The Department of Justice accuses US ransomware negotiators of launching their own ransomware attacks

US prosecutors have charged two rogue employees at a cybersecurity firm that specializes in negotiating ransom payments to hackers on behalf of their victims of carrying out ransomware attacks of their own.

Last month, the Justice Department charged Kevin Tyler Martin and another unnamed employee, both of whom served as ransomware negotiators at DigitalMint, with three counts of computer hacking and extortion related to a series of attempted ransomware attacks against at least five U.S.-based companies.

Prosecutors also charged a third person, Ryan Clifford Goldberg, a former incident response director at cybersecurity giant Sygnia, as part of the scheme.

The three are accused of hacking into companies, stealing their sensitive data, and spreading ransomware developed by the ALPHV/BlackCat group.

The ALPHV/BlackCat gang operates as a ransomware-as-a-service model, with the gang developing file-encrypting malware used to steal and encrypt victims’ data, while its affiliates – like the three accused individuals – carry out the hacks and deploy the gang’s ransomware. The gang then takes a cut of the profits made from any ransom payments.

According to an FBI affidavit filed in September, rogue employees received more than $1.2 million in ransom payments from one of the victims, a Florida medical device maker. They also targeted several other companies, including a Virginia-based drone manufacturer and a Maryland-based pharmaceutical company.

The Chicago Sun-Times was the first to publish the indictment on Sunday.

Sygnia CEO Jay Segal confirmed to TechCrunch that Goldberg was a Sygnia employee and was fired after Sygnia learned of his alleged involvement in the ransomware attacks. The company declined to comment further, citing the ongoing FBI investigation.

DigitalMint President Mark Grenz told TechCrunch that Martin was an employee at the time of the alleged hacks, but said Martin was “acting completely outside the scope of his job.”

Grenz also confirmed that the unnamed person may be a former employee. DigitalMint is also cooperating with the government’s investigation, Grenz said.