Ransomware Recovery Firms Share in the Hacking Spoils
If your business or your local school district is hit with a ransomware attack, where hackers disable computer networks and demand money to restore them, you can turn to a nascent yet professionalized group of insurers, lawyers, and incident response firms that can help with response and recovery. Think of it like a pro football team.
Insurance carriers are the quarterbacks of the industry. They help clients reduce exposure to cybersecurity risks before an attack, and coordinate responses to get business assets back after attacks. Every quarterback needs a running back, which is where law firms enter the equation. Businesses and public-sector entities rely on legal counsel to engage in crisis management, ensuring compliance with breach notification requirements, coordinating with law enforcement, overseeing internal investigations, preserving evidence, and weighing in on ransom negotiations.
Incident response firms and ransomware negotiators are also part of the team. They serve as intermediaries between victims and threat actors to deliver the best possible outcome for their clients. Negotiators communicate directly with hackers, often gathering intelligence to facilitate data recovery and minimize ransom payouts. Given that ransomware attacks can severely disrupt an organization’s day-to-day operations, paying a negotiated ransom may prove more cost-effective than extended data recovery.
But a chain is only as strong as its weakest link. Many of the same incident response firms that provide ransomware negotiation services also process payments from victims to threat actors, almost always in the form of cryptocurrency. It’s a little like your star wideout playing for both teams at the same time.
Last month, two former incident response firm employees pleaded guilty to knowingly participating in a ransomware scheme targeting U.S. businesses. According to the Department of Justice, the defendants, Ryan Clifford Goldberg and Kevin Tyler Martin, colluded with cyber criminals to deploy a ransomware variant known as BlackCat and extort multiple companies from May 2023 to April 2025. Total losses from the scheme exceeded $9.5 million. Goldberg and Martin now face up to 20 years in prison. Their sentencing is scheduled for March.
“Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” said U.S. Attorney for the Southern District of Florida Jason A. Reding Quiñones. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”
The primary goal of a ransomware negotiator is to minimize payouts, but the bigger the ransom, the more money an incident response firm can earn.
Goldberg previously worked for Sygnia, a global cybersecurity company. Martin worked as a ransomware negotiator for the Chicago-based incident response firm DigitalMint. The case rocked the ransomware response and recovery industry. In an interview with the Prospect, one industry insider who requested anonymity described the scheme as “the ultimate betrayal of trust.”
Martin was featured in DigitalMint’s employee spotlight just a few months before the Justice Department filed its criminal indictment. “We bridge the gap between good, hard-working people and bad actors to make sure clients get the best possible outcome,” he said at the time. DigitalMint also expressed gratitude for his “hard work, dedication, and ongoing commitment to ensuring our clients’ security and peace of mind.”
“The terminated employees charged or assumed to be charged in the indictment acted wholly outside the scope of their employment and without any authorization, knowledge, or involvement from the company,” a spokesperson for DigitalMint told the Prospect. “The alleged misconduct is a direct violation of our company’s ethical standards, and not representative of the company’s overall operations or values.”
The firm, which is not implicated in the criminal case and “remains in full cooperation” with law enforcement, started out as a crypto ATM company in 2014 before exiting the market a decade later. DigitalMint CEO Marc Grens seemed to have a moral epiphany about the illicit nature of the business, telling the Chicago-Sun Times: “The moral of the story is, if you do the right thing this industry wouldn’t exist.”
Today, DigitalMint provides ransomware negotiation and payment processing services. But some have criticized the firm’s practices.
“This company moved from grift to grift,” the insider said. “DigitalMint is a poster child for lawlessness.”
DigitalMint appears to have borne the brunt of the fallout from the criminal case against its former employees, including Martin and an unnamed co-conspirator. The insider claimed that DigitalMint has fallen out of the ransomware response and recovery industry’s good graces. “All of these different cogs in the [cybersecurity] machine have lost their confidence in DigitalMint,” they said.
INSIDER THREATS TYPICALLY EMERGE when a hacker gains access to breached credentials belonging to a business or public-sector entity, which makes the ransomware scheme involving DigitalMint’s former employees unique.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva.
But it’s not the first time the call was coming from inside the house. As a 2019 ProPublica investigation revealed, some incident response firms have charged victims substantial fees on top of ransom payouts to hackers, sometimes facilitating payments without their clients’ consent. Those same firms employed negotiators who maintained direct relationships with hackers.
While it is not uncommon for incident response firms to provide both ransomware negotiation and payment processing services, business models with fixed-fee structures are few and far between. Incident response firms without fixed fees tend to be more prone to insider threats. Those firms charge payment processing fees based on the complexity of a transaction, so while revenues may not be tied to the size of a ransom, larger ransom payments can generate higher costs because they require more labor, controls, and compliance steps. Industry critics say this creates a structural misalignment between both sides of the business.
In other words, the primary goal of a ransomware negotiator is to minimize payouts, but the bigger the ransom, the more money an incident response firm can earn if it does not charge fixed fees. According to DigitalMint’s terms of service, “the fees for services rendered by DigitalMint will be as set forth in such applicable agreement.” In other words, fees are negotiated and set by contract, not predetermined, as is the case under a fixed-fee arrangement.
“We firmly reject the notion that our business model creates misaligned incentives,” the DigitalMint spokesperson told the Prospect. “We employ experts incentivized on successful client outcomes, such as data recovery and threat elimination, not on the size of a payment.”
“As a professional services firm, our pricing is consistent with industry standards for high-level incident response and forensic recovery,” the spokesperson said. “We do not publicly disclose the specific breakdown of our fee schedules for security and competitive reasons.”
DigitalMint also stated that “this is not an uncommon business model in the cyber incident response industry,” adding that firms like Coveware “perform the same services and are exposed to the same perceived risks.”
Coveware does perform the same services, but it charges what are known as “flat per incident fees,” which do not add up over time.
Since its founding in 2018, Coveware has distinguished itself as a member of the ransomware response and recovery industry. In addition to pushing for wider adoption of fixed-fee models, Coveware has an internal policy designed to dismantle the “connective tissue” between ransomware negotiators and cyber criminals. Per that policy, the firm does not accept clients who are referred to Coveware by threat actors.
“The bad guys would attack a company … and actually refer these victims” to incident response firms they had relationships with, Coveware CEO Bill Siegel told the Prospect.
He continued: “A lot of times, the clients would be like, ‘I can’t believe you’re turning me away. This feels very unfair.’ We agree it is unfair, but we can’t have a thread of connectivity … we cannot help you if you found out [about] us because a cyber criminal told you to come talk to us.”
In June 2022, Siegel testified before Congress at a Senate Committee on Homeland Security and Governmental Affairs hearing on the threats posed by crypto-enabled ransomware attacks. His testimony came three months after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure operators to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
“Coveware has been vocal in our support for mandatory reporting for some time. Our hope is that reporting requirements will eventually be extended to all victims of ransomware, not just organizations under the oversight of CISA,” Siegel said at the time.
CISA has been without a Senate-confirmed permanent director since the start of the second Trump administration. As BankInfoSecurity’s Chris Riotta observed last month, “The prolonged vacancy has coincided with significant staffing cuts inside the agency, including the elimination of some mission areas. Senior personnel have departed in large numbers as political turbulence continues to shape internal operations.” In October 2025, President Trump effectively shuttered CISA’s Stakeholder Engagement Division, laying off nearly 100 employees whose purpose was to “coordinate critical infrastructure cybersecurity improvements with states and local governments, private businesses and foreign countries,” Cybersecurity Dive reported.
Despite this, Siegel pointed to the kidnap and ransom (K&R) solutions space as “an important corollary” to the ransomware response and recovery industry, in large part because “the structural setup between specialty firms, the end clients, insurance companies, is basically the same.” K&R has been around for decades, Siegel explained. The cyber extortion world’s existence in that space predates the ransomware response and recovery industry.
Taking a chapter from the K&R playbook could prove instructive.
“It’s always been interesting to see, as our industry develops, how there’s really no new issues,” Siegel said. “There’s issues that evolved in K&R that were worked out within K&R, but that industry is also very insular, and unless you sort of cross-pollinate the ideas, you’re sort of blind to some of the things that are transpiring [in ransomware and recovery].”
The post Ransomware Recovery Firms Share in the Hacking Spoils appeared first on The American Prospect.