All incidents

Ryuk ransomware member pleads guilty to attacks on U.S. organizations

campaignopenJul 11, 2026 — Jul 12, 2026
Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations

KAREN Serobovich Vardanyan, a 34‑year‑old Armenian national, pleaded guilty in a United States district court to his role in Ryuk ransomware attacks that hit American organisations between 2019 and 2020, after being extradited from Ukraine following his arrest in 2025 (Justice Department announcement). He admitted to helping co‑conspirators gain unauthorised entry to corporate networks, deploy the ransomware and demand payment in Bitcoin for decryption keys. The case marks one of the first successful prosecutions of a Ryuk affiliate in the United States.

Ryuk typically gains a foothold through spear‑phishing emails that carry malicious links or weaponised documents, which then drop a TrickBot or BazarLoader module to harvest credentials. Once inside, attackers use tools such as Mimikatz to extract passwords, move laterally via SMB and Windows admin shares, and disable security services before encrypting files with a strong RSA‑AES hybrid scheme. Victims are presented with a ransom note directing them to pay a Bitcoin amount that varies with the size of the compromised network.

In the incidents tied to Vardanyan, a Michigan‑based company reportedly paid 200 Bitcoin to regain access to its data, while a school district in Texas also met the ransom demand. Investigators estimate that the broader Ryuk operation associated with the group collected roughly 1 610 Bitcoin, a sum that exceeded fifteen million US dollars at the time of the attacks. The guilty plea includes an agreement to pay over one million US dollars in restitution to the affected victims.

Ryuk is operated under the auspices of the Wizard Spider cybercrime syndicate and has been linked to other ransomware families such as Conti through shared code and infrastructure. Law‑enforcement actions in recent years, including the takedown of TrickBot infrastructure and sanctions against cryptocurrency mixers, have pressed the group but have not eradicated it. Vardanyan’s plea underscores the growing willingness of authorities to pursue individuals who facilitate ransomware campaigns, even when they operate from abroad.

Defenders should enforce multi‑factor authentication on all remote access points, especially RDP and VPN services, and limit privileged account use to reduce the chance of credential theft. Regularly scheduled, offline backups that are tested for integrity provide the most reliable recovery path without yielding to extortion. Network segmentation, coupled with strict SMB restrictions, can hinder lateral movement, while endpoint detection and response tools tuned to detect Mimikatz usage and unusual PowerShell activity help spot the early stages of a Ryuk intrusion.

Organisations are encouraged to share indicators of compromise with sector‑specific ISACs and to maintain an up‑to‑date incident response plan that includes communication protocols with law‑enforcement agencies. Continuous monitoring for the Bitcoin addresses and wallet clusters associated with the Ryuk operation, as well as for the specific ransom note hashes, can aid in early detection. By combining technical controls with proactive threat intelligence, businesses can lower the likelihood of falling victim to similar ransomware schemes.

Intelligence briefing updated Jul 12, 2026

Ryuk
Root sourcewww.justice.gov
Timeline Coverage

Swipe to explore timeline