ThommessenFlow Find people
Legal developments

Just in time for the holiday season – Insights into how ransomware groups operate

Getty Images 622180676

A recent report from cyber threat intelligence specialists PRODAFT provides insights into how the infamous ransomware group Conti, operates. These insights are especially valuable at a time of the year when the frequency of cyberattacks typically increase due to the holiday season, which is further exacerbated in light of the newly disclosed Log4j vulnerability.

Ransomware attacks, Log4j and Conti

Ransomware attacks are typically carried out by gaining unauthorized access to a company's IT systems and encrypting the company's data. This enables the threat actor to demand a ransom for decrypting the data, with payment to be effected by cryptocurrency. The perpetrator may also threaten to make the target company's data publicly available, if the ransom is not paid.

Java-based Log4j is one of the most popular software libraries used online and is accessed by hundreds of millions of devices globally. A critical security issue recently disclosed in Log4j has cybersecurity experts raising alarms about new ransomware being deployed via the vulnerability, which will take months to fix.

Conti is currently one of the major ransomware groups. The group is responsible for some of the largest ransomware attacks which have been carried out these last years, including the ransomware attack against Ireland's Health Service Executive and Department of Health. PRODAFT have been researching the group for months in collaboration with international law enforcement, and have shared their findings from the report with the Thommessen CyberHub in a closed briefing.


As further explained in the report, the researchers managed to detect a vulnerability in certain command and control servers which Conti uses (read the full, public version of the report here). This enabled them to gain valuable insights into Conti's operations, including how Conti carries out so-called "Semi-Automated Ransomware" (SAR) attacks. As opposed to "Fully Automated Ransomware" (FAR) attacks, SAR attacks have manual interactions/communications between the threat actors and their victims.

One of the report’s most significant findings, is that Conti operates on the basis of a "Ransomware-as-a-Service" (RaaS) model. Conti offers its affiliates malware, tools, user manuals as well as recommendations on which applications to use when carrying out ransomware attacks. As payment for its services, the key stakeholders at Conti (i.e. the RaaS owners) receive a share of the ransom which Conti's affiliates are paid from its victims.

The RaaS model has several implications that are remarkable from a legal standpoint. Firstly, the report indicates that the RaaS groups are operating in the manner of organized crime cartels by actively recruiting new affiliates and members. These affiliates are provided with training and state of the art malware and tools normally used only by governments and corporate cyber consultancies. As a result, the extended group is able to launch more frequent and sophisticated ransomware attacks.

Another valuable insight is how the group negotiates ransoms with their victims. Victims that try to retrieve their data and systems by other means than paying a ransom, are threatened by the perpetrator that they will make the victim's data publicly available, and thereby expose the company to loss of business, lawsuits and sanctions from regulators (e.g. for GDPR infringements). The criminals are, in other words, well aware of the commercial and regulatory landscape in which their victims operate, and that the potential legal consequences of a data breach often surpass the risk of loss of data.

Thommessen CyberHub – A one-stop-shop for cyberassurance services

Thommessen has created Thommessen CyberHub, where we have teamed up with international experts on cybersecurity and attack emulation to form a one-stop-shop for cyberassurance services for our clients. Through the Thommessen CyberHub we offer our clients access to tools and expertise to increase their understanding of the threat landscape, be better prepared and reduce their digital exposure. In the event of an incident, we provide practical and legal assistance to minimize the impact.

If you wish to learn more about Thommessen CyberHub and our cyberassurance offerings, please contact us at or!

Contact persons