Ryuk Ransomware Operator Extradited to US Amid Global Investigation
Ryuk Ransomware Operator Extradited to the U.S.
Karen Vardanyan, a 33-year-old Armenian national, has been extradited from Ukraine to the United States and faces serious charges related to Ryuk ransomware attacks. His extradition occurred on June 18, 2025, and he was arraigned in federal court on June 20, 2025. Vardanyan is charged with conspiracy, fraud in connection with computers, and extortion in connection with computers. The maximum penalty for each charge includes five years in federal prison and fines up to $250,000.
Image courtesy of U.S. Department of Justice
Between March 2019 and September 2020, Vardanyan and his co-conspirators, including Oleg Lyulyava and Andrii Prykhodchenko, are accused of deploying Ryuk ransomware on hundreds of compromised servers and workstations. Ryuk was notorious for targeting a variety of sectors, including healthcare, local municipalities, and educational institutions, leading to significant operational disruptions.
Victims of Ryuk ransomware included organizations such as:
- Hollywood Presbyterian Medical Center
- Universal Health Services
- Electronic Warfare Associates
- A North Carolina water utility
The total ransom payments received by Vardanyan and his group are estimated to be around 1,610 bitcoins, equivalent to over $15 million at the time.
FBI-Led Global Investigation
The extradition of Vardanyan marks a significant achievement in the ongoing global efforts against ransomware operations. This operation was facilitated through a joint effort involving the FBI, Ukraine’s Cyber Police, and the National Police, which began its investigation in 2023. The FBI had previously identified Vardanyan as a key player in the Ryuk ransomware network.
Image courtesy of Daily Security Review
The Ryuk group primarily targeted large organizations in North America and Europe, focusing on high-value sectors such as healthcare and critical infrastructure during the COVID-19 pandemic. They are estimated to have earned over $150 million from these ransomware attacks.
The arrest of Vardanyan is part of a broader crackdown on ransomware groups, with law enforcement agencies increasingly targeting individuals involved in the initial access phase of these attacks. This phase includes techniques such as phishing, credential stuffing, and exploiting network vulnerabilities, crucial for the further deployment of ransomware by specialized threat actors.
Black Kingdom Ransomware Indictment
Separately, federal prosecutors have indicted Rami Khaled Ahmed, a 36-year-old man believed to be operating out of Yemen. He is accused of deploying the "Black Kingdom" ransomware, infecting approximately 1,500 computer systems across the U.S. and internationally. The indictment includes charges of conspiracy and intentional damage to protected computers.
Image courtesy of U.S. Department of Justice
Ahmed allegedly developed and deployed Black Kingdom ransomware by exploiting vulnerabilities in Microsoft Exchange. His attacks affected various sectors, including a medical billing services company, ski resorts, and school districts, demanding ransom payments of $10,000 in Bitcoin.
The FBI is currently investigating this case with assistance from international law enforcement, highlighting the global nature of ransomware threats.
Summary of Ransomware Landscape
The ransomware landscape continues to evolve, with groups like Ryuk and Black Kingdom adapting their tactics and targeting methods. Organizations must remain vigilant and invest in robust cybersecurity measures to protect against these sophisticated attacks.
For businesses seeking reliable recovery solutions, consider undefined, which offers advanced cybersecurity services tailored to mitigate risks associated with ransomware attacks. Explore our offerings or contact us for more information.