UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

Ransomware Insider Threat: Backup Audits for 2026

London · Servnet News Desk · IT infrastructure analysis3 min read
Share

A former US ransomware negotiator has been jailed for feeding victim data to the very BlackCat (ALPHV) gang he was hired to fight — a case that should make every UK backup and disaster recovery team re-examine who really has visibility into their incident response chain, via ransomware protection planning.

Largest Known Victim Ransom Payments
$m30$m23$m15$m8$m0$m25.66Financial$m26.793NonprofitRansom Paid
View the data behind this chart
Largest Known Victim Ransom Payments
FinancialNonprofit
Ransom Paid$m25.66$m26.793

What the court documents show

Angelo Martino, 41, a former employee of US incident response firm DigitalMint, has been sentenced to 70 months in prison for his role in BlackCat ransomware attacks carried out between April 2023 and April 2025, according to BleepingComputer. Martino worked alongside two other former Sygnia and DigitalMint negotiators, Kevin Tyler Martin and Ryan Clifford Goldberg, who were each sentenced to four years in May after pleading guilty to conspiracy to obstruct commerce by extortion.

Rather than simply negotiating on behalf of victims, the trio operated as BlackCat affiliates — demanding ransoms, threatening to leak stolen data, and paying the BlackCat administrators a 20% cut of proceeds in exchange for access to the ransomware and extortion portal. Prosecutors said Martino went further still, sharing victims' confidential insurance policy limits and negotiation positions with BlackCat operators so they could extract the maximum possible payment while he was formally acting as their negotiator for five separate victims.

Why a negotiator can do more damage than a hacker

This case is not about a network being breached from outside — it is about the exact people trusted to reduce ransom demands instead engineering them upward. Martino and his co-conspirators' victims included a financial services firm that paid $25,660,000 and a nonprofit that paid $26,793,000, alongside school districts, medical facilities, law firms and other financial companies, per the court records cited by BleepingComputer.

For a UK IT leader, the lesson isn't just about vetting negotiators specifically — it's about recognising that anyone with privileged visibility into breach scope, cyber insurance limits, or recovery timelines can materially worsen an incident from the inside. That includes internal staff, managed service partners, and any third party engaged during a live managed detection and response engagement.

Where insider risk meets backup infrastructure

BlackCat itself is a serious threat on the numbers alone. The FBI has linked the gang to more than 60 breaches between November 2021 and March 2022, and estimated it collected at least $300 million in ransom payments from over 1,000 victims through September 2023, according to the FBI advisory referenced by BleepingComputer.

The insider angle matters most where backup and recovery data intersects with negotiation leverage. If someone with inside knowledge understands how quickly (or slowly) a victim can restore operations from backup, that knowledge becomes a pricing lever for the attacker. This is exactly why immutable, isolated recovery capability — not just fast recovery — needs to be treated as sensitive infrastructure, reviewed under the same zero trust principles applied to production systems.

Illustration: Ransomware Insider Threat: Backup Audits for 2026

An audit checklist for UK backup and DR teams

Servnet's view is that this case should trigger a practical, near-term review rather than a policy rewrite. UK buyers should treat it as a prompt to check specific gaps:

  • Confirm which internal staff and external partners can see backup topology, recovery point objectives, or cyber insurance limits, and whether that access is logged and time-limited
  • Review contracts with incident response and negotiation providers for termination-for-cause clauses, background-check requirements, and audit rights over individual staff conduct
  • Test whether backup and recovery systems remain fully isolated from the same identity and access layer as production, so a single compromised credential — internal or external — cannot touch both
  • Run a tabletop exercise assuming the attacker already has insider knowledge of your recovery capability, not just your perimeter defences
  • Feed any anomalous access to sensitive incident data into existing managed detection and response alerting rather than relying on trust alone

Recovery infrastructure has to assume the worst

Independent guidance from Everpure Blog on FlashArray backup best practices reinforces the same principle from the storage layer: immutable snapshots, SafeMode-style protections, and a proper 3-2-1 backup strategy are designed precisely so that recovery does not depend on any single person, internal or external, behaving honestly under pressure.

DigitalMint's chief executive, Jonathan Solomon, told BleepingComputer the firm "strongly condemn[s] these former employees' criminal behaviour, which violated our values, ethical standards, and the law," adding that both were terminated immediately once the conduct was discovered. That response is reasonable after the fact — but UK buyers should be asking their own cyber security and incident response partners what controls exist before the fact, and factoring the cost of that assurance into ongoing IT finance planning alongside broader resilience spend such as any pending VMware alternatives migration.

Share
Key takeaways
  • A former DigitalMint negotiator was sentenced to 70 months for feeding victim insurance limits and negotiation data to BlackCat operators
  • BlackCat is linked to 60+ breaches (Nov 2021–Mar 2022) and over $300 million in ransom payments from 1,000+ victims through September 2023
  • UK teams should audit who — internal or third party — can see backup recovery timelines and insurance limits during live incidents
  • Immutable, isolated backup infrastructure reduces the value of insider knowledge to attackers, regardless of who leaks it
Frequently asked

FAQs — Ransomware Insider Threat

What did the BlackCat negotiator actually do wrong?

According to court documents cited by BleepingComputer, Angelo Martino shared victims' confidential insurance policy limits and negotiation positions with BlackCat ransomware operators while formally acting as their negotiator, helping the gang extract maximum ransom payments.

How much has BlackCat collected in ransoms?

The FBI estimates BlackCat collected at least $300 million from more than 1,000 victims through September 2023, and linked the gang to over 60 breaches between November 2021 and March 2022.

How does this affect UK backup and DR planning?

It shows that insider knowledge of recovery capability and insurance limits can be used to inflate ransom demands, reinforcing the case for ransomware protection built on immutable, access-segregated backups rather than trust in any single individual.

Should UK firms vet incident response negotiators the same way?

Yes — organisations should confirm background-check, access-logging and termination clauses with any incident response or negotiation provider, and speak to a Servnet engineer about auditing existing third-party access.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111