A 34-year-old Armenian national pleaded guilty July 9, in federal court in Portland to conspiracy and computer fraud charges tied to ransomware attacks that struck an Oregon technology company and five other U.S. targets.

Karen Serobovich Vardanyan admitted to deploying Ryuk ransomware, which encrypts files until victims pay a ransom, against five companies and a private school between March 2019 and September 2020, according to the U.S. Attorney's Office for the District of Oregon.

The Oregon victim, described by federal prosecutors as "a technology company operating in Oregon," had at least 15 workstations compromised and company credentials and data stolen. Prior news accounts reported by OregonLive linked the attack to a Norsk Hydro plant in the Portland area that was forced to switch to manual operations in 2019. Prosecutors have not publicly confirmed that connection. The plant did not pay the ransom.

$15 million extortion scheme

Vardanyan and three accomplices accessed hundreds of computer servers and workstations across the six targets in Oregon, Virginia, Michigan, Pennsylvania, California, and Texas, federal prosecutors said.

The group collected approximately 1,610 Bitcoin, worth about $15 million, through their extortion scheme, according to the U.S. government. In one case, a Michigan company paid 200 Bitcoin valued at $1.1 million to restore network access. A Pennsylvania company paid 1,300 Bitcoin after 100 servers were compromised in September 2020.

As part of his plea agreement, Vardanyan agreed to pay more than $1.1 million in restitution. He faces sentencing Tuesday, September 22, in Portland federal court.

Three co-conspirators not in custody

Vardanyan was extradited from Ukraine to the United States in 2025. Three alleged accomplices have not been taken into custody: Levon Georgiyovych Avetisyan, an Armenian national believed to be in France, and two Ukrainian nationals, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko.

No other defendants have been convicted in the case, according to court records. With three alleged accomplices still free, the U.S. Attorney's Office has not indicated the investigation is closed.

Businesses that suspect a ransomware attack can contact the FBI's Portland field office or file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov.