After years on the run, alleged Ryuk ransomware operator pleads guilty

Filip TRUȚĂ

July 13, 2026

After years on the run, alleged Ryuk ransomware operator pleads guilty

A suspected member of the notorious Ryuk ransomware operation has pleaded guilty in a US federal court after being extradited from Ukraine.

Karen Serobovich Vardanyan, a 34-year-old Armenian national, admitted to participating in a conspiracy that targeted companies across the United States between late 2019 and early 2020.

The attacks allegedly led to more than $15 million in ransom payments from victims.

Key takeaways:

  • An alleged Ryuk ransomware operator has pleaded guilty after being extradited from Ukraine
  • Prosecutors say the conspiracy targeted hospitals, municipalities, manufacturers, schools, and large enterprises
  • Victims are said to have paid more than $15 million in ransom
  • The defendant faces up to 15 years in prison and has agreed to pay nearly $1.2 million in restitution
  • Bitdefender recommends deploying a dedicated security solution to stem the chances of a successful ransomware attack

A key role in Ryuk attacks

According to the US Department of Justice, Vardanyan pleaded guilty to conspiracy and computer fraud for helping compromise corporate networks that were later encrypted with Ryuk ransomware.

Investigators say he and his co-conspirators obtained unauthorized access to victim organizations before deploying ransomware and demanding payment in exchange for restoring access to critical systems. The attacks took place between November 2019 and April 2020 while Ryuk was among the world's most active ransomware operations.

According to the DOJ:

Between November 2019 through April 2020, Vardanyan illegally accessed computer networks of victim companies to deploy Ryuk ransomware on compromised servers and workstations.
As part of the scheme, ransom payments were extorted from victim companies in exchange for decryption keys to regain access to their data. A ransom note was placed on the computer systems demanding ransom payments in Bitcoin, a form of cryptocurrency, and provided an email address that victims could use to communicate with the cybercriminals.
Vardanyan worked with his co-conspirators to attack a company in Michigan that paid 200 bitcoin or over $1.1 million at the time of payment to restore access to their network.
Vardanyan and his co-conspirators are alleged to have received approximately 1,610 bitcoins in ransom payments from the victim companies, which was valued at over $15 million at the time of payment.

Extradited from Ukraine

US authorities said Vardanyan was arrested in Kyiv in 2025, extradited to the United States, and entered his guilty plea in federal court in Portland, Oregon. Sentencing is scheduled for later this year, where he faces a maximum prison sentence of 15 years. He has also agreed to pay nearly $1.2 million in restitution to victims.

The investigation involved the FBI alongside Europol, authorities in Ukraine and France, and other international partners. The case follows a series of arrests, extraditions, infrastructure seizures, and sanctions targeting ransomware groups over the past several years.

Ryuk's legacy

While these actions have disrupted many established gangs, ransomware remains one of the most profitable forms of cybercrime, with new groups emerging as older operations are dismantled or rebrand under different names.

Although Ryuk has largely disappeared from today's ransomware landscape, its influence is still felt.

The malware, active between 2018 and 2021, became notorious for targeting hospitals, municipalities, manufacturers, schools, and large enterprises. Rather than relying on mass phishing campaigns alone, Ryuk operators often spent days or weeks inside victim networks, stealing credentials, moving laterally, and identifying the systems whose encryption would cause the greatest disruption.

Security researchers have long associated Ryuk with sophisticated cybercriminal groups operating from Eastern Europe. Many attacks were believed to begin with malware such as TrickBot or Emotet, which provided the initial foothold inside corporate environments.

The campaign helped shape what has since become the standard ransomware playbook:

  • Gain privileged access
  • Disable defenses
  • Encrypt critical assets
  • Pressure victims into paying large sums to restore operations

How to reduce ransomware risk

No single security measure can completely eliminate ransomware risk, but organizations can significantly reduce their exposure by:

  • Enabling multi-factor authentication across all critical accounts
  • Promptly patching internet-facing systems and remote access services
  • Segmenting networks to limit lateral movement
  • Maintaining offline or immutable backups that are regularly tested
  • Monitoring for suspicious credential use and privilege escalation
  • Training employees to recognize phishing and other social engineering attacks
  • Deploying layered endpoint protection capable of detecting ransomware behavior before encryption begins

Advice for small/medium-sized business owners

If you run a small or medium-sized business, thoroughly review your cybersecurity posture to prevent a breach at the hand of professional hacking groups. For some businesses, a ransomware attack can inflict losses that far outweigh the investment in a strong cybersecurity posture.

Bitdefender strongly recommends deploying a dedicated security solution to stem the chances of a successful attack.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite, designed specifically for small and medium-sized firms. It includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and VPN. It can be administered by anyone in your organization, thanks to a natural, intuitive dashboard designed for use even by non-techies.

You may also want to read:

New Jersey neurology practice fined $25,000 over ransomware incident

How scammers stole $20 million by hacking emails of real estate agents

£3 million fine for a victim of LockBit ransomware

tags


Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.

View all posts

You might also like

Bookmarks


loader