Ryuk ransomware suspect admits role in $15 million hacking spree

Karen Vardanyan pleaded guilty in a US court to breaking into company networks and helping unleash Ryuk ransomware, one of the most damaging extortion tools of 2019 and 2020.

ThreatVectr Newsdesk· 4 min read
A dim server room bathed in cold blue light, rows of rack-mounted servers with faint red status LEDs, one open cabinet showing tangled fibre cables, shallow dep
Share

Key points

  • Karen Serobovich Vardanyan, 34, pleaded guilty in a US federal court to helping run the Ryuk ransomware operation between November 2019 and April 2020.
  • One Michigan victim paid 200 bitcoin, worth more than $1.1 million at the time, to get its files back.
  • Prosecutors say Vardanyan and his co-conspirators collected about 1,610 bitcoin, roughly $15 million, in ransom payments.
  • He faces up to 15 years in prison and is scheduled to be sentenced in September 2026.
  • Vardanyan has agreed to pay more than $1.1 million in restitution as part of his plea deal.

An Armenian man has admitted to helping break into US company networks and unleashing Ryuk, a strain of ransomware, which is malicious software that scrambles a company's files until a payment is made.

Karen Serobovich Vardanyan, 34, was arrested in Kyiv in April 2025 and extradited to the United States. This week he pleaded guilty in a federal court in Portland, Oregon, as first reported by BleepingComputer.

His job, according to prosecutors, was the front door. He got into corporate networks illegally, then handed that access to partners who dropped the ransomware onto servers and staff computers.

How did the hackers actually get paid?

In cryptocurrency, and a lot of it. The US Department of Justice says Vardanyan and his co-conspirators received about 1,610 bitcoin in ransom payments, worth roughly $15 million at the time.

One case stands out. A company in Michigan paid 200 bitcoin, more than $1.1 million on the day, to get its systems unlocked. Two other named victims were a technology firm in Wilsonville, Oregon, and a school in Texas.

Court documents say the group encrypted hundreds of servers and workstations across the victim companies.

Who was Ryuk?

Ryuk was one of the nastiest ransomware crews of its era. It ran from 2018 until mid-2020 and hit almost every kind of organisation you can name, including hospitals during the early months of the COVID-19 pandemic.

At its peak, researchers estimated Ryuk was breaking into around 20 organisations a week and had pulled in more than $150 million overall.

The gang did not really vanish. When Ryuk wound down in 2020, many of the same people moved over to a new operation called Conti, which became one of the most prolific extortion groups on the internet. Conti itself fell apart in 2022 after someone leaked its internal chat logs and source code, and its members scattered into smaller crews that are still active.

What kind of break-ins were these?

Ryuk affiliates were not fussy about how they got in. During the period Vardanyan is charged with, the group leaned heavily on stolen or guessed passwords for remote access tools, and on phishing emails that dropped a first-stage virus called TrickBot or BazarLoader onto an employee's PC. From there they moved sideways through the network until they controlled the systems that mattered.

Would multi-factor authentication have helped? Honestly, in most Ryuk cases, yes. A large share of these intrusions started with a single reused password on a remote desktop or VPN account. A second factor, meaning a code from a phone or a hardware key, would have stopped a lot of them cold. It is not a silver bullet, but it is the closest thing the industry has.

What happens to Vardanyan now?

He was indicted by a federal grand jury in Portland in February 2024 and is scheduled to be sentenced in September 2026. He faces a maximum of 15 years in prison across two charges, plus fines of $250,000 on each. As part of his plea, he has agreed to pay back more than $1.1 million.

For ordinary people, the practical takeaway is small but real. If your employer still lets staff log in to email or remote systems with just a password, push for a second factor. That single change would have kept a lot of Ryuk's victims out of the headlines.

© 2026 Threat Vectr