Skip to main content
Emerging ThreatsMalware & Ransomware

Ryuk Ransomware Operative Pleads Guilty, Faces 15-Year Sentence

Formal courthouse interior with documents and law enforcement items under daylight.

“Vardanyan and his co-conspirators illegally accessed computer networks of victim companies and deployed ransomware on hundreds of compromised servers and workstations,” the U.S. Department of Justice said — a blunt summary of a multi-year criminal campaign that pulled in roughly 1,610 bitcoins, valued at about $15 million at the time, according to prosecutors.

Karen Serobovich Vardanyan’s guilty plea and extradition

Karen Serobovich Vardanyan, a 34‑year‑old Armenian man, has pleaded guilty in a U.S. federal case after being extradited from Ukraine. He was arrested in Kyiv in April 2025 for providing initial access to corporate networks and later transferred to the United States. Vardanyan was indicted in February 2024 by a federal grand jury in Portland and is scheduled to be sentenced in September 2026.

What prosecutors say Vardanyan did between November 2019 and April 2020

According to court documents cited by prosecutors, Vardanyan illegally accessed the computer systems of multiple U.S. organizations and helped deploy the Ryuk ransomware across their networks between November 2019 and April 2020. The Justice Department’s statement characterizes the conduct as a coordinated effort that encrypted systems and targeted hundreds of servers and workstations.

Three documented attacks and the scale of payments

Prosecutors identified several concrete incidents in their filings. In one breach of a Michigan company, the victim paid 200 bitcoins — which the source describes as worth more than $1.1 million at the time. Other attacks called out by prosecutors include a technology company in Wilsonville, Oregon, and a school in Texas. Overall, the DoJ says Vardanyan and his co‑conspirators received about 1,610 bitcoins in ransom payments during the relevant period, a sum the agency places at roughly $15 million at the time of payment.

The Ryuk operation, Conti, and the criminal landscape

Prosecutors place Vardanyan’s role within the broader Ryuk ransomware operation, active from 2018 until mid‑2020. The source reports that Ryuk carried out high‑profile attacks across nearly every sector, explicitly including healthcare providers during the COVID‑19 pandemic. At its peak, Ryuk is estimated to have breached roughly 20 organizations per week and to have generated more than $150 million in criminal proceeds. Following Ryuk’s shutdown in 2020, many members reportedly moved into the Conti ransomware operation; Conti later disbanded in 2022 after internal chats and source code were leaked, and its members splintered into numerous cybercrime groups, some of which the source says remain active.

Legal exposure: charges, penalties, and restitution

Vardanyan pleaded guilty to two separate charges and faces a maximum sentence of 15 years in prison. He also faces monetary penalties: fines of $250,000 for each count. As part of his plea agreement, he has agreed to pay more than $1.1 million in restitution. The formal sentencing hearing is set for September 2026 in the U.S. federal system.

What this means for security teams, prosecutors, and affected organizations

Security teams: The Justice Department’s description that Ryuk operatives “deployed ransomware on hundreds of compromised servers and workstations” underscores the scale and operational breadth that defenders must account for when assessing past incidents and designing detection and containment strategies.

Prosecutors and courts: The extradition, indictment by a federal grand jury in Portland, guilty plea, and the September 2026 sentencing date show the multi‑jurisdictional and multi‑year path that high‑profile cybercrime prosecutions can follow — including negotiated restitution and statutory fines.

Affected enterprises and schools: The filing documents concrete, costly outcomes — a Michigan company’s 200 BTC payment (more than $1.1 million at the time) and a restitution agreement exceeding $1.1 million — that illustrate both the immediate financial impact on victims and the partial recovery mechanisms the criminal justice process can produce.

The record in this case ties a named defendant to a widely observed ransomware campaign, catalogs specific victims and payments, and places the individual’s plea within the longer arc of Ryuk’s rise and the later dispersal of its actors into other criminal operations. Vardanyan’s September 2026 sentencing will resolve his personal legal exposure, while the broader network of actors the source describes — and the payments and systems affected over several years — remains part of the operational legacy prosecutors cited.

Original story