FBI Accuses Man of Identifying Exploitable Flaws in Victims’ Networks for Group
An Armenian national accused by the FBI of facilitating Ryuk ransomware attacks against numerous organizations is due to stand trial in the United States.
Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the U.S. on June 18, the U.S. Department of Justice said on Wednesday.
At his arraignment on June 20, Vardanyan pleaded not guilty to three charges: conspiracy, fraud and extortion in connection with computers. If convicted, he faces a maximum prison sentence of five years for each count.
The defendant remains detained pending the start of his seven-day trial by jury, scheduled to begin on Aug. 26 in federal court in Portland, Ore.
The DOJ on Wednesday also named three of Vardanyan’s alleged co-conspirators, saying they have been charged with conspiracy, fraud and extortion in connection with computers:
- Levon Georgiyovych Avetisyan, 45, an Armenian national who has been arrested in France on the conspiracy, fraud and extortion charges filed against him by the U.S., which has requested his extradition from French authorities;
- Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, both 53-year-old Ukrainian nationals, who remain at large.
The FBI has accused them of hacking into numerous organizations from March 2019 through September 2020, and installing Ryuk ransomware on servers and workstations. The ransomware crypto-locked systems, after which the attackers demanded a ransom for a promise to provide victims with a working decryption tool.
“Vardanyan and co-conspirators are alleged to have received approximately 1,610 bitcoins in ransom payments from the victim companies, which was valued at over $15 million at the time of payment,” the DOJ said.
Ukrainian police, without then naming Vardanyan, first announced his arrest on June 18 (see: Ukraine Extradites Suspected Ransomware Group Member to US).
Police said his arrest built on searches of 80 properties and the seizure of devices and cryptocurrency assets worth more than $500,000, leading to Vardanyan’s identification.
Authorities accused him of identifying exploitable vulnerabilities in potential victims’ networks. “The data obtained by the hacker was used by his accomplices to plan and carry out cyberattacks,” police said, according to a machine translation.
Police have made multiple arrests as part of their investigation into the wider Ryuk-wielding group. That included a first round of searches, seizures and arrests in October 2021 of 12 “high-value targets” in both Ukraine and Switzerland.
In the next wave of the investigation in late 2023, Ukrainian police said they arrested “the 32-year-old leader of the hacker group and his four most active accomplices,” with the assistance of law enforcement agencies in the United States, Norway, the Netherlands, Germany and France.
“Through the analysis of the information obtained as a result of the investigative actions, it was possible to additionally identify a 33-year-old member of the group who was engaged in searching for vulnerabilities in the corporate networks of the victim companies,” Ukrainian police said of Vardanyan’s arrest.
The Ryuk ransomware operation is no more, at least in name.
The crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot – aka Wizard Spider – by the end of 2021.
The hundreds if not thousands of organizations allegedly hit by Ryuk-wielding attackers ranged from U.S. federal maritime facilities and the city of New Orleans to Norwegian aluminum giant Norsk Hydro and the Dutch arm of a U.S.-based chemical company. The latter reportedly paid a ransom of 450 bitcoins, then worth $1.3 million.
Ransomware operations continue to come and go in name, while many of the operators and affiliates involved remain the same. How many former members of the Ryuk operation might still be active isn’t clear.
Conti itself appears to have disbanded in 2022, after its operators’ disastrous decision to publicly back President Vladimir Putin’s war of conquest against Ukraine led many victims to decline to pay it any ransom. Before disappearing, Conti spawned multiple spinoffs, including Akira, Black Basta, Hive and Royal.
Of those, Akira continues to be tied to numerous attacks, says a new report from BlackFog. From April to June, it said Akira listed 136 victims on its data-leak site, second to Qilin’s listing of 209 victims, suggesting that both rank among the currently most active ransomware groups (see: Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them).