Skip to content
feed: live
>_ 0dayNews
ransomware
Analysis

A Ryuk operator pleads guilty, six years after wind-down

Karen Vardanyan pleaded guilty in Portland to Ryuk-era conspiracy charges from 2019-2020. Sentencing is set for September. A note on how long the pipeline actually takes.

kilobaud Dave "Kilobaud" Ferris · Published · 3 min read

Karen Serobovich Vardanyan, a 34-year-old Armenian national, pleaded guilty in a Portland federal courtroom to conspiracy charges tied to the deployment of Ryuk ransomware against U.S. victims between November 2019 and April 2020. He was arrested in Kyiv in April 2025 and extradited to the United States. According to BleepingComputer’s writeup of the plea, the Department of Justice says he and accomplices “illegally accessed computer networks of victim companies and deployed ransomware on hundreds of compromised servers and workstations.” Sentencing is scheduled for September 2026, with a maximum of 15 years across two counts and a $250,000 fine per count.

Analysis. This is a plea deal, not a breach — commentary on the shape of the prosecution timeline, not a report of any live risk.

What is in the indictment

The victim list named in the filings is short and mostly familiar in kind rather than name. A Michigan-based company paid 200 bitcoin — worth just over $1.1 million at the time — to recover its network. A technology company in Wilsonville, Oregon, and a school in Texas are also named. The total take across the Ryuk operation’s active window has been reported at roughly 1,610 bitcoins, about $15 million at contemporaneous prices. Vardanyan has agreed to pay more than $1.1 million in restitution.

The indictment itself is not new. A federal grand jury in Portland returned it in February 2024, more than two years ago. The public step this week is the guilty plea, not the charge.

The gap between the acts and the plea

Vardanyan’s charged conduct ran from late 2019 into the spring of 2020. The Ryuk gang as a whole is understood, per the DOJ filing summarized by BleepingComputer, to have operated from 2018 until mid-2020, hitting roughly twenty organizations a week at peak and clearing over $150 million before most of its personnel folded into Conti. From the last of the charged acts to the guilty plea is about six years. From indictment to plea, roughly two and a half. From arrest in Kyiv to plea in Portland, about fifteen months.

None of those numbers are unusual for a cross-border ransomware case, and that is the interesting part. A Ryuk operator pleading guilty in 2026 is not a story about speed. It is a story about the fact that the pipeline still runs at all.

The week’s other reminders

Vardanyan’s plea lands in the same week as two other prosecution stories worth reading beside it. A former ransomware negotiator at incident-response firm DigitalMint was sentenced to 70 months for conspiring with BlackCat affiliates against victims the firm had been hired to help. Interpol’s Operation First Light closed with 5,811 arrests across 97 countries and $293 million in seized assets. Neither is a Ryuk case, and none of the three is going to make any defender’s Tuesday materially easier. Read together, though, they are the shape of an institution — the U.S. Attorney’s Office in Portland, the FBI, Interpol, and their foreign counterparts — grinding on files that started years earlier and clearing them at whatever pace jurisdictions and extradition treaties allow.

Ryuk itself is gone; its personnel have been Conti, then BlackCat, then something else. The industry moved on before the prosecutions arrived. That has never been an argument against the prosecutions.

What this changes for defenders

Nothing operational, in the honest sense. The Ryuk affiliates who are still working are working under other brands, and none of them will change their behavior because of a plea entered by an ex-colleague from two rebrands ago. The near-term ransomware risk on the network you are actually responsible for is unaffected by whatever happens at sentencing in September.

What it does change, for the small population currently deciding whether to take an affiliate slot, is the running estimate of how long the immunity window really is. The answer this week is roughly six years, and it is trending shorter, not longer. That is not a deterrent for everyone. It does not need to be.

The useful thing for the rest of us to notice is that the process is slow, uneven, and real. It is worth reporting when it works.

Found this useful? Share it.