What Is Ransomware?
Ransomware is malicious software that locks an organisation out of its own systems and data, usually by encrypting files, until a ransom is paid. Most modern attacks also steal data first and threaten to publish it, so the criminals get paid even when victims restore from backups.
That second part is what changed the crime. Ten years ago ransomware was an IT outage. Today it is an outage, a data breach and a public extortion campaign rolled into one, run by organised groups with negotiators, leak sites and customer support portals.
The scale is no longer a niche concern. Ransomware appeared in 44% of the breaches analysed in Verizon’s 2025 Data Breach Investigations Report, up from 32% the year before, and in 88% of breaches at small and medium businesses. Blockchain analysts at Chainalysis counted a record number of claimed attacks in 2025, up about 50% year on year, even as the share of victims who paid fell to an all-time low of 28%. Fewer victims pay, so the gangs compensate with volume.
Sweden is not watching from the sidelines. In August 2025 a single ransomware attack on the HR supplier Miljödata disrupted roughly 200 of Sweden’s 290 municipalities and regions in one weekend. This guide explains how these attacks work, what they cost, the cases every Swedish decision maker should know and the controls that actually decide the outcome.
How a Ransomware Attack Works
The ransom note is the last step of the attack, not the first. By the time files stop opening, the criminals have usually been inside the network for days or weeks. Understanding the quiet phase is what makes ransomware attacks stoppable.
It starts with access. There are three main doors: an unpatched vulnerability in something facing the internet, a stolen or phished login, or a malicious email attachment. Sophos’s 2025 survey of 3,400 victims found exploited vulnerabilities the most common technical root cause, ahead of compromised credentials and phishing, and Verizon recorded a 34% rise in vulnerability exploitation, concentrated on VPNs and other edge devices. The Tietoevry attack that disrupted Swedish payroll in 2024 came through a VPN flaw that had been patched by the vendor four months earlier.
Then comes the quiet work. The intruders escalate to administrator rights, switch off or uninstall security tools, map the network and locate the backups. Backups are deleted or encrypted first, because a victim who can restore is a victim who will not pay. In parallel, the most valuable data is copied out of the network for the extortion that follows.
Only then does the loud part happen, and almost always at the worst possible hour. Encryption is typically triggered at night or over a weekend, when nobody is watching. Miljödata was hit on a Saturday in August 2025; Tietoevry during the night of 19 to 20 January 2024. Servers and workstations are encrypted in minutes, a note appears with a link to a negotiation portal, and a countdown starts on the gang’s leak site.
Why has this become so easy? Because it is an industry. Ransomware-as-a-service platforms supply the malware and the negotiation infrastructure, while initial access brokers sell ready-made footholds into company networks. Chainalysis reports the average price of that access fell from about 1,427 dollars in early 2023 to 439 dollars in early 2026. The skill now sits in the platform, not the attacker, and that is the uncomfortable truth behind the record attack numbers.
Types of Ransomware Attack
The types of ransomware matter less for the labels than for what each one enables. Six patterns cover almost everything you will meet.
- Crypto ransomware. The classic form: files and systems are encrypted and a payment is demanded for the key. WannaCry in 2017 was pure crypto ransomware, and it remains the core of most attacks today.
- Locker ransomware. Locks the whole device or screen without encrypting individual files. Cruder, easier to recover from and now mostly aimed at consumers rather than organisations.
- Double extortion. Data is stolen before encryption, and the gang demands payment both to unlock systems and to withhold publication. This is the default model today, and it is why backups alone no longer end the incident.
- Extortion-only attacks. Some groups now skip encryption entirely and simply steal data and threaten to leak it. Still a small share, but growing: in Sophos’s retail data the proportion tripled between 2023 and 2025.
- Ransomware as a service (RaaS). Not a strain but the business model behind most strains. A core gang rents its malware, infrastructure and negotiation portal to affiliates who carry out the attacks. Qilin, the most active operation of 2025 with more than 800 claimed victims, pays affiliates 80% of ransoms up to 3 million dollars and 85% above that, according to Group-IB research. When police disrupted LockBit in February 2024, its affiliates simply migrated to rivals such as Qilin and Akira, the latter of which CISA says has collected around 244 million dollars.
- Wipers in disguise. Occasionally the ransom note is theatre and the goal is destruction. NotPetya in June 2017 looked like ransomware but offered no real recovery; shipping giant Maersk put its cost at as much as 300 million dollars.
In practice the taxonomy overlaps, and the same controls counter all of it. What matters is recognising that the criminal on the other end is running a business with margins, staff and a sales funnel.
Business Impact
The ransom is rarely the biggest number. The real cost of a ransomware attack arrives through five distinct mechanisms, and each one deserves its own line in the risk register.
Downtime. When Coop’s checkout systems were encrypted in 2021, most of its roughly 800 stores simply could not take payment. Recovery speed varies enormously: in Sophos’s 2025 survey 53% of victims were fully back within a week, up from 35% the year before, but 18% needed more than a month.
Recovery cost. Sophos puts the mean cost of recovering from an attack, excluding any ransom, at 1.53 million dollars in 2025, down from 2.73 million the year before as organisations respond faster. That covers rebuilding systems, people time, lost business and external specialists.
The ransom itself. Verizon’s 2025 report found a median payment of 115,000 dollars across all victims, while Sophos, whose sample covers organisations with 100 to 5,000 employees, recorded a median payment of 1 million dollars. Demands are negotiable: 53% of Sophos respondents who paid settled below the initial ask.
Regulatory exposure. A ransomware attack in Sweden almost always triggers legal duties, and failures carry fines of up to 10 million euros or 2% of global turnover for essential entities under NIS2, alongside GDPR sanctions if personal data is mishandled. The next section covers the deadlines.
Human and outlier cost. Averages hide the tail. The 2024 attack on NHS supplier Synnovis contributed to a patient’s death, the first officially confirmed in the UK. The August 2025 attack on Jaguar Land Rover caused an estimated 2.5 billion dollars in damage, the costliest cyber incident in British history according to figures cited by Chainalysis. No spreadsheet line captures what those numbers mean, and pretending the tail cannot reach you is not a strategy.
Real-World Cases
Five named cases explain modern ransomware better than any definition, and three of them are Swedish. Each ends with the one control that would have changed the outcome.
WannaCry ransomware, May 2017. A self-spreading worm infected around 200,000 computers in 150 countries in days, according to Europol. In the UK it disrupted at least 80 of 236 NHS trusts, cancelled some 19,000 appointments and cost an estimated 92 million pounds; no NHS body paid. The exploit it used, EternalBlue, had been patched by Microsoft two months earlier, and the US and UK later attributed the attack to North Korea. The control: patching. WannaCry only worked on machines nobody had updated.
Coop and Kaseya, July 2021. The REvil gang pushed ransomware through Kaseya’s VSA management software to IT providers worldwide and demanded 70 million dollars for a universal decryptor. Coop was not even a Kaseya customer, but its point-of-sale supplier was, and most of Coop’s roughly 800 Swedish stores closed because the tills would not work; stores were back within about six days. The control: supplier risk management, and the ability to keep trading when one supplier fails.
Tietoevry and Akira, January 2024. During the night of 19 to 20 January, Akira affiliates encrypted part of a Tietoevry datacentre in Sweden. The Primula payroll system used by more than 30 government authorities and most Swedish universities went down, along with Filmstaden’s ticketing, retailer Rusta and healthcare records in Uppsala County. The entry point was a Cisco VPN vulnerability patched four months earlier, in a campaign that targeted VPN accounts without multi-factor authentication. The control: patch the VPN and enforce MFA on it. Either would likely have stopped it.
Synnovis and Qilin ransomware, June 2024. Qilin affiliates hit the pathology provider for south-east London’s hospitals on 3 June 2024. NHS England recorded 10,152 postponed outpatient appointments and 1,710 postponed procedures; a 50 million dollar demand was refused and about 400 GB of patient data was published. Synnovis reported costs above 32 million pounds, and in June 2025 King’s College Hospital confirmed that a delayed blood test result caused by the attack contributed to a patient’s death. The control: tested continuity plans for critical suppliers, including a manual fallback that keeps core services running.
Miljödata, August 2025. Attackers hit the HR systems supplier used by about 80% of Swedish municipalities, detected on Saturday 23 August. Roughly 200 of Sweden’s 290 municipalities and regions lost access to systems handling medical certificates, rehabilitation plans and workplace injuries, and the extortionists demanded 1.5 bitcoin. When payment was refused, data on more than 1.5 million people was published on the darknet, a figure confirmed by the Swedish Prosecution Authority. The control: security requirements in supplier contracts, and holding suppliers to a minimum on what personal data they store.
Notice the pattern. None of these was defeated or enabled by exotic technology. Every one turned on basics: a missing patch, a missing MFA prompt, an unwatched weekend or an unexamined supplier.
Ransomware and Compliance
In Sweden, how you prepare for and respond to ransomware is now written into law. Four regimes matter, and the clock on each starts the moment you detect the incident.
NIS2 and Cybersäkerhetslagen. Sweden’s new cybersecurity law (SFS 2025:1506) has been in force since 15 January 2026 and transposes the EU’s NIS2 Directive. Article 21 requires exactly the measures that decide ransomware outcomes: continuous monitoring (21.2a), incident handling (21.2b), business continuity and backups (21.2c), supply-chain security (21.2d) and security awareness training (21.2g). Article 20 makes the board personally accountable for approving and overseeing these measures. After an incident, covered organisations must send an early warning to MCF (formerly MSB) and their sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Fines reach 10 million euros or 2% of global turnover for essential entities, and 7 million euros or 1.4% for important entities. Our NIS2 compliance guide covers who is in scope and how to prepare.
GDPR. Because most attacks now involve data theft, a ransomware incident is usually also a personal data breach. Article 33 requires notification to IMY within 72 hours, and even pure encryption can qualify, since losing access to personal data is itself a breach of availability. See our guide to GDPR compliance in Sweden.
DORA. Financial entities face stricter, parallel duties. DORA’s Article 17 requires a full ICT incident management process, supervised in Sweden by Finansinspektionen. Our DORA compliance guide explains the overlap with NIS2.
ISO 27001. Not a law, but the framework auditors, insurers and large customers expect, and its controls map directly onto the defences in the next sections. See ISO 27001 for Swedish organisations.
The practical consequence: reporting readiness is part of ransomware defence. If your first hours are spent finding out who calls MCF, you have already lost them.
How to Spot a Ransomware Attack
Be honest about what spotting means. Once a ransom note appears, detection has failed; the note is the end of the attack. The real opportunity is the quiet phase before encryption, and it shows up in signals like these.
- New administrator accounts, or existing accounts suddenly gaining privileges.
- Endpoint protection or EDR tools switched off, reconfigured or uninstalled.
- Remote-access tools your organisation never approved appearing on systems. CISA notes Akira intrusions use tools such as AnyDesk and LogMeIn to mimic administrators.
- Backup jobs failing, snapshots vanishing or shadow copies being deleted.
- Unusually large outbound data transfers to unfamiliar destinations, the signature of exfiltration.
- Logins at odd hours or from unexpected places, and bursts of PowerShell or scanning between servers, both on CERT-SE’s watch list.
For everyone outside IT, the late signs still matter: files that will not open or carry strange new extensions, a text file or wallpaper demanding payment, or a colleague’s machine locking up. The right response is to report it within minutes and disconnect the machine, not to reboot and hope.
The encouraging news is that early detection works. Sophos found only 50% of attacks in 2025 ended in data encryption, a six-year low, because more victims caught the intruders during the quiet phase. The hard part is that the quiet phase runs at 03:00 on a Saturday, which is an argument for around-the-clock monitoring rather than optimism.
How to Defend Against Ransomware
Every case above was decided by basics. Here is the defence that would have changed each of them, in the order to do it.
- Patch what faces the internet first. VPNs, firewalls, remote access and backup servers before anything else. Set a days-not-months deadline for critical fixes; the flaw that opened Tietoevry had been patched by the vendor four months earlier.
- Enforce MFA on every remote login and admin account. Prefer phishing-resistant methods for the most sensitive access, as CERT-SE recommends. A stolen password should never be enough to enter your network.
- Keep one backup the attacker cannot reach. At least one copy offline or immutable, because intruders with admin rights hunt backups first. Test restoring regularly, and after an incident verify backups are clean before you restore from them.
- Segment the network and trim privileges. One stolen login should open one room, not the whole building. Least privilege limits how far the quiet phase can spread.
- Watch around the clock. Endpoint detection tools only help if someone acts on the alert, and Sweden’s biggest incidents landed on weekends. If you cannot staff 24/7 detection yourself, use a managed detection and response service.
- Put security in supplier contracts. Require patching, MFA, incident notification deadlines and data minimisation from every supplier that touches your systems or data. Coop and 200 Swedish municipalities were hit through suppliers, not their own networks.
- Train people and rehearse the plan. Staff who report a phishing mail or a locked screen within minutes buy your responders the window that matters. Rehearse the incident plan, including manual fallbacks and who notifies MCF, Polisen and IMY.
- Decide the ransom question now, not at 04:00. CERT-SE’s position is to never pay: there is no guarantee systems are restored, files are decrypted or the attacker will not return, and Polisen adds that every payment funds organised crime. Check the No More Ransom project for free decryptors before considering anything else.
Start this week with the two controls that decided every case in this guide: patch what faces the internet, and put one tested backup where no attacker can reach it. Ransomware gangs pick the unready, so make yourself a bad pick.