Three Cybersecurity Pros Were Working for the Ransomware Gang They Were Hired to Stop
On April 21, 2026, the U.S. Department of Justice announced that Angelo Martino, a 41-year-old ransomware negotiator from Florida, pleaded guilty to conspiring with the BlackCat/ALPHV ransomware gang. Martino worked for DigitalMint, a cybersecurity incident response company. His job was to negotiate with attackers on behalf of ransomware victims.
Instead, he fed the attackers confidential information about his own clients - including their insurance policy limits and negotiation strategies - so the criminals could squeeze out the maximum possible ransom payment. He got paid by both sides.
It gets worse. Martino and two colleagues, Ryan Goldberg (a former incident response manager at cybersecurity firm Sygnia) and Kevin Martin (also from DigitalMint), went beyond leaking information. Between April and November 2023, all three actively deployed BlackCat ransomware against U.S. businesses themselves. They extorted at least $1.2 million in Bitcoin from a single victim. Authorities have seized $10 million in assets from Martino alone, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat.
All three have now pleaded guilty. Martino faces up to 20 years in prison.
Why This Matters for Every Business That Outsources IT or Security
This case is not just a headline. It is a real example of what happens when vendor trust goes wrong. These were not random hackers. They were credentialed cybersecurity professionals employed at legitimate firms with real clients. They had inside access to sensitive data, negotiation playbooks, and incident response procedures.
If you are a business owner who relies on an outside IT company, managed service provider, or cybersecurity consultant, this should sharpen your thinking about how you evaluate those relationships.
The reality is that outsourcing IT and security is the right call for most small and midsize businesses. You cannot afford to build a full security operations center in-house. But the Martino case is a clear reminder: the vendor you trust with your network, your data, and your incident response plan needs to earn that trust through transparency, accountability, and verifiable practices.
How Insider Threats Actually Work
The term "insider threat" usually brings to mind a disgruntled employee. But the definition is broader than that. An insider threat is anyone with authorized access to your systems who uses that access in a way that harms the organization, whether intentionally or through negligence.
According to the Verizon 2025 Data Breach Investigations Report, internal actors were involved in roughly 1 in 5 breaches globally, and that number jumps to nearly 29% in some regions. The 2025 Ponemon Cost of Insider Threats Global Report found that the average annual cost of insider-related incidents hit $17.4 million per organization, up from $16.2 million in 2023.
For small businesses, the dollar figures are smaller, but the impact is proportionally larger. A single breach can mean weeks of downtime, lost clients, regulatory fines, and reputational damage that takes years to repair.
The Martino case adds a new dimension: your vendor's employees are insiders too. When you hand over admin credentials, network diagrams, and backup configurations to a third-party provider, their staff effectively becomes part of your threat surface.
The Three Types of Insider Threats
Malicious insiders are people who deliberately abuse their access for financial gain, revenge, or espionage. Martino, Goldberg, and Martin fall squarely in this category.
Negligent insiders cause breaches through carelessness: clicking phishing links, misconfiguring firewalls, leaving default passwords in place. This is the most common type, accounting for roughly 75% of insider incidents according to Ponemon research.
Compromised insiders are employees or contractors whose credentials have been stolen by an external attacker. The person did not intend harm, but their account is being used to move laterally through your network.
All three types apply to your vendors just as much as they apply to your own team.
A Practical Guide to Vetting IT Security Vendors
Whether you are evaluating a new managed IT services provider or auditing your current one, here is what to look at. These are not theoretical suggestions. They are the same things we would check if we were hiring someone to manage our own infrastructure.
1. Check for Industry Certifications and Compliance Standards
Start with the basics. A reputable IT security vendor should hold relevant certifications. SOC 2 Type II is the gold standard for service providers because it requires an independent auditor to verify that the company actually follows its own security controls over time, not just on paper.
Other certifications to look for include ISO 27001, CompTIA Security Trustmark, and any industry-specific compliance credentials relevant to your business (HIPAA for healthcare, FTC Safeguards Rule for auto dealerships and financial services).
Ask to see the actual audit report or certificate, not just a logo on their website. If they cannot produce it, that is a red flag.
2. Ask How They Handle Access Controls Internally
This is where the Martino case is most instructive. All three defendants had broad access to client data as part of their jobs. The question for any vendor is: what internal controls limit who sees what?
Specific things to ask:
- Do they use role-based access control (RBAC) so technicians only see what they need?
- Are admin credentials for your environment stored in a password vault with audit logging?
- Do they enforce multi-factor authentication for their own staff accessing client systems?
- How quickly do they revoke access when an employee leaves?
- Is there separation of duties between the team that manages your network and the team that handles billing or sales?
If your vendor cannot answer these questions clearly, they probably have not thought about them, and that is a problem.
3. Require Background Checks and Verify Them
This sounds obvious, but many smaller IT companies skip formal background checks on technicians. Ask your provider directly: do you run criminal background checks on every employee who will access our systems? How often do you re-screen?
In regulated industries like healthcare or financial services, this is often a compliance requirement. But even if your business is not in a regulated space, you deserve to know who has the keys to your network.
4. Demand Transparency in Incident Response
One of the most troubling aspects of the Martino case is that he was the person victims called when they got hit with ransomware. He controlled the narrative. He decided what information the victim saw and what stayed hidden.
When evaluating a vendor's cybersecurity services, ask how they handle incident response:
- Will you receive direct access to forensic reports, or only a summary?
- Do they use a third-party forensics firm for major incidents, or handle everything in-house?
- Can you bring in your own independent auditor during or after an incident?
- What is their communication timeline during a breach? Will they update you every hour, every four hours, or "when there is something to share"?
The best vendors welcome outside scrutiny because they have nothing to hide.
5. Review Their Contract for Liability and Accountability
Read the fine print. Many IT service agreements include broad liability limitations that protect the vendor even in cases of gross negligence. Look for:
- Indemnification clauses that hold the vendor responsible for breaches caused by their own employees
- Cyber insurance requirements (ask for proof of their E&O and cyber liability coverage)
- Clear data handling and confidentiality obligations
- Right-to-audit clauses that let you inspect their security practices
- Defined SLAs for incident response times
If a vendor pushes back on reasonable accountability terms, ask yourself why.
6. Check References and Reputation
Call their existing clients. Not the three references they hand you on a sheet of paper - those are always going to be positive. Search for the company on Google, Reddit, industry forums, and the Better Business Bureau. Look for patterns in complaints.
Also check whether the company has been involved in any security incidents themselves. A vendor that has been breached is not automatically disqualified, but how they handled it tells you a lot. Did they disclose it promptly? Did they take responsibility? Did they improve their practices afterward?
7. Evaluate Their Technology Stack
A legitimate managed security provider should be able to explain exactly what tools they use to protect your environment. At minimum, you should expect:
- Endpoint detection and response (EDR) on all managed devices
- A SIEM or managed SOC for log monitoring and alerting
- Automated patch management with defined timelines
- Encrypted backup solutions with tested recovery procedures
- Email security with anti-phishing protections
If they say "we use antivirus" and leave it at that, they are not equipped to handle modern threats.
Red Flags That Should Make You Pause
After working with businesses across multiple industries, we have seen some patterns that tend to signal trouble. None of these automatically means a vendor is malicious, but they do suggest a lack of maturity that increases your risk:
- No written security policies. If they cannot show you their own internal security policy, they are winging it.
- Resistance to audits or questions. A good vendor appreciates a client who takes security seriously.
- High employee turnover. Frequent staff changes mean more people have had access to your systems over time, and offboarding may not be consistent.
- Vague answers about their own security. "We take security very seriously" is not a security practice. Ask for specifics.
- No documentation of what they have access to. You should have a clear, up-to-date list of every system, credential, and permission your vendor holds.
- They discourage you from getting a second opinion. Any provider that pushes back on an independent security audit is not acting in your interest.
What to Do If You Already Have a Vendor
Most businesses reading this already have an IT provider in place. You do not necessarily need to switch vendors, but you should take a few steps to verify your current relationship is solid:
Conduct an access audit. Ask your vendor for a complete list of every account, credential, and remote access tool they use in your environment. Compare it to what you expected. You might be surprised.
Enable logging on everything. Make sure you have independent visibility into who is logging into your systems. Your vendor should not be the only one who can see the audit trail.
Test your backups. Do not just ask "are we backed up?" Run an actual restore test. Know how long it takes. Make sure the backup and recovery process works without your vendor's involvement, because if your vendor is the problem, you cannot rely on them to help you recover.
Schedule an annual third-party assessment. Even if you trust your vendor completely, an independent review catches things that familiarity misses. Think of it like getting a second opinion from a doctor. It is not about distrust. It is about thoroughness.
Review your contract. If it has been a few years since you signed, pull it out and read it with fresh eyes. Make sure it includes the accountability provisions listed above.
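One way to carry out the access audit and independent log review described above, added here as an example that is not from the article or from any vendor's tooling: it reconciles the vendor's declared access inventory against login records you collect yourself, flagging accounts the vendor never declared, logins after a stated revocation date, and declared accounts that never show up. The inventory, the log lines, their simplified format, and the `msp-` account-naming prefix are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample: the inventory the vendor handed us. Value is the date the
# vendor says access was revoked, or None if the account is still active.
VENDOR_INVENTORY = {
    "msp-tech1": None,
    "msp-tech2": "2024-03-01",
    "msp-backup-svc": None,
}

# Constructed sample auth-log lines collected independently of the vendor.
# Assumed simplified format: "<ISO timestamp> <user> <source IP> <action>".
AUTH_LOG = """\
2024-03-04T02:13:00 msp-tech1 203.0.113.10 login_success
2024-03-05T09:00:00 msp-tech2 203.0.113.11 login_success
2024-03-05T09:30:00 msp-rmm-agent 198.51.100.5 login_success
2024-03-06T11:45:00 jsmith 192.0.2.20 login_success
2024-03-06T11:50:00 msp-tech1 203.0.113.10 login_failure
"""


def parse_log(text):
    """Turn log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "action": action})
    return events


def audit_vendor_access(inventory, events, vendor_prefix="msp-"):
    """Return (finding, account, timestamp) tuples. Vendor accounts are
    assumed to share a naming prefix (a hypothetical convention)."""
    findings = []
    seen = set()
    for ev in events:
        # Only successful logins by vendor accounts are of interest here.
        if not ev["user"].startswith(vendor_prefix) or ev["action"] != "login_success":
            continue
        seen.add(ev["user"])
        stamp = ev["ts"].isoformat()
        if ev["user"] not in inventory:
            findings.append(("undeclared_account", ev["user"], stamp))
            continue
        revoked = inventory[ev["user"]]
        if revoked and ev["ts"].date() > datetime.fromisoformat(revoked).date():
            findings.append(("use_after_revocation", ev["user"], stamp))
    for account in inventory:
        if account not in seen:
            findings.append(("declared_but_unused", account, None))
    return findings
```

Run against the sample data, the audit flags msp-tech2 logging in after its stated revocation, an undeclared msp-rmm-agent account, and the declared msp-backup-svc account with no activity in our own logs.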
The Bigger Picture: Trust But Verify
The Martino case is extreme. Most IT and cybersecurity professionals are honest people doing hard work to protect their clients. But "most" is not "all," and even good companies can have employees who go rogue.
The lesson here is not to be paranoid. It is to be systematic. Build verification into your vendor relationships the same way you build it into your cybersecurity defenses. Multi-factor authentication works because it does not rely on a single point of trust. Your vendor management should follow the same principle.
If you are not sure where your current vendor relationship stands, or you want help running an independent assessment, Burgi Technologies is happy to help. We work with small and midsize businesses across Orange County and beyond, and we believe transparency is not optional - it is the foundation of every good IT partnership.
Frequently Asked Questions
What is an insider threat in cybersecurity?
An insider threat is any person with authorized access to an organization's systems or data who uses that access in a harmful way. This includes employees, contractors, and third-party vendors. The harm can be intentional (theft, sabotage, extortion) or unintentional (negligence, falling for phishing). Vendor employees count as insiders when they have access to your network and systems.
How common are insider threats for small businesses?
More common than most people realize. The Verizon 2025 DBIR found that internal actors were involved in roughly 1 in 5 breaches. Small businesses are actually more vulnerable because they tend to have fewer access controls, less monitoring, and tighter relationships with vendors where boundaries can blur.
What certifications should my IT security vendor have?
SOC 2 Type II is the most important because it verifies ongoing security practices through independent audit. ISO 27001 is valuable for companies with international operations. Industry-specific certifications matter too: look for HIPAA compliance expertise if you are in healthcare, or FTC Safeguards Rule knowledge if you are in automotive or financial services. Individual technician certifications like CISSP, CompTIA Security+, and Microsoft security credentials also add confidence.
Can I audit my IT vendor's security practices?
Yes, and you should. Include a right-to-audit clause in your service agreement. This gives you the contractual ability to review their security controls, either through your own team or a third-party assessor. A good vendor will not only agree to this but will proactively share audit results and security documentation.
What should I do if I suspect my IT vendor has been compromised?
First, do not tip them off until you have a plan. Contact an independent cybersecurity firm or managed security provider to conduct a quiet assessment. Change all credentials that the suspected vendor has access to. Review logs for unusual activity. If you find evidence of wrongdoing, contact law enforcement. The FBI's Internet Crime Complaint Center (IC3) at ic3.gov handles cybercrime reports.