A foreign national, Vardanyan, has pleaded guilty in a U.S. federal court to conspiracy and computer fraud charges for his participation in a series of Ryuk ransomware attacks. According to the U.S. Department of Justice, the conspiracy ran from 2019 to 2020 and successfully extorted approximately 1,610 bitcoins, valued at over $15 million at the time, from victim organizations in the United States. The defendant, who was extradited to the U.S., admitted to his role in deploying the ransomware and managing the extortion process. The case underscores the continued efforts by law enforcement to hold ransomware actors accountable for their crimes.
The case revolves around the operations of a cell using the Ryuk ransomware, a notorious malware family known for targeting large enterprises in so-called "big game hunting" campaigns. The actors would gain initial access to a victim's network, often through other malware droppers like TrickBot or BazarLoader, perform reconnaissance and lateral movement, and then deploy Ryuk to encrypt critical systems for maximum impact.
While the court documents did not provide a deep technical dive, the operational model of Ryuk campaigns during this period is well-documented. The typical attack chain involved:
.RYK extension and dropping a ransom note (RyukReadMe.txt) in each directory.Based on typical Ryuk operations from that era:
T1486 - Data Encrypted for Impact: The core activity of the Ryuk ransomware.T1078 - Valid Accounts: Used for lateral movement and deployment after initial credential compromise.T1562.001 - Impair Defenses: Disable or Modify Tools: Ryuk and its precursors often attempted to disable security software.T1490 - Inhibit System Recovery: Attackers frequently deleted volume shadow copies to prevent easy restoration.T1021.002 - Remote Services: SMB/Windows Admin Shares: Commonly used to spread the ransomware across the network.The impact on victims was severe. The encryption of hundreds of servers and workstations would cause a complete shutdown of business operations. One victim, a Michigan-based company, paid over $1.1 million in ransom. Beyond the financial cost of the ransom, victims faced extensive recovery expenses, business interruption losses, and reputational damage. The targeting of a school district also highlights the disruption to essential public services. The total extortion of over $15 million from the victims mentioned underscores the significant financial damage inflicted by this single conspiracy.
No specific file hashes, IP addresses, or domains were provided in the source articles.
To detect activity associated with Ryuk and similar ransomware families, security teams can hunt for these patterns:
RyukReadMe.txt*.RYKvssadmin.exe delete shadows /all /quietPsExec.exe445/tcpBloodHound for reconnaissance.Train users to identify and report phishing emails, which are a common initial access vector for ransomware.
Segment the network to contain breaches and prevent ransomware from spreading from workstations to critical servers.
Strictly control and monitor administrative accounts to prevent attackers from gaining the privileges needed to deploy ransomware widely.
Deploy and maintain endpoint protection solutions to detect and block known malware droppers and ransomware executables.
The Ryuk ransomware conspiracy targeting U.S. firms begins.
The documented period of the Ryuk conspiracy ends.
Vardanyan pleads guilty in a U.S. federal court.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.