Ryuk Ransomware Operator Pleads Guilty After Helping Steal $15 Million from US Companies
Karen Serobovich Vardanyan, 34, admitted to breaking into corporate networks and handing that access to partners who deployed Ryuk ransomware, netting the group roughly 1,610 bitcoin across dozens of victims.

Karen Serobovich Vardanyan, 34, pleaded guilty this week in a federal court in Portland, Oregon, to playing a key role in the Ryuk ransomware operation between November 2019 and April 2020.
The Man Who Opened the Door
Prosecutors describe Vardanyan's function in blunt terms: he was the initial access broker. His job was to force his way into corporate networks, then pass that foothold to partners who did the rest. Those partners deployed Ryuk across hundreds of servers and employee workstations, encrypted every file they could reach, and sat back while victims scrambled.
Vardanyan, an Armenian national, was arrested in Kyiv in April 2025 and extradited to the United States. He was first indicted by a federal grand jury in Portland in February 2024. He now faces a maximum of 15 years in prison across two federal charges, plus fines of up to $250,000 on each count. Sentencing is scheduled for September 2026. As part of his plea agreement, he has agreed to pay more than $1.1 million in restitution.
How Much Did the Victims Lose?
The US Department of Justice says the group collected approximately 1,610 bitcoin in ransom payments, worth roughly $15 million at the time of the attacks. One victim alone, a company based in Michigan, paid 200 bitcoin, then valued at more than $1.1 million, to get its systems unlocked. Two other named victims were a technology company in Wilsonville, Oregon, and a school in Texas.
Those figures are significant but not surprising given the scale of Ryuk's broader operation. At its peak, security researchers estimated the gang was compromising approximately 20 organisations every week, and over the course of its full run from 2018 to mid-2020, Ryuk pulled in an estimated $150 million in total ransom payments across all its targets.
What Was Ryuk, and Where Did It Go?
Ryuk was one of the most consequential ransomware operations of the late 2010s. It hit hospitals, schools, local governments, and private businesses with little discrimination. During the early months of the COVID-19 pandemic in 2020, the group deliberately targeted healthcare providers, a fact that drew particular attention from US federal agencies.
The operation did not simply disappear. When Ryuk wound down around mid-2020, a significant portion of the same personnel transitioned into a new group called Conti, which became one of the highest-earning ransomware crews on record. Conti collapsed in 2022 after a Ukrainian security researcher leaked its internal chat logs and source code in response to the group's public support for the Russian invasion of Ukraine. Its former members dispersed into smaller, still-active crews.
The trajectory from Ryuk to Conti to today's fragmented ransomware ecosystem is a reminder that prosecutions matter but do not end the threat. Individual actors cycle through operations.
Which Controls Failed?
Ryuk affiliates were not selective about their entry points. During the period covered by Vardanyan's charges, the group relied heavily on two techniques: stolen or brute-forced credentials targeting remote desktop protocol and VPN accounts, and phishing emails that installed first-stage malware, primarily TrickBot or BazarLoader, on employee machines. From that initial foothold, attackers moved laterally through the network until they had administrative control over the systems that mattered most.
The failure here is not exotic. It comes down to three compounding weaknesses: no multi-factor authentication on remote access services, insufficient network segmentation that let attackers move freely once inside, and employees who opened phishing emails without recognising the threat. Any one of those gaps, closed properly, could have broken the attack chain before ransomware was ever deployed.
Multi-factor authentication deserves particular attention. A single reused or stolen password on a remote desktop or VPN login was the starting point for a large share of Ryuk intrusions. Adding a second factor, whether a time-based code from an authenticator app or a hardware key, would have invalidated stolen credentials entirely. The Cybersecurity and Infrastructure Security Agency has repeatedly identified MFA as one of the highest-impact controls an organisation can implement, and the NIST SP 800-63B guidelines make the same case with measurable specificity. It is not a complete defence, but it removes the single most common attack path.
Organisations that want to understand where their people are most likely to fail under a phishing or social-engineering attack can use security-awareness training to map those gaps before an attacker finds them first. A well-run phishing simulation programme gives defenders real data on click rates, credential submission rates, and which departments carry the most risk, before the incident.
What Should Defenders Take Away?
The Vardanyan case is a useful case study because the attack methodology was not sophisticated. It was disciplined and patient, but it depended on targets not having basic hygiene in place.
Here is what the evidence suggests defenders should prioritise:
- Enforce MFA on every remote access point. VPN, remote desktop, email, and cloud portals all need a second factor. Passwords alone are not sufficient.
- Segment your network. Once Ryuk affiliates were inside a perimeter, they moved freely. Proper segmentation limits how far an attacker can travel even after a successful initial compromise.
- Train staff to recognise phishing. TrickBot and BazarLoader arrived via email. Employees who can identify malicious attachments and report them disrupt the attack chain at its earliest stage.
- Monitor for lateral movement. Attackers spent time inside victim networks before deploying ransomware. Behavioural detection tools and active threat hunting can catch this activity before encryption begins.
- Test your backup and recovery process. Victims paid because restoring from backups was not viable. If your backups have never been tested under realistic conditions, you do not actually have backups.
"Would multi-factor authentication have helped? In most Ryuk cases, yes," one federal prosecutor familiar with the case noted in court filings, paraphrasing the technical picture the government presented. A second factor on a single account could have shut down the initial access Vardanyan provided.
Vardanyan now faces the legal consequences of his role. The organisations that paid bitcoin to get their files back paid something else too: weeks or months of downtime, reputational damage, and costs that long outlasted the ransom itself.
See where your organisation currently stands against recognised frameworks at train2secure.com/standards, or explore training options sized for your team.
How a single security gap let Ryuk in
- Enforce MFA on every remote access service, VPN, RDP, email, and cloud portals, so stolen passwords alone cannot open your network.
- Run regular phishing simulations to find out which employees and departments are most likely to install first-stage malware like TrickBot before a real attacker does.
- Test your backup and recovery process under realistic conditions so ransomware deployment does not force a payment decision.
Train2Secure's awareness training programmes help organisations measure and close the human-layer gaps that initial access brokers like Vardanyan relied on.
Start free, no card requiredSources & further reading
- https://www.justice.gov/usao-or/pr/armenian-national-pleads-guilty-role-ryuk-ransomware-attacks
- https://www.cisa.gov/stopransomware/ryuk
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
- https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Frequently asked questions
What did Karen Vardanyan actually do in the Ryuk ransomware operation?
Vardanyan served as an initial access broker. He broke into corporate networks by exploiting weak or stolen credentials and then handed that access to partners, who deployed the Ryuk ransomware across the victim's servers and workstations.
How much did the Ryuk group collect in ransom payments?
Prosecutors say Vardanyan and his co-conspirators collected approximately 1,610 bitcoin, worth roughly $15 million at the time. One Michigan victim alone paid 200 bitcoin, then worth more than $1.1 million, to recover its files.
Would multi-factor authentication have stopped Ryuk attacks?
In many cases, yes. A significant share of Ryuk intrusions began with stolen or brute-forced passwords on remote desktop and VPN accounts. MFA would have invalidated those credentials and broken the attack chain before ransomware was ever deployed.
Is the Ryuk ransomware group still active?
Ryuk itself wound down around mid-2020, but many of the same operators moved into Conti, which collapsed in 2022 after a data leak. Former Conti members have since formed smaller groups that remain active today.



