Ryuk Ransomware Conspirator Pleads Guilty in U.S. Court

Ryuk Ransomware Operator Pleads Guilty to $15M Extortion Scheme

HIGH
July 13, 2026
5m read
RansomwareThreat ActorCyberattack

Related Entities

Products & Tech

Bitcoin

Other

Ryuk Vardanyan

Full Report

Executive Summary

A foreign national, Vardanyan, has pleaded guilty in a U.S. federal court to conspiracy and computer fraud charges for his participation in a series of Ryuk ransomware attacks. According to the U.S. Department of Justice, the conspiracy ran from 2019 to 2020 and successfully extorted approximately 1,610 bitcoins, valued at over $15 million at the time, from victim organizations in the United States. The defendant, who was extradited to the U.S., admitted to his role in deploying the ransomware and managing the extortion process. The case underscores the continued efforts by law enforcement to hold ransomware actors accountable for their crimes.


Threat Overview

The case revolves around the operations of a cell using the Ryuk ransomware, a notorious malware family known for targeting large enterprises in so-called "big game hunting" campaigns. The actors would gain initial access to a victim's network, often through other malware droppers like TrickBot or BazarLoader, perform reconnaissance and lateral movement, and then deploy Ryuk to encrypt critical systems for maximum impact.

  • Threat Actor: Vardanyan and unnamed co-conspirators.
  • Malware: Ryuk ransomware.
  • Victims: U.S. companies and a school district, with specific victims mentioned in Michigan, Oregon, and Texas.
  • Motive: Financial gain through extortion.
  • Timeline: 2019 - 2020.

Technical Analysis

While the court documents did not provide a deep technical dive, the operational model of Ryuk campaigns during this period is well-documented. The typical attack chain involved:

  1. Initial Access: Often achieved via phishing campaigns that delivered first-stage malware like Emotet or TrickBot.
  2. Reconnaissance & Lateral Movement: Once inside the network, the operators used tools like Cobalt Strike and BloodHound to map the internal network, identify critical assets like domain controllers and backup servers, and escalate privileges.
  3. Payload Deployment: After gaining domain administrator credentials, the attackers used tools like PsExec or Group Policy to push the Ryuk ransomware executable to hundreds of servers and workstations simultaneously.
  4. Impact: Ryuk would encrypt files on the compromised systems, appending a .RYK extension and dropping a ransom note (RyukReadMe.txt) in each directory.
  5. Extortion: The ransom note instructed the victim to contact the attackers via email to negotiate the ransom payment, which was demanded in Bitcoin.

MITRE ATT&CK Mapping

Based on typical Ryuk operations from that era:

Impact Assessment

The impact on victims was severe. The encryption of hundreds of servers and workstations would cause a complete shutdown of business operations. One victim, a Michigan-based company, paid over $1.1 million in ransom. Beyond the financial cost of the ransom, victims faced extensive recovery expenses, business interruption losses, and reputational damage. The targeting of a school district also highlights the disruption to essential public services. The total extortion of over $15 million from the victims mentioned underscores the significant financial damage inflicted by this single conspiracy.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

To detect activity associated with Ryuk and similar ransomware families, security teams can hunt for these patterns:

Type
file_name
Value
RyukReadMe.txt
Description
The default name of the ransom note dropped by Ryuk.
Context
File system monitoring, EDR
Type
file_name
Value
*.RYK
Description
The file extension appended to files encrypted by Ryuk.
Context
File system monitoring, EDR
Type
command_line_pattern
Value
vssadmin.exe delete shadows /all /quiet
Description
Command used to delete Volume Shadow Copies to hinder recovery.
Context
Process creation logs (Event ID 4688), EDR
Type
process_name
Value
PsExec.exe
Description
Often used by attackers to remotely execute the ransomware binary on multiple systems.
Context
EDR, Process creation logs
Type
network_traffic_pattern
Value
445/tcp
Description
A surge in SMB traffic across the network can indicate lateral movement and payload distribution.
Context
Netflow data, NIDS

Detection & Response

  • Behavioral Detection: Deploy EDR solutions capable of detecting ransomware-like behavior, such as rapid file modification, deletion of shadow copies, and attempts to disable security tools. This aligns with D3-PA: Process Analysis.
  • Canary Files: Place decoy files (canaries) on file shares and endpoints. Monitor these files for any modification, and trigger a high-priority alert if they are touched, as this is a strong indicator of ransomware activity.
  • Active Directory Monitoring: Monitor for anomalous activity in Active Directory, such as the creation of new high-privilege accounts, or the use of tools like BloodHound for reconnaissance.

Mitigation

  • Backup and Recovery: Maintain offline, immutable, and regularly tested backups. This is the single most effective defense against extortion. Ensure backups are isolated from the primary network so they cannot be deleted or encrypted by attackers.
  • Network Segmentation: Segment networks to prevent attackers from moving laterally. A workstation compromise should not easily lead to a domain controller compromise. This is a form of D3-NI: Network Isolation.
  • Phishing Protection: Implement robust email security to block the initial delivery of malware like Emotet and TrickBot. Provide user training to recognize and report phishing attempts.
  • Privileged Access Management (PAM): Strictly control and monitor the use of administrative privileges. Use just-in-time access and enforce multi-factor authentication for all administrative accounts.

Timeline of Events

1
January 1, 2019
The Ryuk ransomware conspiracy targeting U.S. firms begins.
2
December 31, 2020
The documented period of the Ryuk conspiracy ends.
3
July 12, 2026
Vardanyan pleads guilty in a U.S. federal court.
4
July 13, 2026
This article was published

MITRE ATT&CK Mitigations

Train users to identify and report phishing emails, which are a common initial access vector for ransomware.

Segment the network to contain breaches and prevent ransomware from spreading from workstations to critical servers.

Strictly control and monitor administrative accounts to prevent attackers from gaining the privileges needed to deploy ransomware widely.

Deploy and maintain endpoint protection solutions to detect and block known malware droppers and ransomware executables.

Timeline of Events

1
January 1, 2019

The Ryuk ransomware conspiracy targeting U.S. firms begins.

2
December 31, 2020

The documented period of the Ryuk conspiracy ends.

3
July 12, 2026

Vardanyan pleads guilty in a U.S. federal court.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

RyukRansomwareCybercrimeDOJBitcoinExtortion

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.