Ryuk Ransomware Member Pleads Guilty in U.S. Court
What happened
Karen Serobovich Vardanyan, a 34-year-old Armenian man, pleaded guilty in the United States to charges tied to hacking U.S. companies and deploying Ryuk ransomware. He had been arrested in Kyiv in April 2025 and later extradited to the United States after prosecutors accused him of providing initial access to corporate networks.
Court documents say Vardanyan helped illegally access multiple U.S. organizations between November 2019 and April 2020 and worked with co-conspirators to deploy Ryuk ransomware across compromised servers and workstations. In one cited case, a Michigan company paid 200 bitcoin, worth more than $1.1 million at the time. Prosecutors also referenced attacks on a technology company in Wilsonville, Oregon, and a school in Texas.
The U.S. Department of Justice said Vardanyan and his co-conspirators received roughly 1,610 bitcoin in ransom payments, valued at about $15 million at the time. Ryuk was active from 2018 until mid-2020 and became one of the most damaging ransomware operations of its era, hitting organizations across many sectors, including healthcare during the COVID-19 pandemic.
Vardanyan was indicted by a federal grand jury in Portland in February 2024 and is scheduled for sentencing in September 2026. He faces up to 15 years in prison across two charges, along with potential fines of $250,000 per charge. As part of his plea agreement, he agreed to pay more than $1.1 million in restitution.
Who is affected
The directly affected victims include U.S. organizations that were compromised and encrypted by Ryuk between 2019 and 2020, including a Michigan company, an Oregon technology company, and a Texas school identified in court filings.
The case is also relevant to organizations previously affected by Ryuk, Conti, and related ransomware groups because many operators, affiliates, and techniques from earlier ransomware crews later moved into newer cybercrime ecosystems.
Healthcare, education, technology, and other sectors remain exposed to similar ransomware tradecraft, especially where attackers can obtain initial access, move laterally, and deploy encryption across many systems at once.
Why CISOs should care
This case shows how ransomware operations depend on more than the final encryption payload. Initial access brokers, network intruders, affiliates, and operators all play roles in turning access into ransom payments.
For CISOs, the Ryuk timeline is a reminder that ransomware cases can remain legally active years after the incidents. Investigations, extraditions, indictments, guilty pleas, and restitution can continue long after a ransomware brand disappears.
The Ryuk-to-Conti connection also matters. Even when one ransomware operation shuts down, experienced operators often move into new groups, reuse tactics, or support successor ecosystems.
The broader lesson is that ransomware defense should focus on the full intrusion chain: preventing initial access, detecting lateral movement, limiting privileged access, protecting backups, and preparing for coordinated response before encryption begins.
3 practical actions
Strengthen controls against initial access: Ryuk attacks depended on illegal access to corporate networks before ransomware deployment. CISOs should prioritize phishing-resistant MFA, exposed-service hardening, credential monitoring, and rapid containment of suspicious logins.
Detect lateral movement before encryption: Security teams should alert on unusual administrative activity, remote execution, mass authentication attempts, privilege escalation, and suspicious access to many servers or workstations.
Prepare ransomware recovery and legal response: Organizations should maintain tested offline or immutable backups, define ransom decision workflows, preserve forensic evidence, and know when to involve law enforcement and external incident response support.
Cybersecurity in the news:


