July 14, 2026
The Expert You’d Call in a Ransomware Attack Sees Everything. One Sold It to the Gang.
A DigitalMint negotiator fed five clients’ private numbers to the BlackCat ransomware gang, and those five paid more than $75 million. The…
By S6 Tech
5 min read
A DigitalMint negotiator fed five clients' private numbers to the BlackCat ransomware gang, and those five paid more than $75 million. The fix costs nothing and takes an afternoon.
The owner of a regional accounting firm found the ransom note on a Monday morning. Every client file on the network was locked. The attackers named a price with a lot of zeros.
She did what you are supposed to do. She found an incident response firm that same afternoon, signed the paperwork, and was handed a negotiator. He was calm. He had done this a hundred times, he said.
Over the next week she told him everything. What the firm could actually afford to pay. What her cyber insurance would cover. How many days of downtime before clients started walking. He needed the full picture, he explained, to talk the attackers down.
The price never came down. It drifted higher. The attackers seemed to know her exact ceiling, and exactly how hard they could push before she broke.
They knew because her negotiator was telling them.
What just happened
That scene is fictional. The scheme behind it is not.
A ransomware negotiator is the specialist a breached company hires to talk down the attackers' demand. To do the job, the negotiator has to learn your weakest numbers: what you can pay, what your insurance covers, how long you can survive with your systems down. That information is supposed to be leverage the negotiator uses against the attacker.
Angelo Martino used it the other way. Martino, 41, worked as a negotiator at DigitalMint, a firm companies bring in during a breach. Starting in 2023, prosecutors say he fed the operators of the BlackCat ransomware gang, also tracked as ALPHV, the confidential material his own clients handed him: their negotiating positions and their cyber insurance limits. The gang used it to squeeze each victim for the maximum. Martino took a cut.
Five companies hired him to lower their ransoms. CyberScoop reported those five paid a combined $75.3 million, some of it inflated by the exact information they trusted him to guard. He did not stop there. With a second DigitalMint negotiator and an incident response manager from another firm, he obtained a BlackCat affiliate account and deployed the ransomware directly against more US companies.
Last week a federal judge sentenced Martino to 70 months in prison, nearly six years. His two co-conspirators each drew four years in May.
Why your incident-response firm didn't protect you
Here is the part that should change how you think about a breach.
The firm was not the problem. DigitalMint is a legitimate, established company, and prosecutions like this stay rare precisely because the behavior is so far outside the norm. The problem is the access. During an incident you hand one person your softest information inside the first few hours, often to a firm you found that same afternoon. Trust in that person is a control you grant on purpose. It is not a fact you inherit by hiring professionals.
Rank what most owners assume protects them, from weakest to strongest.
The firm is real and well-reviewed. Martino's was. Reputation covers the company, not the individual assigned to your file, and not the day they decide to go bad.
You signed a contract and an NDA. A contract is a remedy after the harm, argued in a courtroom months later. It does nothing to stop someone leaking your ceiling in real time, while the ransom clock runs.
Your insurance carrier recommended them. Better, since a carrier's approved panel is vetted at the firm level. You still do not know the specific person handling your case, and you still decide in the moment how much to tell them.
The one thing that works is sequence. Vet the firm before the crisis, through more than one independent source, and decide in advance what you will and will not share on the first call. Then no stranger holds every piece of your leverage on the day you are least able to think clearly.
What you can actually do this week
Three actions. All free. All doable before Friday, without hiring anyone.
- Choose your incident-response firm now, from two independent sources. Free. One to two hours. Do not wait for the crisis to go looking. Get one name from your cyber insurance carrier's approved list and one from a trusted business peer or your IT provider, then check each against independent references or reviews. Save the number somewhere you can reach it even if your network is down. On the day you need it, you are confirming a decision, not gambling on a search result at 9pm.
- Write a one-page breach plan and name who makes the call. Free. About two hours. One page covers it: who decides to pull machines off the network, which firm you phone, where your offline backups live, and who has actually restored one. This is the newsletter's priority for next month. Draft it this week. A plan you have written beats a panic every time, and a plan you have never tested is a document, not a defense.
- Confirm your cyber insurance rules before you ever need to file. Free. Thirty minutes. Call your broker or read the policy. Many policies require you to use a responder from their panel, and hiring off-list can reduce or void your payout. Learn this now, so you do not pick the wrong firm in a panic and lose your coverage on top of your data.
The harder truth
The lesson is not that incident responders are dangerous. It is that a ransomware attack forces you to trust a stranger with everything, on your worst day, and the criminal economy is built to manufacture that day on a schedule.
Look at this week. 97 companies were named on ransomware leak sites across 27 active groups. Professional services led again with 11 named victims, the fourth straight week law firms, accountants, and consultancies have topped the list. Anubis posted three small medical practices inside a single 24-hour window, citing patient records in each. Qilin and The Gentlemen traded the top of the table at 19 and 18 victims. The profile underneath the names has not moved in a month: small firms holding valuable client files, running on one part-time IT contractor.
You are not caught in the blast radius of a campaign aimed at someone bigger. At your size, you are the campaign. The moment it lands is the moment you will be tempted to hand your insurance limit and your payment ceiling to whoever picks up the phone.
The negotiator case is a reminder that the trust decision is yours to make in advance, or to lose in the moment. Which one will it be when it is your Monday morning?
If this was useful
I write S6 Ransomware Signal, a free weekly newsletter for small and mid-size businesses without a dedicated security team. Every issue breaks down the week's most important ransomware campaigns, what the victim counts say about who is being targeted, and the fixes that change the math.
This week's issue also covers the CitrixBleed 2 flaw, where one unpatched network appliance gets broken into and the access resold to the next ransomware crew, plus the exact three-question email to send your IT provider today. It has the five-minute step to block the old login method attackers try first. And it digs into why Qilin just topped the leak-site table, and what four straight weeks of law-firm targeting means for anyone holding client files.
You can read it and subscribe at s6-ransomware-signal.beehiiv.com/subscribe.
The criminals rewrite the playbook every week. The person you would call when it works still has not been chosen. Choose them before the note shows up.