Threats & attacks

What Is Ransomware?

The business guide to ransomware: how attacks work, what they cost and the controls that decide whether you recover.

At a glance
  • What it is: malware that encrypts your systems, usually after stealing your data, then demands payment for both.
  • Who it targets: everyone, but hardest on smaller organisations: 88% of SMB breaches involved ransomware in 2025 (Verizon).
  • How it gets in: unpatched internet-facing systems, stolen logins and phishing.
  • The one control: a tested backup the attacker cannot reach, MFA on everything remote, and never pay (CERT-SE).
Key takeaways
  • Ransomware appeared in 44% of breaches in Verizon’s 2025 report, up from 32% the year before, and in 88% of breaches at small and medium businesses.
  • Claimed attacks rose about 50% in 2025 to a record, yet only 28% of victims paid, an all-time low (Chainalysis, 2026).
  • The mean recovery cost, excluding any ransom, was 1.53 million dollars in 2025 (Sophos).
  • Exploited vulnerabilities were the most common technical root cause in 2025 (Sophos), so patch VPNs and other edge systems first.
  • Most attacks steal data before encrypting, which means backups end the outage but not the extortion.
  • The ransom note is the last step: attackers typically spend days or weeks inside first, and that quiet phase is your detection window.
  • Sweden’s biggest incidents, Coop (2021), Tietoevry (2024) and Miljödata (2025), all arrived through suppliers, two of them over a weekend.
  • Cybersäkerhetslagen (SFS 2025:1506) has required 24-hour incident reporting to MCF (formerly MSB) and made boards accountable since 15 January 2026.
  • CERT-SE and Polisen say never pay; offline tested backups and MFA are the controls that decide the outcome.

What Is Ransomware?

Ransomware is malicious software that locks an organisation out of its own systems and data, usually by encrypting files, until a ransom is paid. Most modern attacks also steal data first and threaten to publish it, so the criminals get paid even when victims restore from backups.

That second part is what changed the crime. Ten years ago ransomware was an IT outage. Today it is an outage, a data breach and a public extortion campaign rolled into one, run by organised groups with negotiators, leak sites and customer support portals.

The scale is no longer a niche concern. Ransomware appeared in 44% of the breaches analysed in Verizon’s 2025 Data Breach Investigations Report, up from 32% the year before, and in 88% of breaches at small and medium businesses. Blockchain analysts at Chainalysis counted a record number of claimed attacks in 2025, up about 50% year on year, even as the share of victims who paid fell to an all-time low of 28%. Fewer victims pay, so the gangs compensate with volume.

Sweden is not watching from the sidelines. In August 2025 a single ransomware attack on the HR supplier Miljödata disrupted roughly 200 of Sweden’s 290 municipalities and regions in one weekend. This guide explains how these attacks work, what they cost, the cases every Swedish decision maker should know and the controls that actually decide the outcome.

How a Ransomware Attack Works

The ransom note is the last step of the attack, not the first. By the time files stop opening, the criminals have usually been inside the network for days or weeks. Understanding the quiet phase is what makes ransomware attacks stoppable.

It starts with access. There are three main doors: an unpatched vulnerability in something facing the internet, a stolen or phished login, or a malicious email attachment. Sophos’s 2025 survey of 3,400 victims found exploited vulnerabilities the most common technical root cause, ahead of compromised credentials and phishing, and Verizon recorded a 34% rise in vulnerability exploitation, concentrated on VPNs and other edge devices. The Tietoevry attack that disrupted Swedish payroll in 2024 came through a VPN flaw that had been patched by the vendor four months earlier.

Then comes the quiet work. The intruders escalate to administrator rights, switch off or uninstall security tools, map the network and locate the backups. Backups are deleted or encrypted first, because a victim who can restore is a victim who will not pay. In parallel, the most valuable data is copied out of the network for the extortion that follows.

Only then does the loud part happen, and almost always at the worst possible hour. Encryption is typically triggered at night or over a weekend, when nobody is watching. Miljödata was hit on a Saturday in August 2025; Tietoevry during the night of 19 to 20 January 2024. Servers and workstations are encrypted in minutes, a note appears with a link to a negotiation portal, and a countdown starts on the gang’s leak site.

Why has this become so easy? Because it is an industry. Ransomware-as-a-service platforms supply the malware and the negotiation infrastructure, while initial access brokers sell ready-made footholds into company networks. Chainalysis reports the average price of that access fell from about 1,427 dollars in early 2023 to 439 dollars in early 2026. The skill now sits in the platform, not the attacker, and that is the uncomfortable truth behind the record attack numbers.

Types of Ransomware Attack

The types of ransomware matter less for the labels than for what each one enables. Six patterns cover almost everything you will meet.

  • Crypto ransomware. The classic form: files and systems are encrypted and a payment is demanded for the key. WannaCry in 2017 was pure crypto ransomware, and it remains the core of most attacks today.
  • Locker ransomware. Locks the whole device or screen without encrypting individual files. Cruder, easier to recover from and now mostly aimed at consumers rather than organisations.
  • Double extortion. Data is stolen before encryption, and the gang demands payment both to unlock systems and to withhold publication. This is the default model today, and it is why backups alone no longer end the incident.
  • Extortion-only attacks. Some groups now skip encryption entirely and simply steal data and threaten to leak it. Still a small share, but growing: in Sophos’s retail data the proportion tripled between 2023 and 2025.
  • Ransomware as a service (RaaS). Not a strain but the business model behind most strains. A core gang rents its malware, infrastructure and negotiation portal to affiliates who carry out the attacks. Qilin, the most active operation of 2025 with more than 800 claimed victims, pays affiliates 80% of ransoms up to 3 million dollars and 85% above that, according to Group-IB research. When police disrupted LockBit in February 2024, its affiliates simply migrated to rivals such as Qilin and Akira, the latter of which CISA says has collected around 244 million dollars.
  • Wipers in disguise. Occasionally the ransom note is theatre and the goal is destruction. NotPetya in June 2017 looked like ransomware but offered no real recovery; shipping giant Maersk put its cost at as much as 300 million dollars.

In practice the taxonomy overlaps, and the same controls counter all of it. What matters is recognising that the criminal on the other end is running a business with margins, staff and a sales funnel.

Business Impact

The ransom is rarely the biggest number. The real cost of a ransomware attack arrives through five distinct mechanisms, and each one deserves its own line in the risk register.

Downtime. When Coop’s checkout systems were encrypted in 2021, most of its roughly 800 stores simply could not take payment. Recovery speed varies enormously: in Sophos’s 2025 survey 53% of victims were fully back within a week, up from 35% the year before, but 18% needed more than a month.

Recovery cost. Sophos puts the mean cost of recovering from an attack, excluding any ransom, at 1.53 million dollars in 2025, down from 2.73 million the year before as organisations respond faster. That covers rebuilding systems, people time, lost business and external specialists.

The ransom itself. Verizon’s 2025 report found a median payment of 115,000 dollars across all victims, while Sophos, whose sample covers organisations with 100 to 5,000 employees, recorded a median payment of 1 million dollars. Demands are negotiable: 53% of Sophos respondents who paid settled below the initial ask.

Regulatory exposure. A ransomware attack in Sweden almost always triggers legal duties, and failures carry fines of up to 10 million euros or 2% of global turnover for essential entities under NIS2, alongside GDPR sanctions if personal data is mishandled. The next section covers the deadlines.

Human and outlier cost. Averages hide the tail. The 2024 attack on NHS supplier Synnovis contributed to a patient’s death, the first officially confirmed in the UK. The August 2025 attack on Jaguar Land Rover caused an estimated 2.5 billion dollars in damage, the costliest cyber incident in British history according to figures cited by Chainalysis. No spreadsheet line captures what those numbers mean, and pretending the tail cannot reach you is not a strategy.

Real-World Cases

Five named cases explain modern ransomware better than any definition, and three of them are Swedish. Each ends with the one control that would have changed the outcome.

WannaCry ransomware, May 2017. A self-spreading worm infected around 200,000 computers in 150 countries in days, according to Europol. In the UK it disrupted at least 80 of 236 NHS trusts, cancelled some 19,000 appointments and cost an estimated 92 million pounds; no NHS body paid. The exploit it used, EternalBlue, had been patched by Microsoft two months earlier, and the US and UK later attributed the attack to North Korea. The control: patching. WannaCry only worked on machines nobody had updated.

Coop and Kaseya, July 2021. The REvil gang pushed ransomware through Kaseya’s VSA management software to IT providers worldwide and demanded 70 million dollars for a universal decryptor. Coop was not even a Kaseya customer, but its point-of-sale supplier was, and most of Coop’s roughly 800 Swedish stores closed because the tills would not work; stores were back within about six days. The control: supplier risk management, and the ability to keep trading when one supplier fails.

Tietoevry and Akira, January 2024. During the night of 19 to 20 January, Akira affiliates encrypted part of a Tietoevry datacentre in Sweden. The Primula payroll system used by more than 30 government authorities and most Swedish universities went down, along with Filmstaden’s ticketing, retailer Rusta and healthcare records in Uppsala County. The entry point was a Cisco VPN vulnerability patched four months earlier, in a campaign that targeted VPN accounts without multi-factor authentication. The control: patch the VPN and enforce MFA on it. Either would likely have stopped it.

Synnovis and Qilin ransomware, June 2024. Qilin affiliates hit the pathology provider for south-east London’s hospitals on 3 June 2024. NHS England recorded 10,152 postponed outpatient appointments and 1,710 postponed procedures; a 50 million dollar demand was refused and about 400 GB of patient data was published. Synnovis reported costs above 32 million pounds, and in June 2025 King’s College Hospital confirmed that a delayed blood test result caused by the attack contributed to a patient’s death. The control: tested continuity plans for critical suppliers, including a manual fallback that keeps core services running.

Miljödata, August 2025. Attackers hit the HR systems supplier used by about 80% of Swedish municipalities, detected on Saturday 23 August. Roughly 200 of Sweden’s 290 municipalities and regions lost access to systems handling medical certificates, rehabilitation plans and workplace injuries, and the extortionists demanded 1.5 bitcoin. When payment was refused, data on more than 1.5 million people was published on the darknet, a figure confirmed by the Swedish Prosecution Authority. The control: security requirements in supplier contracts, and holding suppliers to a minimum on what personal data they store.

Notice the pattern. None of these was defeated or enabled by exotic technology. Every one turned on basics: a missing patch, a missing MFA prompt, an unwatched weekend or an unexamined supplier.

Ransomware and Compliance

In Sweden, how you prepare for and respond to ransomware is now written into law. Four regimes matter, and the clock on each starts the moment you detect the incident.

NIS2 and Cybersäkerhetslagen. Sweden’s new cybersecurity law (SFS 2025:1506) has been in force since 15 January 2026 and transposes the EU’s NIS2 Directive. Article 21 requires exactly the measures that decide ransomware outcomes: continuous monitoring (21.2a), incident handling (21.2b), business continuity and backups (21.2c), supply-chain security (21.2d) and security awareness training (21.2g). Article 20 makes the board personally accountable for approving and overseeing these measures. After an incident, covered organisations must send an early warning to MCF (formerly MSB) and their sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Fines reach 10 million euros or 2% of global turnover for essential entities, and 7 million euros or 1.4% for important entities. Our NIS2 compliance guide covers who is in scope and how to prepare.

GDPR. Because most attacks now involve data theft, a ransomware incident is usually also a personal data breach. Article 33 requires notification to IMY within 72 hours, and even pure encryption can qualify, since losing access to personal data is itself a breach of availability. See our guide to GDPR compliance in Sweden.

DORA. Financial entities face stricter, parallel duties. DORA’s Article 17 requires a full ICT incident management process, supervised in Sweden by Finansinspektionen. Our DORA compliance guide explains the overlap with NIS2.

ISO 27001. Not a law, but the framework auditors, insurers and large customers expect, and its controls map directly onto the defences in the next sections. See ISO 27001 for Swedish organisations.

The practical consequence: reporting readiness is part of ransomware defence. If your first hours are spent finding out who calls MCF, you have already lost them.

How to Spot a Ransomware Attack

Be honest about what spotting means. Once a ransom note appears, detection has failed; the note is the end of the attack. The real opportunity is the quiet phase before encryption, and it shows up in signals like these.

  • New administrator accounts, or existing accounts suddenly gaining privileges.
  • Endpoint protection or EDR tools switched off, reconfigured or uninstalled.
  • Remote-access tools your organisation never approved appearing on systems. CISA notes Akira intrusions use tools such as AnyDesk and LogMeIn to mimic administrators.
  • Backup jobs failing, snapshots vanishing or shadow copies being deleted.
  • Unusually large outbound data transfers to unfamiliar destinations, the signature of exfiltration.
  • Logins at odd hours or from unexpected places, and bursts of PowerShell or scanning between servers, both on CERT-SE’s watch list.

For everyone outside IT, the late signs still matter: files that will not open or carry strange new extensions, a text file or wallpaper demanding payment, or a colleague’s machine locking up. The right response is to report it within minutes and disconnect the machine, not to reboot and hope.

The encouraging news is that early detection works. Sophos found only 50% of attacks in 2025 ended in data encryption, a six-year low, because more victims caught the intruders during the quiet phase. The hard part is that the quiet phase runs at 03:00 on a Saturday, which is an argument for around-the-clock monitoring rather than optimism.

How to Defend Against Ransomware

Every case above was decided by basics. Here is the defence that would have changed each of them, in the order to do it.

  • Patch what faces the internet first. VPNs, firewalls, remote access and backup servers before anything else. Set a days-not-months deadline for critical fixes; the flaw that opened Tietoevry had been patched by the vendor four months earlier.
  • Enforce MFA on every remote login and admin account. Prefer phishing-resistant methods for the most sensitive access, as CERT-SE recommends. A stolen password should never be enough to enter your network.
  • Keep one backup the attacker cannot reach. At least one copy offline or immutable, because intruders with admin rights hunt backups first. Test restoring regularly, and after an incident verify backups are clean before you restore from them.
  • Segment the network and trim privileges. One stolen login should open one room, not the whole building. Least privilege limits how far the quiet phase can spread.
  • Watch around the clock. Endpoint detection tools only help if someone acts on the alert, and Sweden’s biggest incidents landed on weekends. If you cannot staff 24/7 detection yourself, use a managed detection and response service.
  • Put security in supplier contracts. Require patching, MFA, incident notification deadlines and data minimisation from every supplier that touches your systems or data. Coop and 200 Swedish municipalities were hit through suppliers, not their own networks.
  • Train people and rehearse the plan. Staff who report a phishing mail or a locked screen within minutes buy your responders the window that matters. Rehearse the incident plan, including manual fallbacks and who notifies MCF, Polisen and IMY.
  • Decide the ransom question now, not at 04:00. CERT-SE’s position is to never pay: there is no guarantee systems are restored, files are decrypted or the attacker will not return, and Polisen adds that every payment funds organised crime. Check the No More Ransom project for free decryptors before considering anything else.

Start this week with the two controls that decided every case in this guide: patch what faces the internet, and put one tested backup where no attacker can reach it. Ransomware gangs pick the unready, so make yourself a bad pick.

Myths & Facts

Myth

Ransomware only hits big companies.

Paying the ransom ends the incident.

Good backups make you immune.

Antivirus will catch it.

An attack happens in an instant.

Ransomware is fading because payments fell.

Fact

The opposite. Verizon's 2025 report found ransomware in 88% of breaches at small and medium businesses, against 39% at large enterprises. Smaller organisations are targeted precisely because their defences are thinner.

CERT-SE warns there is no guarantee systems are restored, files are decrypted or the attacker will not return with new demands. Paying also marks you as an organisation that pays.

Backups get you running again, but most gangs steal data before encrypting and extort you with publication. Attackers also hunt backup servers first, so copies must be offline and tested.

Attackers log in through unpatched VPNs or with stolen credentials, then disable security tools before encrypting. Sophos found exploited vulnerabilities the most common technical root cause in 2025.

The encryption is instant. The attack is not. Criminals typically spend days or weeks inside first, escalating privileges, deleting backups and stealing data. That quiet period is your detection window.

The payment rate fell to an all-time low of 28% in 2025, but claimed attacks rose about 50% to a record (Chainalysis). The gangs adapted by hitting more, smaller victims.

Test Yourself

Four real-world scenarios, then six knowledge questions. See how prepared you would be under pressure.

Scenario simulation

  1. Monday 07:40. Files across the file server will not open, a payment demand sits on every desktop and IT reports the backup jobs were deleted on Friday night.

    What is your first move?

    • Pay quickly while the demand is still low
    • Isolate affected systems and activate the incident response plan
    • Reboot all servers to clear the infection
    • Tell staff to keep working on local files until IT solves it
  2. Your firewall vendor released a critical patch for the VPN three weeks ago. It is still not installed because the next maintenance window is in a month.

    What do you do?

    • Wait for the scheduled window to avoid disruption
    • Raise an emergency change and patch now
    • Rely on antivirus to block anything that gets in
    • Block foreign IP addresses and call it handled
  3. The supplier that runs your HR system emails: they have an ongoing IT disruption and cannot say more. It is Saturday morning.

    How do you respond?

    • Wait for the supplier to sort out their own problem
    • Activate your supplier-incident checklist: establish what data of yours is affected, prepare IMY and MCF notifications and warn staff about phishing
    • Delete your local copies of supplier data as a precaution
    • Post a reassuring statement that no data was affected
  4. An email arrives with samples of genuinely stolen internal files. Nothing is encrypted. The sender demands payment or the data goes public.

    What now?

    • Pay to make it go away quietly
    • Treat it as a breach: verify the sample, isolate the leak path, and report to Polisen and IMY within the deadlines
    • Ignore it, extortion emails are usually bluffs
    • Negotiate for time indefinitely without involving anyone

Knowledge test

  1. What share of breaches in Verizon's 2025 report involved ransomware?

    • 32%
    • 44%
    • 64%
    • 88%

    44% of breaches involved ransomware, up from 32% the year before; among small and medium businesses it was 88%.

  2. What does double extortion mean?

    • Two gangs attack the same victim
    • Data is stolen before encryption and publication is threatened
    • The ransom doubles every day
    • Two ransom notes are left

    The gang steals data first, then demands payment both to unlock systems and to withhold publication.

  3. What was the most common technical root cause of attacks in Sophos's 2025 survey?

    • Exploited vulnerabilities
    • USB sticks
    • Insider theft
    • Guessed Wi-Fi passwords

    Exploited vulnerabilities led, ahead of compromised credentials and phishing, which is why patching internet-facing systems comes first.

  4. Why did WannaCry spread so widely in 2017?

    • It used a flaw with no available fix
    • A fix had existed for two months but was widely uninstalled
    • Victims spread it by paying
    • It travelled through paper records

    Microsoft patched the EternalBlue flaw in March 2017, two months before the attack; unpatched machines did the spreading.

  5. Under Cybersäkerhetslagen, how quickly must a covered organisation send an early warning after a significant incident?

    • 24 hours
    • 72 hours
    • One week
    • One month

    The cascade is 24 hours for the early warning, 72 hours for the full notification and one month for the final report.

  6. What is CERT-SE's position on paying a ransom?

    • Pay if the demand is small
    • Never pay
    • Pay only through insurance
    • Pay after 30 days

    CERT-SE says never pay: there is no guarantee of restoration or decryption, and the attacker may return with new demands.

Take it with you

Share the Summary PDF with Your Team

A short distilled brief in PDF: key findings, red flags and action steps.

Download summary PDF

Why Training Matters

Phishing and stolen credentials sit alongside unpatched systems as the main ways ransomware gets in, and both run through people. A member of staff who recognises a phishing mail, questions an odd login prompt or reports a locked screen within minutes hands your responders the pre-encryption window that decides the whole incident.

Under NIS2 and Cybersäkerhetslagen this is also a legal matter: Article 21.2g makes security awareness training a required measure, and Article 20 holds the board accountable for it. eBuilder Security’s security awareness training teaches staff to recognise the openings ransomware needs and gives them a simple way to report in time.

Frequently Asked Questions

What is ransomware in simple terms?

Ransomware is malicious software that locks you out of your own systems and data, usually by encrypting files, until you pay the attacker. Most modern gangs also steal the data first and threaten to publish it, which is why a ransomware attack is treated as both an outage and a data breach.

How do most ransomware attacks start?

Most ransomware attacks start with an exploited vulnerability, a stolen login or a phishing email. Sophos's 2025 survey found exploited vulnerabilities the most common technical root cause, and Verizon recorded a 34% rise in exploitation, focused on VPNs and other edge devices. Patching and multi-factor authentication close those doors.

What is ransomware as a service?

Ransomware as a service is a business model where a core gang rents its malware, infrastructure and negotiation portal to affiliates who carry out the attacks. Qilin, the most active operation of 2025, pays affiliates 80 to 85% of each ransom, which explains how one strain can hit hundreds of victims a year.

What was the WannaCry attack?

WannaCry was a ransomware worm that infected around 200,000 computers in 150 countries on 12 May 2017, including large parts of the UK's NHS. It spread through a Windows flaw Microsoft had patched two months earlier, and the UK government later put the NHS cost at 92 million pounds. The lesson is patching.

What is Qilin ransomware?

Qilin is a ransomware-as-a-service operation, active since 2022, that became the most prolific group of 2025 with more than 800 claimed victims. Its affiliates attacked NHS pathology provider Synnovis in June 2024, postponing over 10,000 appointments, and a patient death was later linked to the disruption.

What is double extortion?

Double extortion means the attackers steal your data before encrypting it, then demand payment both to unlock systems and to stop the stolen files being published. It is now the standard model, and it is why good backups, while essential, no longer make the extortion problem go away on their own.

Should a company ever pay the ransom?

Swedish authorities say no. CERT-SE's guidance is to never pay, because there is no guarantee systems are restored, files are decrypted or the attacker will not return, and Polisen notes every payment funds organised crime. In 2025 only 28% of victims worldwide paid, an all-time low.

Can encrypted files be recovered without paying?

Often, yes. Sophos found 97% of organisations that had data encrypted recovered some of it, through backups, rebuilt systems or previously leaked decryption keys. The No More Ransom project, backed by Europol and Polisen, publishes free decryptors for some strains. Recovery depends on clean, offline backups the attacker never reached.

How long does it take to recover from a ransomware attack?

In Sophos's 2025 survey, 53% of victims fully recovered within a week, up from 35% the year before, while 18% needed more than a month. The spread depends almost entirely on preparation: tested offline backups, a rehearsed incident plan and around-the-clock detection shorten recovery from months to days.

What must Swedish organisations report after a ransomware attack?

Organisations covered by Cybersäkerhetslagen must send an early warning to MCF (formerly MSB) and their sector authority within 24 hours, a full notification within 72 hours and a final report within one month. If personal data is affected, GDPR Article 33 separately requires notifying IMY within 72 hours.

Get a 30-Minute Security Briefing. No Pitch Deck.

Talk to a Sweden-based analyst. We'll review your posture, map your NIS2 gaps, and give you a clear picture of where you stand, in plain language.

Book a Free Briefing
No commitment Sweden-based analyst

How eBuilder Security Can Help

Awareness is the first layer. These are the services that turn it into measurable protection.