A 34-year-old Armenian national has pleaded guilty in the United States to charges connected to Ryuk ransomware attacks that targeted organizations across the country. Prosecutors say Karen Serobovich Vardanyan participated in a conspiracy that breached corporate networks, deployed ransomware, and extorted victims for cryptocurrency payments.
According to the U.S. Department of Justice, Vardanyan admitted to conspiracy and computer fraud charges after being extradited from Ukraine, where he was arrested in April 2025. Prosecutors allege he was responsible for obtaining initial access to victim networks before Ryuk ransomware was deployed to encrypt servers and workstations.
Court documents state that the attacks took place between November 2019 and April 2020 and affected numerous U.S. companies, including a technology firm based in Oregon. Investigators say the conspirators demanded Bitcoin ransom payments in exchange for restoring access to encrypted systems.
The Justice Department alleges Vardanyan worked with other members of the criminal operation by compromising enterprise networks and preparing them for ransomware deployment. Ryuk operators then encrypted victim systems and demanded large ransom payments, causing significant financial losses and operational disruption.
As part of his plea agreement, Vardanyan acknowledged his role in the conspiracy. He now faces a maximum sentence of 15 years in federal prison, although the final sentence will be determined by a U.S. district judge after considering federal sentencing guidelines and other statutory factors. A sentencing date has not yet been announced.
The investigation was conducted by the FBI with assistance from Ukrainian law enforcement and several international partners. U.S. officials said the case demonstrates the continued cooperation between countries in identifying, arresting, and extraditing individuals accused of participating in international ransomware operations.
Ryuk emerged as one of the most damaging ransomware families in recent years, targeting businesses, healthcare providers, government agencies, and other organizations worldwide. The malware has been linked by researchers to the cybercriminal ecosystem surrounding the TrickBot malware and later influenced the development of the Conti ransomware operation. Authorities have spent several years pursuing individuals believed to have participated in those attacks through coordinated international investigations.