Could Your Business Be Next? What the Ryuk Guilty Plea Reveals About “Initial Access”

July 13, 2026
by
Arjun Bhatnagar
deleteme

Most ransomware stories focus on the final punch: files encrypted, ransom note, chaos. This Ryuk guilty plea is a reminder that the real damage often starts earlier—when someone quietly buys their way into a network and hands the keys to the next crew. Prosecutors say Karen Serobovich Vardanyan helped deploy Ryuk after illegally accessing victim systems between November 2019 and April 2020 . One Michigan victim paid 200 BTC (over $1.1M at the time) . Total ransoms tied to the conspiracy: about 1,610 BTC (around $15M then) . He’s scheduled for sentencing in September 2026 , faces up to 15 years across two charges , and agreed to $1.1M+ restitution . If you run a business, the message is blunt: you don’t have to be “special” to be selected. You just have to be reachable.

What the DOJ story is really saying: “initial access” is a product

That “reachable” line in the intro isn’t dramatic. It’s the whole point.

In the Ryuk case, prosecutors say Karen Serobovich Vardanyan illegally accessed victim systems and helped deploy Ryuk ransomware across multiple U.S. organizations between November 2019 and April 2020 . One of those victims was a Michigan company that paid 200 BTC, worth more than $1.1 million at the time . The DOJ also says the conspiracy pulled in about 1,610 BTC total, valued at roughly $15 million back then .

The legal outcomes matter, too, because they show how law enforcement frames the role: Vardanyan was arrested in Kyiv in April 2025, extradited, and is scheduled for sentencing in September 2026  . He faces a maximum of 15 years across two charges and agreed to more than $1.1 million in restitution .

Now the defender takeaway: this wasn’t “random ransomware.” This is what the industry calls initial access.

Initial access, in plain English

Initial access is the first real foothold inside a business network. It’s how the attack goes from “outsider” to “authenticated user” or “remote session.” After that, ransomware operators can move fast.

Think of it like this:

  • Someone quietly gets in (credentials, remote access, a misstep)
  • They prove persistence (so they don’t lose the door they opened)
  • Then they hand it off so the ransomware crew can execute the loud part

That handoff is the scary part. It means access can function like a commodity. One person specializes in breaking in. Another specializes in deploying ransomware at scale. The victim sees one event (“we got hit by Ryuk”), but behind it can be a small supply chain.

Why this looks “repeatable,” not one-off

The DOJ description isn’t about a single machine. It’s about access that scaled to “hundreds of compromised servers and workstations” . That’s what happens when attackers don’t have to improvise their way into a network on the day of the attack. They show up after the groundwork is done.

This is why “initial access brokers” keep coming up in ransomware conversations. Whether the entry was a phish, stolen credentials, or exposed remote access, the business risk is the same: once someone else can buy or reuse entry, your organization becomes a target because it’s convenient—not because it’s famous.

Ryuk’s playbook (2018–2020): speed, scale, and COVID-era pressure

Once attackers have initial access, Ryuk’s advantage was what it did next: it turned one foothold into a business-stopping event, fast.

Ryuk was active from 2018 until mid-2020 and hit organizations across “nearly every sector,” including healthcare providers during the COVID-19 pandemic . That timing matters. During COVID, downtime wasn’t just expensive—it could put patient care and public-facing operations under real pressure. When your systems are tied to scheduling, billing, logistics, or clinical workflows, the “we’ll restore later” option starts to feel impossible.

What “high-impact ransomware” usually looks like after initial access

Most people picture ransomware as a single click that instantly encrypts a few laptops. Ryuk-era operations were closer to an internal takeover that ends with encryption as the final step.

A common sequence looks like this:

  1. Privilege escalation
  • The attacker tries to move from a basic user foothold to admin-level control.
  • This is where weak admin hygiene and over-permissioned accounts get punished.
  1. Credential capture and re-use
  • Once they grab more credentials, they stop “hacking” and start logging in like real staff.
  • That’s why so many ransomware incidents look normal in logs until they don’t.
  1. Lateral movement
  • They hop from the first system to file servers, app servers, and anything that helps them reach more of the environment.
  • The goal is breadth: more machines, more leverage.
  1. Targeting at scale
  • Prosecutors describe deployments on hundreds of compromised servers and workstations .
  • That scale doesn’t happen by accident. It implies time spent mapping your network and lining up a wide blast radius.
  1. Detonation
  • Encryption hits when it hurts most—after they’ve positioned themselves to take out the systems you rely on to operate.

The big lesson from Ryuk’s run is simple: ransomware “speed” is usually the result of quiet prep work. If you’re only looking for the ransom note, you’re watching the last 5 minutes of a job that started days earlier.

The ecosystem evolves: from Ryuk to Conti to splinter crews

Ryuk didn’t need to “win forever” to change the game. It just had to prove the model worked.

After Ryuk shut down in 2020, reporting notes that many members transitioned to the Conti ransomware operation . Conti then disbanded in 2022 after its internal chats and source code were leaked, and members splintered into numerous cybercrime groups, some still active .

That’s the part a lot of businesses miss. When a gang name disappears, the capability doesn’t. It relocates.

What this says about the “initial access” market

If the same people can move from Ryuk to Conti, and then break into smaller crews, it tells you the ecosystem is modular:

  • Access can be sourced separately from execution
  • Tooling and tactics get reused, tweaked, and rebranded
  • The “front door problems” (credentials, remote access, weak identity controls) stay valuable across every rebrand

So the initial access problem didn’t vanish when Ryuk faded. It spread across more hands.

Practical takeaway: stop defending against logos

If your security plan is “watch for Ryuk,” you’re already behind. Defend against the behaviors that show up across ransomware families:

  • Credential abuse: logins that don’t match normal user patterns
  • Remote access misuse: VPN/RDP access that’s too open, too trusted, or poorly monitored
  • Lateral movement: one machine becomes many, quickly, without a good business reason

A good mental shift is this: ransomware groups change names like contractors changing shirts. Your attack surface doesn’t get that luxury. It’s the same exposed login page, the same reused password, the same overpowered account—just a different crew taking advantage of it.

Cut off initial access: a tactical checklist that actually holds up

When crews can rebrand and splinter without slowing down, your best move is boring on purpose: shut down the common entry points and make the “easy path” expensive.

Here’s a prioritized checklist to reduce ransomware initial access risk.

1) Make stolen passwords less useful (phishing-resistant MFA)

If an attacker can log in, they don’t need malware at the front door.

  • Use phishing-resistant MFA for email, VPN, admin portals, and cloud consoles (hardware keys / passkeys where possible).
  • Block “MFA by push” fatigue: tighten prompts, add number matching, review impossible-travel alerts.
  • Turn on conditional access (new device, new country, risky sign-in = step-up auth or block).

2) Lock down remote access (RDP/VPN)

Initial access brokers love exposed remote services because they scale.

  • Don’t expose RDP to the public internet. If you absolutely must use it, gate it behind VPN and strict allowlists.
  • For VPN:
  • Require MFA
  • Remove legacy protocols
  • Limit who can log in and from where
  • Audit remote tools (remote support agents, admin consoles). Kill what you don’t need.

3) Patch what’s exposed, not what’s convenient

Patch management fails when it’s treated like a monthly ritual.

  • Prioritize anything internet-facing: VPN appliances, email gateways, edge firewalls, remote management.
  • Patch “high-value internal” next: domain controllers, virtualization hosts, backup servers.

4) Tighten identity and privilege (least privilege, for real)

Ransomware runs on overpowered accounts.

  • Separate admin accounts from daily work accounts.
  • Remove local admin where you can.
  • Rotate and protect service account secrets.
  • Watch for credential reuse across systems.

5) Detect the moves that happen before encryption (EDR + SIEM)

The DOJ described ransomware deployed across hundreds of servers and workstations in this Ryuk-linked activity . That kind of spread creates signals—if you’re looking.

  • EDR coverage on endpoints and servers (including domain controllers).
  • SIEM alerts for:
  • New admin creation
  • Sudden privilege changes
  • Remote login bursts
  • Lateral movement patterns (lots of SMB/WMI/PsExec-like behavior)
  • Centralize logs so attackers can’t wipe the story.

6) Segment to shrink the blast radius

Assume a foothold will happen. Design so it can’t become an org-wide event.

  • Separate workstations from servers.
  • Split critical apps (ERP/EHR/finance) into tighter zones.
  • Restrict east-west traffic; allow by need, not by habit.

7) Backups attackers can’t delete from inside your domain

Backups that live on the same trusted network often get wiped right before detonation.

  • Keep immutable or offline backups.
  • Protect backup admin accounts like crown jewels.
  • Test restores on a schedule. A backup you haven’t restored is a hope, not a control.

When prevention fails: the “first 60 minutes” plan

This is where teams either contain the incident—or help it spread.

  • Roles, written down: incident lead, IT ops, security, legal, comms, insurer contact.
  • Offline contact list: phone numbers and emails outside your domain.
  • Isolation playbook:
  • Pull affected machines from the network
  • Disable compromised accounts
  • Pause risky automation (like software deployment tools) until verified clean
  • Restore drills: practice rebuilding a critical system from bare metal to “business usable.”

A simple hygiene move that helps: disposable identities for vendor sign-ups

A quiet source of exposure is the long tail of vendor portals and SaaS trials created with employee emails and recycled passwords.

If your team signs up for lots of tools, using Cloaked-style masked emails and phone numbers for non-critical vendor accounts can reduce fallout from credential leaks and unwanted account takeovers. It’s not a security program by itself, but it’s practical hygiene: fewer real identifiers scattered across third parties means less mess when one of them gets breached.

The goal across all of this is straightforward: make initial access hard to get, and make it loud when someone tries.

View all

Can You Protect Your Voter File Privacy by Shrinking What’s Publicly Linked to You?

Data Breaches
by
Arjun Bhatnagar

Why Is Your Inbox Full of Campaign Emails—and How Can a Masked Email Stop It?

Data Breaches
by
Abhijay Bhatnagar

Was Your Driver Data Exposed in the AssuranceAmerica Breach—What Should You Do Next?

Data Breaches
by
Pulkit Gupta