Ransomware Negotiator Convicted of Aiding BlackCat: Third-Party IR Vendor Risk for SAMA Banks

A ransomware negotiator pleaded guilty to feeding victim secrets to BlackCat operators — exposing a $75M insider threat that SAMA-regulated banks cannot ignore.

FyntraLink Team

Angelo Martino, a professional ransomware negotiator employed by cybersecurity firm DigitalMint, was sentenced to four years in federal prison on May 9, 2026 after pleading guilty to conspiring with ALPHV/BlackCat ransomware operators. While hired to defend victims, Martino secretly leaked insurance policy limits and negotiation strategies to the attackers — helping them extract $75.25 million across five engagements, including $25.66 million from a single U.S. financial services firm.

How a Trusted Negotiator Became the Threat

Ransomware negotiation has become a standard component of incident response (IR) for financial institutions worldwide. Banks retain third-party firms to communicate with threat actors, buy time for recovery, and minimize payout. The implicit trust placed in these vendors is enormous: they receive unredacted forensic reports, cyber insurance policy details, board communications, and real-time recovery status updates.

Martino exploited that trust systematically. Court filings reveal he provided BlackCat operators with each victim's maximum insurance coverage, their walk-away price, and internal deadlines — information that allowed the gang to calibrate demands for maximum extraction. In at least one case, Martino and two co-conspirators, Kevin Tyler Martin and Ryan Clifford Goldberg, deployed ransomware themselves against a target and then split the $1.2 million Bitcoin payment three ways.

The scheme went undetected for over a year because victims had no visibility into their negotiator's back-channel communications. The leak happened on the vendor's side, over personal devices and encrypted messaging apps outside the victim's perimeter, so none of the victim's own technical controls (EDR, SIEM, network monitoring) ever saw the traffic. Catching a human insider inside an advisory firm is a contractual and procedural problem, not one a sensor solves.

Why This Case Matters for Saudi Financial Institutions

SAMA's Cyber Security Framework (CSF) places explicit obligations on member institutions regarding third-party risk management. Its Third Party Cyber Security domain (3.4) requires banks to evaluate the cybersecurity posture of all service providers with access to sensitive data or critical systems. Incident response vendors, by definition, gain access to both.

Yet most SAMA-regulated banks treat IR retainer agreements as procurement exercises rather than high-risk vendor onboarding events. The typical due diligence stops at confirming certifications (ISO 27001, SOC 2) and checking references. None of these controls would have detected Martino's betrayal. The lesson is stark: certification does not equal trustworthiness at the individual operator level.

NCA's Essential Cybersecurity Controls (ECC) reinforce this through Domain 4 (Third-Party and Cloud Computing Cybersecurity), in particular Subdomain 4-1 (Third-Party Cybersecurity), which requires organizations to ensure that third-party providers comply with national cybersecurity requirements and that contractual agreements include provisions for data protection, audit rights, and incident notification. A corrupted IR negotiator defeats every one of these provisions at once: the contract is intact on paper, the audit right goes unexercised, and the incident notification never arrives.

The $75 Million Blind Spot in Vendor Due Diligence

Traditional vendor risk assessments focus on technical controls: encryption standards, access management, vulnerability scanning cadences. The Martino case exposes a category of risk that sits entirely outside these frameworks — strategic insider compromise within a trusted advisory relationship.

Consider what an IR vendor receives during a ransomware engagement: full forensic images of compromised systems, Active Directory topology maps, backup architecture documentation, cyber insurance policy details including coverage limits and deductibles, board-level communications about acceptable loss thresholds, and real-time status of recovery operations. A malicious insider with access to this intelligence can cause damage that dwarfs the original ransomware attack.

For SAMA-regulated institutions handling customer financial data protected under PDPL (Personal Data Protection Law), a compromised IR vendor creates a secondary data breach that may trigger additional regulatory notification obligations under Article 20 of the PDPL — irrespective of the original ransomware incident.

Practical Recommendations for SAMA-Regulated Banks

  1. Mandate Background Checks on Individual Operators: Extend due diligence beyond the vendor entity. Require named personnel assignments for IR engagements and conduct independent background verification. SAMA CSF domain 3.4 (Third Party Cyber Security) supports this interpretation: the framework requires assurance that third-party personnel meet security requirements.
  2. Implement Communication Channel Oversight: Contractually require that all communications between your IR vendor and threat actors occur through monitored, auditable channels. Prohibit the use of personal devices or unmonitored encrypted messaging platforms during active engagements.
  3. Establish Dual-Vendor IR Retainers: Retain two independent IR firms. Use one for technical forensics and a separate firm for negotiation. This separation of duties prevents any single vendor from holding both the technical intelligence and the negotiation authority at once. It does not replace steps 2 and 4: the negotiating firm still has to be given a ceiling, so tell it only what it needs (a mandate, not the policy schedule).
  4. Require Real-Time Audit Rights: Amend IR retainer contracts to include real-time audit rights during active engagements, consistent with NCA ECC Subdomain 4-1 (Third-Party Cybersecurity). Your internal CISO or designated security officer should have visibility into all negotiation transcripts within 24 hours.
  5. Conduct Post-Incident Vendor Reviews: After every IR engagement, perform an independent review of the vendor's actions, communications, and outcomes. Compare the negotiation trajectory against industry benchmarks for similar threat actors. Anomalous concession patterns or unusually high settlement amounts warrant investigation.
  6. Include IR Vendors in Tabletop Exercises: Run annual tabletop exercises that specifically test the integrity of the IR vendor relationship. Simulate scenarios where the vendor provides contradictory advice or where leaked intelligence appears in threat actor communications.
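Steps 4 and 5 only pay off if someone actually reads the transcripts with a specific question in mind: does the attacker know something that was told only to the negotiator? The script below is an added example written for this article, not code from the page, from DigitalMint, or from any bank. It assumes the bank records a short list of negotiator-only facts (the insurance limit, the walk-away price, and a fake policy reference handed to the negotiator as a canary) and that the vendor exports the negotiation as one `timestamp | sender | text` line per message; both the secrets and the transcript format are assumptions, and the sample transcript and figures are constructed.

```python
"""Transcript integrity check for a ransomware negotiation.

Added example (not code from the article or from any vendor named in it).
It assumes the bank keeps a small set of facts that were shared ONLY with the
negotiator (insurance limit, walk-away price, a canary reference number) and
checks whether any of them surface in the threat actor's own messages.
The 'ts | sender | text' transcript export format is an assumption."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    ts: str
    sender: str  # "actor" or "negotiator"
    text: str


@dataclass
class Finding:
    ts: str
    kind: str    # "secret_amount" or "canary"
    detail: str


# Dollar amounts such as $4,000,000, $12M, $750k, $2.5 million
MONEY_RE = re.compile(
    r"\$\s*([0-9][0-9,]*(?:\.[0-9]+)?)\s*(million|thousand|m|k)?\b", re.I)
SCALE = {"million": 1e6, "m": 1e6, "thousand": 1e3, "k": 1e3}


def parse_transcript(raw: str) -> list[Message]:
    """Parse one message per line: '<timestamp> | <sender> | <text>'."""
    msgs = []
    for line in raw.strip().splitlines():
        ts, sender, text = (part.strip() for part in line.split("|", 2))
        msgs.append(Message(ts, sender.lower(), text))
    return msgs


def extract_amounts(text: str) -> list[float]:
    """Return every dollar amount in the text, normalised to plain dollars."""
    amounts = []
    for number, suffix in MONEY_RE.findall(text):
        value = float(number.replace(",", ""))
        if suffix:
            value *= SCALE[suffix.lower()]
        amounts.append(value)
    return amounts


def audit(msgs, secrets, canaries, tolerance=0.02) -> list[Finding]:
    """Flag actor messages that quote a negotiator-only amount (within
    `tolerance` of it) or a canary string. Negotiator messages are skipped:
    the question is what the other side knows, not what our side said."""
    findings = []
    for m in msgs:
        if m.sender != "actor":
            continue
        for amount in extract_amounts(m.text):
            for name, value in secrets.items():
                if abs(amount - value) <= tolerance * value:
                    findings.append(Finding(
                        m.ts, "secret_amount",
                        f"actor quoted ${amount:,.0f}, within {tolerance:.0%} "
                        f"of {name} (${value:,.0f})"))
        lowered = m.text.lower()
        for canary in canaries:
            if canary.lower() in lowered:
                findings.append(Finding(
                    m.ts, "canary", f"actor quoted canary '{canary}'"))
    return findings


# Constructed sample, not a real negotiation. All figures are invented.
SECRETS = {"insurance_limit": 12_000_000.0, "walk_away_price": 2_500_000.0}
CANARIES = ["HX-7741"]  # fake policy reference given only to the negotiator
SAMPLE_TRANSCRIPT = """
2026-03-02T09:00Z | actor | We hold 2 TB of your data. Price is $4,000,000.
2026-03-02T10:15Z | negotiator | We need proof of the data before anything else.
2026-03-03T08:30Z | actor | We know your policy pays out up to $12M. That is our price.
2026-03-03T09:00Z | negotiator | That is not a number we can take to the board.
2026-03-04T11:00Z | actor | Reference HX-7741 will not save you. Pay and move on.
2026-03-05T14:20Z | actor | Final offer: $2,500,000. We are being generous.
"""


def run_sample() -> list[Finding]:
    """Run the audit over the constructed transcript above."""
    return audit(parse_transcript(SAMPLE_TRANSCRIPT), SECRETS, CANARIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts}  {f.kind:14s} {f.detail}")
```

On the constructed transcript the first demand ($4,000,000) matches nothing, while the later messages produce three findings: a demand within 2% of the insurance limit, the canary reference quoted back by the attacker, and a "final offer" equal to the walk-away price. One such hit in a real engagement is not proof of a corrupt negotiator (attackers also read stolen insurance documents from the victim's own file shares), but it is exactly the anomaly step 5 says warrants investigation, and the canary in particular can only have come from the people you briefed.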

Regulatory Alignment: Turning Incident into Compliance Improvement

Banks that proactively address IR vendor risk position themselves favorably for SAMA examination cycles. Examiners increasingly scrutinize third-party management programs, and the ability to demonstrate awareness of emerging risks — like insider compromise within advisory firms — signals mature cybersecurity governance.

Organizations should map these controls to specific SAMA CSF domains: 3.4 (Third Party Cyber Security) for vendor assessment and monitoring, 3.2 (Cyber Security Risk Management and Compliance) for integrating IR vendor risk into the enterprise risk register, and 3.3 (Cyber Security Operations and Technology) for technical controls around communication monitoring during incidents.

PCI-DSS v4.0.1 Requirement 12.8 further mandates that service providers with access to cardholder data environments are monitored for compliance throughout the relationship — not just at onboarding. An IR vendor examining a compromised payment processing system falls squarely within this scope.

Conclusion

The conviction of Angelo Martino is not an isolated anomaly — it is a warning signal that the incident response vendor ecosystem carries risks that traditional due diligence frameworks were never designed to catch. For SAMA-regulated financial institutions, the response must go beyond policy updates. It requires structural changes to how IR vendors are selected, monitored, and held accountable during the most vulnerable moments of a cybersecurity crisis.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes third-party vendor risk evaluation for your incident response supply chain.