Nordic Choice Hotels

In December 2021, Nordic Choice Hotels, a major Scandinavian hotel chain, fell victim to a Conti ransomware attack that severely disrupted operations across multiple locations. The attack encrypted critical systems, forcing the company to halt bookings, check-ins, and other essential services for an extended period. The exact financial losses were not disclosed, but the operational downtime, which fell during peak travel seasons, resulted in significant revenue loss, reputational damage, and recovery costs. The Conti group, known for its double-extortion tactics, likely exfiltrated sensitive guest and corporate data before encrypting systems, though no data leak specific to Nordic Choice was publicly confirmed. The attack underscored the hospitality sector's vulnerability to ransomware, particularly where IT infrastructure is centralized. Conti's exploitation of high-profile vulnerabilities (e.g., Log4j) and aggressive negotiation tactics exacerbated the crisis, in line with the group's broader campaign against global critical infrastructure.

Source: https://hackread.com/ukraine-conti-ransomware-extradite-us-ireland/

TPRM report: https://www.rankiteo.com/company/nordicchoice

{
  "id": "nor5732257103125",
  "linkid": "nordicchoice",
  "type": "Ransomware",
  "date": "12/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'public administration',
                        'location': 'Louisiana, USA',
                        'name': 'Fourth District Court of Louisiana',
                        'type': 'government/judicial'},
                       {'industry': 'primary/secondary education',
                        'location': 'Fort Lauderdale, Florida, USA',
                        'name': 'Broward County Schools',
                        'type': 'education'},
                       {'industry': 'hospitality',
                        'location': 'Scandinavia (Norway, Sweden, Denmark, '
                                    'Finland)',
                        'name': 'Nordic Choice Hotels',
                        'type': 'private'},
                       {'industry': 'food manufacturing',
                        'location': 'United Kingdom',
                        'name': 'KP Snacks',
                        'size': 'second-largest snack maker in the UK',
                        'type': 'private'},
                       {'industry': 'energy/manufacturing',
                        'location': 'Germany',
                        'name': 'Nordex',
                        'type': 'private'},
                       {'customers_affected': ['high-profile clients, '
                                               'including members of royal '
                                               'families (Saudi Arabia, UAE, '
                                               'Qatar)'],
                        'industry': 'luxury retail (jewelry)',
                        'location': 'United Kingdom',
                        'name': 'Graff',
                        'type': 'private'}],
 'attack_vector': ['exploitation of vulnerabilities (Log4j, ProxyShell)',
                   'phishing/social engineering (likely)',
                   'malware distribution'],
 'customer_advisories': ['Graff issued notifications to affected high-profile '
                         'clients (2021)'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'number_of_records_exposed': ['thousands (Graff breach)',
                                               None],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (includes PII of royal family '
                                        'members and luxury clients)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'corporate data',
                                              'client records (including '
                                              'high-profile individuals)']},
 'date_publicly_disclosed': '2024-09-10',
 'description': 'A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, '
                'accused of helping run the Conti ransomware operation, has '
                'been extradited from Ireland to the US to face charges. The '
                'Conti group conducted over 1,000 attacks globally between '
                '2020 and 2022, extorting approximately $150 million in ransom '
                'payments. Lytvynenko allegedly managed stolen data and sent '
                'ransom notes during attacks. The group exploited '
                'vulnerabilities like Log4j and ProxyShell, targeting '
                'high-profile entities such as Graff, KP Snacks, Nordex, '
                'Nordic Choice Hotels, Broward County Schools, and the Fourth '
                'District Court of Louisiana. An insider leak in 2022 exposed '
                "internal operations, leading to the group's fragmentation. "
                'Lytvynenko faces charges of conspiracy to commit computer '
                'fraud and wire fraud, with potential penalties of up to 25 '
                'years in prison.',
 'impact': {'brand_reputation_impact': ['severe (high-profile targets, '
                                        'including luxury brands and public '
                                        'sector entities)',
                                        'public apology issued after Graff '
                                        'data leak'],
            'data_compromised': True,
            'downtime': True,
            'financial_loss': '$150,000,000 (total ransom payments collected '
                              'by Conti)',
            'identity_theft_risk': ['high (PII of high-profile clients exposed '
                                    'in Graff breach)'],
            'legal_liabilities': ['ongoing legal proceedings against '
                                  'Lytvynenko',
                                  'potential fines/penalties for affected '
                                  'entities'],
            'operational_impact': True,
            'systems_affected': True},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['exploited vulnerabilities (Log4j, '
                                           'ProxyShell)',
                                           'phishing/social engineering '
                                           '(likely)'],
                           'high_value_targets': ['luxury retailers (Graff)',
                                                  'critical infrastructure',
                                                  'public sector (courts, '
                                                  'schools)',
                                                  'manufacturing (Nordex, KP '
                                                  'Snacks)']},
 'investigation_status': "ongoing (Lytvynenko's trial pending; broader Conti "
                         'investigations continue)',
 'lessons_learned': ['Insider threats can significantly disrupt cybercriminal '
                     'operations (e.g., m1Geelka leak).',
                     'Exploitation of widely known vulnerabilities (e.g., '
                     'Log4j, ProxyShell) remains a major attack vector.',
                     'High-profile targets increase reputational and legal '
                     'risks for ransomware groups.',
                     'International law enforcement collaboration is critical '
                     'for dismantling cybercrime networks.'],
 'motivation': ['financial gain', 'cybercrime'],
 'post_incident_analysis': {'corrective_actions': ['International law '
                                                   'enforcement collaboration '
                                                   '(e.g., Operation Endgame) '
                                                   'to dismantle ransomware '
                                                   'infrastructure.',
                                                   'Prosecution of key Conti '
                                                   'members (e.g., Lytvynenko) '
                                                   'to disrupt operations.',
                                                   'Public disclosure of '
                                                   "Conti's tactics to raise "
                                                   'awareness and improve '
                                                   'defenses.',
                                                   'Encouragement for '
                                                   'organizations to adopt '
                                                   'zero-trust architectures '
                                                   'and multi-factor '
                                                   'authentication.'],
                            'root_causes': ['Exploitation of unpatched '
                                            'vulnerabilities in widely used '
                                            'software (Log4j, ProxyShell).',
                                            'Lack of robust cybersecurity '
                                            'measures in targeted '
                                            'organizations (e.g., Broward '
                                            'County Schools, Nordic Choice '
                                            'Hotels).',
                                            'Sophisticated social engineering '
                                            'and malware distribution tactics '
                                            'by Conti actors.',
                                            'Internal disputes and '
                                            'underpayment of affiliates led to '
                                            'insider leaks (m1Geelka).']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_paid': '$150,000,000 (total across all Conti attacks)',
                'ransomware_strain': 'Conti'},
 'recommendations': ['Organizations should prioritize patching known '
                     'vulnerabilities (e.g., Log4j, ProxyShell) to prevent '
                     'ransomware attacks.',
                     'Implement robust data encryption and access controls to '
                     'limit the impact of breaches.',
                     'Develop and test incident response plans to improve '
                     'recovery from ransomware attacks.',
                     'Monitor dark web and underground forums for leaked data '
                     'or threats.',
                     'Enhance employee training to detect phishing and social '
                     'engineering attempts.'],
 'references': [{'date_accessed': '2024-09-10',
                 'source': 'US Department of Justice Press Release'},
                {'source': 'FBI Estimates on Conti Ransomware Attacks'},
                {'source': 'Operation Endgame (2025) Arrest Reports'}],
 'regulatory_compliance': {'legal_actions': ['extradition and prosecution of '
                                             'Oleksii Oleksiyovych Lytvynenko '
                                             '(USA)',
                                             'arrest of Conti/LockBit cryptor '
                                             'developer (Ukraine, 2025)']},
 'response': {'communication_strategy': ['public apology issued by Conti after '
                                         'Graff breach',
                                         "US DOJ press release on Lytvynenko's "
                                         'extradition'],
              'law_enforcement_notified': True,
              'third_party_assistance': ['FBI',
                                         'international law enforcement '
                                         '(Ireland, Ukraine)',
                                         'Operation Endgame (2025)']},
 'threat_actor': 'Conti Ransomware Group',
 'title': 'Conti Ransomware Group Member Arrested and Extradited to the US',
 'type': ['ransomware', 'data breach', 'cyber extortion'],
 'vulnerability_exploited': ['Log4j (CVE-2021-44228)',
                             'ProxyShell (CVE-2021-34473, CVE-2021-34523, '
                             'CVE-2021-31207)']}