Data Breaches

Vilhelmina and Dorotea Municipalities Hit by Ransomware Attack Amid Regional Wave

4 Min Read / April 16, 2026

Vilhelmina and Dorotea municipalities in Västerbotten were hit by ransomware attacks on April 9, 2026 forcing both councils to activate crisis protocols and revert to paper-based operations. Dorotea went into stabsläge, emergency mode, as attackers encrypted municipal systems overnight while Vilhelmina’s kommunchef Christer Staaf confirmed his municipality appears to be “part of a larger IT attack” affecting multiple councils across Sweden.

Both municipalities filed police reports according to SVT Västerbotten. Dorotea’s kommunchef Olli Joenväärä confirmed his council was hit by “a so-called ransomware attack” but said no ransom demand had been paid. Åsele municipality was also affected but in limited scope with internal system disruptions that did not impact public services.

The Attack Brought Municipal Services to a Halt

The immediate impact was severe across both municipalities. Vilhelmina’s website, e-services and telephone exchange all failed initially, though the exchange was restored by afternoon on April 9. Broadband services for municipal network customers were progressively shut down throughout the day as a containment measure. According to Staaf, “all municipal operations are running as usual” but social services faced the biggest disruption, unable to access critical systems despite maintaining internal communications and phone service.

Dorotea’s response focused on maintaining essential services including home care and childcare despite the systems outage. “We have to use pen and paper, it’s a bit more difficult, but we have trained for this for several years,” Joenväärä told SVT. The municipality’s broadband network remained unaffected allowing some continuity of operations while internal systems were rebuilt.

Recovery timeframes remain uncertain. Joenväärä warned that “from experience with other municipalities, it can take several weeks” to restore full functionality. The attacks highlight how dependent Swedish local government has become on digital infrastructure and how vulnerable that makes essential services when systems fail.

Part of a Broader Pattern Against Swedish Municipalities

The Västerbotten attacks follow a wave of ransomware incidents targeting Swedish local government. In August 2025, a ransomware attack on IT supplier Miljödata paralysed around 200 municipalities which is roughly 70% of Sweden’s total, when attackers encrypted HR systems used to manage sick leave, medical certificates and rehabilitation plans. That incident demonstrated the systemic risk created when multiple councils depend on a single IT supplier.

The Miljödata breach exposed how concentrated Sweden’s municipal IT infrastructure has become. Police confirmed attackers demanded 1.5 bitcoins (approximately €144,000) in that case, a relatively small ransom that suggested opportunistic criminals rather than major ransomware operations. No group claimed responsibility for either the Miljödata attack or the current Västerbotten incidents.

Swedish municipalities have become attractive targets partly because of their operational constraints. Unlike private companies, councils cannot simply shut down services when systems fail, they must maintain childcare, social services and other essential functions regardless of IT outages. That operational reality makes them willing to pay ransoms rather than endure extended downtime which criminal groups have learned to exploit.

What This Means for Other Swedish Councils

The pattern emerging across Swedish local government is clear, ransomware groups are systematically targeting municipal IT infrastructure because the combination of operational necessity and limited technical resources makes councils predictable targets. The Miljödata incident proved that supply chain attacks can cascade across dozens of municipalities simultaneously while the Västerbotten attacks show that direct targeting of individual councils remains effective.

Swedish municipalities that have not yet implemented robust offline backup systems and incident response protocols should treat these attacks as an early warning. The “pen and paper” contingency that Dorotea had already rehearsed may be the difference between maintaining essential services and complete operational shutdown when ransomware hits. Most importantly, councils should audit their IT supplier dependencies to understand whether a single breach could cascade across multiple critical systems.