR, SIEM, identity providers, and backup systems
  • The legal cover of a signed engagement letter that authorizes destructive and forensic actions
  • A culturally enforced "do not slow down the responder" posture from the victim's own staff

That posture is necessary to actually contain an active intrusion. It is also a near-perfect tradecraft school for anyone who later decides to attack the same kind of environment. The defendants in this case did not need to develop new capabilities. Their previous engagements were the training data.

What the industry should take from it

This is not a one-off. As the ransomware economy has matured, the supply of skilled operators has tightened, and the financial gap between an honest senior IR salary and a successful affiliate payout has widened. Expect more of these cases, not fewer. A few changes that move the needle:

  • Compartmentalize sensitive engagement artifacts. Tooling output, exfiltrated data copies, ransom communications, and decryptors should live in case-specific enclaves with per-engagement access scoping and aggressive retention limits. The pattern of a former responder retaining a personal copy of a victim's environment map should be procedurally impossible, not just policy-prohibited.
  • Treat IR firm employees as privileged insiders for the clients they serve. That means PIM-style just-in-time elevation into client tenants, hardware-backed MFA tied to the firm's identity provider, and per-engagement audit trails that the client — not just the firm — can review.
  • Monitor egress from analyst workstations. Outbound traffic from a forensics workstation to a personal cloud account, an unmanaged device, or a Tor exit node is a high-fidelity signal. It is also rarely instrumented at IR firms because the same workstations need broad outbound access to legitimate research infrastructure.
  • Build a real off-boarding process. Both defendants left their employers before the attacks began. Revocation of access is well understood; revocation of knowledge is not. Plan for the assumption that a departing senior responder carries actionable intelligence about every client they touched.
  • Vet your vendors with the same rigor you vet your own staff. Ask incident response and ransomware negotiation providers about insider risk controls, internal access reviews, and engagement-data retention. A serious provider will have crisp answers.
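The egress signal described in the list above, as an added example that is not Maverc's tooling: a small triage pass over outbound flow records from a forensics workstation that flags the three destinations the article names (personal cloud storage, an unmanaged internal host, a Tor exit node) unless the destination is on the engagement's research allowlist. All reference sets and flow records are constructed.

```python
"""Egress triage for IR analyst workstations (added example, not Maverc's code).

Every reference set and flow record below is constructed. In production they
come from the proxy/NetFlow export, the firm's asset inventory, a published
Tor exit-node list and the engagement's own research allowlist.
"""
import ipaddress

PERSONAL_CLOUD_DOMAINS = {"drive.google.com", "dropbox.com", "mega.nz", "icloud.com"}
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}        # constructed (RFC 5737 space)
FIRM_INTERNAL = ipaddress.ip_network("10.50.0.0/16")      # constructed firm range
MANAGED_ASSETS = {"10.50.1.12", "10.50.2.5"}              # constructed inventory
RESEARCH_ALLOWLIST = {"virustotal.com", "malwarebazaar.abuse.ch"}  # per-engagement


def _under(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(flow):
    """Return the signal name for one outbound flow, or None if it looks benign."""
    host = (flow.get("dst_name") or "").lower()
    if host and _under(host, RESEARCH_ALLOWLIST):
        return None                                    # legitimate research traffic
    if flow["dst"] in TOR_EXIT_NODES:
        return "tor_exit"
    if host and _under(host, PERSONAL_CLOUD_DOMAINS):
        return "personal_cloud"
    dst = ipaddress.ip_address(flow["dst"])
    if dst in FIRM_INTERNAL and flow["dst"] not in MANAGED_ASSETS:
        return "unmanaged_device"                      # internal host nobody inventoried
    return None


def triage(flows):
    """Findings for every flagged flow, largest outbound volume first."""
    findings = [dict(flow, signal=sig) for flow in flows if (sig := classify(flow))]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


SAMPLE_FLOWS = [  # constructed; src is a forensics workstation, dst uses RFC 5737 space
    {"src": "10.50.1.12", "dst": "192.0.2.10", "dst_name": "drive.google.com", "bytes_out": 850_000_000},
    {"src": "10.50.1.12", "dst": "198.51.100.7", "dst_name": "", "bytes_out": 2_000_000},
    {"src": "10.50.1.12", "dst": "10.50.9.200", "dst_name": "", "bytes_out": 400_000_000},
    {"src": "10.50.1.12", "dst": "192.0.2.20", "dst_name": "www.virustotal.com", "bytes_out": 12_000_000},
    {"src": "10.50.1.12", "dst": "10.50.2.5", "dst_name": "", "bytes_out": 90_000_000},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f['signal']:16} {f['src']} -> {f['dst_name'] or f['dst']} ({f['bytes_out']:,} bytes)")
```

The volume sort matters: a multi-hundred-megabyte push to a personal drive from a workstation holding a client's disk images is the finding to page on, while the allowlisted research lookup never appears.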

What victims should do now

If your organization engaged either of the firms involved during the relevant window — the indictment lays out the timeline — pull the engagement records, identify the personnel who had hands-on access to your environment, and re-baseline credentials, service principal secrets, and any machine accounts that were created or rotated during the engagement. Ransomware actors who once held legitimate access to your environment are an enduring threat even after the original incident is closed.
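The re-baselining step above, as an added example that is not part of the original advisory: given the engagement window and the responder accounts named in the engagement records, walk the domain's security audit events and list every account the responders created or reset. It goes one step beyond the text by also following accounts the responders created (if a responder-created service account later reset someone's password, that target is rotated too). The audit records and account names are constructed; the event IDs 4720, 4724 and 4741 are the real Windows Security IDs for user creation, password reset and computer-account creation.

```python
"""Credential re-baseline list for a past IR engagement (added example, not the
advisory's or any vendor's tooling). Events, window and account names are
constructed; the event IDs are the real Windows Security audit IDs."""
from datetime import datetime, timezone

# Constructed engagement window and the responder accounts from the engagement records.
ENGAGEMENT_START = datetime(2023, 6, 12, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2023, 7, 3, tzinfo=timezone.utc)
RESPONDER_ACCOUNTS = {"ir-contractor1", "ir-contractor2"}

REASONS = {
    4720: "user account created",
    4724: "password reset",
    4741: "computer account created",
}

# Constructed audit records; "subject" is the acting account, "target" the account acted on.
EVENTS = [
    {"time": "2023-06-13T02:14:00Z", "id": 4720, "subject": "ir-contractor1", "target": "svc-backup-ir"},
    {"time": "2023-06-13T02:20:00Z", "id": 4724, "subject": "ir-contractor1", "target": "krbtgt"},
    {"time": "2023-06-14T10:05:00Z", "id": 4724, "subject": "svc-backup-ir", "target": "backupadmin"},
    {"time": "2023-06-20T09:00:00Z", "id": 4741, "subject": "ir-contractor2", "target": "FORENSICS01$"},
    {"time": "2023-06-21T11:30:00Z", "id": 4724, "subject": "helpdesk1", "target": "jdoe"},
    {"time": "2023-08-02T08:00:00Z", "id": 4720, "subject": "ir-contractor1", "target": "svc-late"},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rebaseline_targets(events, start, end, responders):
    """Map each account needing rotation to the reasons, following responder-created accounts."""
    actors = set(responders)          # grows as responders create accounts
    targets = {}
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        if not (start <= _ts(e["time"]) <= end):
            continue                  # outside the engagement window
        if e["subject"] not in actors or e["id"] not in REASONS:
            continue                  # not responder-driven, or not an event we track
        targets.setdefault(e["target"], []).append(f"{REASONS[e['id']]} by {e['subject']}")
        if e["id"] in (4720, 4741):
            actors.add(e["target"])   # anything this new account touches counts too
    return targets


if __name__ == "__main__":
    for account, reasons in rebaseline_targets(EVENTS, ENGAGEMENT_START, ENGAGEMENT_END, RESPONDER_ACCOUNTS).items():
        print(f"{account:14} rotate: {'; '.join(reasons)}")
```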

How Maverc operates

Maverc runs incident response and proactive security work for organizations across the defense industrial base, healthcare, and critical infrastructure. We treat our own access into client environments as the most sensitive privilege we hold. Engagement-scoped just-in-time access, hardware-backed authentication, per-client audit visibility, and aggressive artifact retention limits are baseline, not premium. If your IR retainer does not give you that level of transparency into how your responders operate inside your environment, that is a conversation worth having before the next call comes in at 2 a.m.