Sentencings Issued in Two Ransomware Cases Involving Healthcare Data

Two American cybersecurity professionals were sentenced on April 30, 2026, to four years each in prison for their role in a conspiracy to obstruct, delay, or affect commerce through extortion in connection with ransomware attacks in 2023.

According to court documents, they and another co-conspirator deployed the ransomware known as ALPHV BlackCat between April and December 2023 against multiple victims across the United States. The three men agreed to pay ALPHV BlackCat administrators a 20 percent share of any ransoms received in exchange for access to the ransomware and its extortion platform. All three worked in the cybersecurity industry, meaning they had specialized skills in securing computer systems against the type of harm they carried out in this case.

After extorting approximately $1.2 million in Bitcoin from one victim, the group split their 80 percent share of the ransom and laundered the funds through various means.

Court documents indicate that ALPHV BlackCat targeted the computer networks of more than 1,000 victims worldwide. The group operated a ransomware-as-a-service model in which developers created and maintained the ransomware and supporting infrastructure, while affiliates identified and attacked victim organizations. Ransom payments were then shared between developers and affiliates.

According to the Justice Department’s Criminal Division, the attacks affected organizations providing medical and engineering services, including a case involving the leak of patient data from a medical practice.

In addition to participating in ransomware attacks, the third defendant also abused his role as a negotiator for victims by sharing confidential information with threat actors to increase ransom demands. His sentencing is scheduled for July 9.

In a separate case, a Latvian national was sentenced on May 4, 2026, to 102 months in prison for his role in a Russian ransomware organization responsible for theft and extortion involving more than 54 companies. According to court documents, the defendant, based in Moscow, was affiliated with a group linked to former members of the Conti ransomware operation. The organization used multiple names in ransom notes, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. Between approximately June 2021 and August 2023, the group stole data from more than 54 companies, including many in the United States.

The defendant’s role focused on increasing pressure on victims who did not immediately pay ransom demands. He analyzed stolen data, researched victim organizations, and used access to sensitive and personal information to intensify extortion efforts.

In one attack on a pediatric healthcare company, he used children’s health information to pressure the victim. When ransom efforts failed, he encouraged co-conspirators to leak or sell the data to increase fear among future victims. He later distributed a large set of sensitive data to hundreds of patients rather than sending individualized disclosures.

Of the more than 54 companies affected, 13 reported losses totaling over $56 million, including approximately $2.8 million in ransom payments. This estimate excludes an additional 41 victim companies that collectively paid about $13 million but have not provided detailed loss statements. Due to the underreporting of ransomware incidents, total losses remain uncertain. Based on available data, the government estimates that overall losses during the defendant’s period of involvement likely reached hundreds of millions of dollars.

Compliance Perspective

Issue

Ransomware continues to present a significant risk to organizations that maintain sensitive electronic information. Attackers often exploit system vulnerabilities, weaknesses in access controls, and human factors to gain entry, exfiltrate data, and disrupt operations. The increasing use of ransomware-as-a-service models has lowered the barrier to entry for threat actors, contributing to the frequency and scale of attacks. Organizations that maintain protected health information and other sensitive data remain particularly vulnerable due to the value and critical nature of their systems.

Discussion Points

  • Review policies and procedures related to cybersecurity, data protection, and incident response. Ensure they address prevention, detection, and response to unauthorized access, ransomware, and data exfiltration. Policies should clearly define roles, responsibilities, and reporting and response procedures for security incidents. Periodic review with a qualified compliance consultant can help identify gaps, incorporate current threat information, and strengthen overall preparedness.
  • Provide education and training to staff on cybersecurity awareness, including recognizing phishing attempts, safeguarding login credentials, and properly handling sensitive information. Training should also address how to detect and report potential security incidents. Med-Net Academy offers the course Understanding and Preventing Ransomware Attacks and Other Cyber Assaults, which explains how ransomware operates, outlines the consequences of an attack, and highlights the risks associated with advanced persistent threats and zero-day exploits in healthcare. The course includes case studies and practical steps staff can take to protect systems and reduce the risk of infection. Ongoing education should be provided at onboarding and reinforced regularly to address evolving threats.
  • Conduct routine audits to assess adherence to cybersecurity policies and the effectiveness of existing safeguards. Audits should include review of access controls, system updates, and staff compliance with established procedures. Independent or consultant-supported assessments, including mock reviews or targeted evaluations, can provide additional insight into potential vulnerabilities and support timely corrective action. Contact Med-Net Healthcare Consulting or info@mednetconcepts.com for more information.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*