Skip to main content
Emerging ThreatsMalware & Ransomware

Armenian National Pleads Guilty to Ryuk Ransomware Conspiracy

Man sits somberly in a courtroom or government agency setting, hands clasped or holding a document.

Vardanyan and his co-conspirators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments, the Justice Department said Thursday.

The guilty plea and charges

An Armenian national extradited from Ukraine last year, Karen Serobovich Vardanyan, pleaded guilty to computer fraud and conspiracy to commit fraud and extortion, the Justice Department announced. The 34‑year‑old admitted to participating in cybercrime involving Ryuk ransomware that targeted U.S.-based organizations. According to the plea, his conduct occurred while he was living abroad and culminated in a formal admission in U.S. court.

The victims and ransom payments

Prosecutors named three specific victims linked to the charged conduct: a Michigan‑based company that paid a ransom of nearly $1.2 million in January 2020; a Watsonville, Oregon‑based technology company that was attacked in December 2019; and a Texas‑based school breached in February 2020. More broadly, the Justice Department’s filing cites Ryuk’s prevalence in 2019 and 2020 and lists known Ryuk victims including Hollywood Presbyterian Medical Center, Universal Health Services, Electronic Warfare Associates, a North Carolina water utility, and multiple U.S. newspapers.

Operational timeline, scope, and methods

Vardanyan admitted participating in Ryuk deployments from November 2019 to April 2020, during which he and co‑conspirators deployed Ryuk ransomware against the three U.S. organizations named in the plea while living in Ukraine and Russia. Prosecutors previously accused Vardanyan and his co‑conspirators of illegally accessing computer networks and deploying Ryuk on hundreds of compromised servers and workstations between March 2019 and September 2020. The operators extorted victim companies by demanding ransom payments in Bitcoin in exchange for decryption keys.

Co‑conspirators, extradition, and locations

The Justice Department’s earlier accusations identified co‑conspirators as Ukrainian nationals Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, and Armenian national Levon Georgiyovych Avetisyan. The charged activity and the plea place several alleged participants in Ukraine and Russia at times when Ryuk was deployed against U.S. victims. Vardanyan was extradited from Ukraine to the United States last year before entering his guilty plea.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The plea underscores prosecutors’ view that Ryuk operations involved coordinated access to hundreds of servers and workstations and monetization via Bitcoin — specific operational patterns that defenses and forensic programs may map to incident response playbooks.
  • Policymakers and law enforcement: The case demonstrates cross‑border movement of suspects (extradition from Ukraine) and a federal prosecution pursued in the U.S. District Court for the District of Oregon, reinforcing that extradition and federal charges are among available legal tools.
  • Affected enterprises and institutions: The named victims — a private company, a technology firm, and a school — echo Ryuk’s broad target set reported during 2019–2020, a span during which hospitals, utilities, and media organizations were also listed among Ryuk’s victims.

Legal consequences and the court schedule

Under the plea, Vardanyan agreed to pay restitution and faces statutory exposure of up to 15 years in jail. The Justice Department notification states that Vardanyan “agreed to pay nearly $1.2 million million in restitution and faces up to 15 years in jail.” He also acknowledged that his conviction will have immigration consequences resulting in removal from the United States after serving his sentence. The U.S. District Court for the District of Oregon has not yet scheduled sentencing.

The case ties a string of high‑profile Ryuk intrusions to named individuals and quantifies the financial flows prosecutors attribute to the group — about 1,160 bitcoins, more than $15 million at the time — while leaving scheduled sentencing and the practical restitution timeline to the court. Read the original CyberScoop report here: https://cyberscoop.com/karen-vardanyan-armenian-ryuk-ransomware-guilty/