What Is Ransomware?
Ransomware is malicious software that blocks access to a computer system or its files, usually by encrypting them, until the victim pays the attacker. Many attacks now add a second threat: stealing the data first and threatening to publish it, even if the victim can restore everything from backup.
The first documented case predates the internet as most of us know it. In 1989 a biologist mailed infected floppy disks to attendees of a World Health Organization AIDS conference in Stockholm. The disks hid a victim’s file directories and demanded 189 dollars sent to a post box in Panama. Thirty-six years later, the same idea, deny access and demand payment, runs a criminal economy worth hundreds of millions of dollars a year.
What changed is who gets targeted and who is accountable. Ransomware used to be an IT incident. It is now a board-level risk. Under Sweden’s Cybersäkerhetslagen, the board itself can be held personally accountable for the security measures a company failed to take, and a ransomware attack is exactly the kind of incident that exposes those gaps in public.
How Ransomware Is Made
Most ransomware today is not built and deployed by a single group. It runs on a ransomware-as-a-service, or RaaS, model that splits the work into three roles. Operators write and maintain the ransomware and the infrastructure behind it. Affiliates rent or licence that software and carry out the actual attacks. Initial access brokers specialise in breaking into networks and selling that access on to affiliates, sometimes weeks before an attack takes place.
The economics are simple and effective. An affiliate pays a flat monthly fee, a one-off licence fee or a share of whatever ransom gets paid, commonly leaving the operator with roughly a fifth to two fifths of the proceeds and the affiliate the rest. Some platforms offer affiliates as much as four fifths of the ransom to attract experienced attackers. This division of labour is why IBM’s 2026 threat research counted 109 active ransomware and extortion groups in 2025, up from 73 the year before. Nobody needs to be a skilled malware author to run a ransomware campaign. They only need access, and access is for sale.
That access usually arrives through a small set of well-worn doors: a phishing email that harvests a password, a remote-desktop connection left open to the internet, an unpatched software vulnerability or credentials bought from an initial access broker. None of these require sophisticated hacking. They require one employee to click, or one server to be a patch cycle behind.
Types of Ransomware Attack
Ransomware is not one thing. The label covers several different attack styles, and knowing which one is in play changes how you respond.
- Crypto ransomware. The most common form. It encrypts files so they cannot be opened without a key the attacker holds.
- Locker ransomware. Locks the screen or device itself rather than the files, more common against individuals than organisations.
- Double extortion. Encrypts the data and steals a copy of it, so a clean backup no longer removes the pressure to pay.
- Triple extortion. Adds a further lever on top of double extortion, such as contacting the victim’s customers directly or threatening a denial-of-service attack.
- Leakware or doxware. Threatens to publish stolen data, sometimes without encrypting anything at all.
- Scareware. Fake security pop-ups that pressure a payment for a problem that does not exist, the least technically sophisticated form.
- Wipers. Destructive code disguised as ransomware. Files are corrupted or deleted whether or not the ransom is paid, and this variant is more often linked to state-backed disruption than ordinary crime.
Ransomware-as-a-service is not a type of payload. It is the delivery model behind most of the categories above, which is why the same affiliate network can run a crypto attack against one victim and a pure leak-and-extort campaign against the next.
Business Impact
The headline economics moved in an unexpected direction in 2025. Chainalysis tracked about 820 million dollars in on-chain ransomware payments globally, 8 percent down on the year before, even as the number of claimed attacks rose by 50 percent to a record high. Only 28 percent of victims paid, the lowest share on record. For the minority who did pay, the median payment jumped 368 percent year on year, from 12,738 dollars to 59,556 dollars (Chainalysis, 2026).
The FBI’s Internet Crime Complaint Center received 3,611 ransomware complaints in 2025 with more than 32 million dollars in directly reported losses, a figure the FBI itself flags as an undercount because it excludes downtime, recovery and legal costs. The centre logged 63 new ransomware variants that year, an average of five a month, and found healthcare and public health organisations hit by ransomware more often than any other critical-infrastructure sector (FBI IC3, 2026).
Those direct figures understate the real cost. IBM puts the average cost of a ransomware breach at around 5 million dollars once investigation, downtime and recovery are included. In autumn 2025, a ransomware attack forced Jaguar Land Rover to halt production for five weeks across multiple countries. The attackers, a collective referencing well-known cybercrime brands, claimed the intrusion; the UK’s Cyber Monitoring Centre put the cost to the wider economy at roughly 1.9 billion pounds, the most expensive cyber incident in British history. The lesson is not the ransom demand. It is the weeks of lost production that no insurance policy fully covers.
Real-World Cases
WannaCry, May 2017
A self-spreading “cryptoworm” used a leaked NSA exploit, EternalBlue, against a known and already-patched Windows flaw. It reached more than 200,000 computers in over 100 countries within a day. In England alone, about 80 of 236 NHS trusts were infected or shut their own systems down as a precaution, a further 603 NHS organisations including 595 GP practices were affected, and almost 20,000 hospital appointments and operations were cancelled, according to the UK’s National Audit Office. A researcher stopped the spread almost by accident, by registering a domain the malware checked before encrypting. The control that would have stopped it: the patch had shipped two months earlier.
Coop Sweden, July 2021
Coop was never a Kaseya customer. Its checkout software supplier, Visma Esscom, was, and REvil’s exploitation of a zero-day flaw in Kaseya’s remote-management platform reached Coop’s tills and self-service checkouts through that supplier relationship, forcing most of Coop’s roughly 800 Swedish stores to close for about a week. The wider Kaseya attack reached an estimated 1,000-plus businesses worldwide through around 50 to 60 managed service providers, and REvil demanded 70 million dollars for a universal decryption tool. The control: supply-chain risk management. Not being a supplier’s direct customer does not put you outside the blast radius.
Synnovis, June 2024
The Qilin ransomware-as-a-service group hit Synnovis, a pathology partner to several NHS London hospitals, with a 50 million dollar ransom demand over roughly 400 gigabytes of data. More than 6,000 appointments and procedures were cancelled and hospitals issued an urgent call for O-type blood donors because cross-matching systems were down. Qilin remained one of the most active ransomware operations globally through early 2026. The control: privileged-access management and protected backups. Qilin affiliates are known to abuse legitimate remote-access tools and target backup infrastructure before they ever start encrypting.
Tietoevry, January 2024
An Akira ransomware attack on Swedish IT provider Tietoevry took down payroll, health-record and retail systems for its customers for several days. The control: business continuity planning for outsourced systems. When a critical supplier goes down, the plan needs to already exist, not get written during the incident.
Miljödata, August 2025
A ransomware attack on a single Swedish software supplier disrupted services across roughly 200 of Sweden’s 290 municipalities. The control: concentration risk. A shared supplier to the public sector is a single point of failure, and its security requirements need to match the scale of what depends on it.
Ransomware and Compliance
Sweden’s NIS2 law, Cybersäkerhetslagen (SFS 2025:1506), came into force on 15 January 2026 and changes ransomware from a technical incident into a legal one. Article 20 makes the board responsible for approving and overseeing security measures, with supervisory authorities able to hold board members personally accountable. Article 21 sets out required measures directly relevant to ransomware: continuous monitoring, incident handling, business continuity, supply-chain security and regular security awareness training.
A confirmed ransomware attack also starts a reporting clock. Under Cybersäkerhetslagen, an affected organisation owes MCF (formerly MSB) and the relevant sector authority an early warning within 24 hours, a full notification within 72 hours and a final report within a month. Fines for non-compliance run up to 10 million euros or 2 percent of global turnover for essential entities, and up to 7 million euros or 1.4 percent for important entities. Read the full detail on eBuilder’s NIS2 compliance hub.
Other regimes stack on top depending on sector and data. GDPR Article 33 requires a 72-hour breach notification to IMY, Sweden’s data protection authority, whenever personal data is affected, which most ransomware cases involve. Financial entities carry a further duty under DORA Article 17, supervised by Finansinspektionen, covering how ICT incidents including ransomware are managed and reported.
How to Spot Ransomware
Ransomware rarely announces itself the moment it lands. Most attacks involve days or weeks of quiet access before encryption ever starts, and that window has warning signs if someone is looking for them.
- Remote-access and remote-monitoring tools running where nobody on the IT team recognises them or expects them to be.
- Administrator activity outside normal hours, especially against backup systems, domain controllers or security tooling.
- Attempts to delete or disable backup snapshots, shadow copies or antivirus and endpoint agents.
- A sudden spike in file-renaming or file-access activity across shared drives.
- A phishing email, an unexpected password reset prompt or a login from an unfamiliar location, any of which can be the very first foothold.
None of these signs are proof on their own, and no organisation should rely on spotting ransomware by eye. Detection alone is unreliable because the quiet phase is built to look ordinary. Monitoring, not instinct, is what catches it in time.
How to Defend
The controls that stop ransomware are not exotic. They are the basics, applied consistently rather than selectively.
- Turn on multi-factor authentication everywhere, not just for a handful of privileged accounts. Stolen passwords are the most common way in.
- Keep backups offline or immutable and test the restore process, not just the backup job. A backup an attacker can reach and delete is not a backup.
- Patch on a fixed cadence, prioritising internet-facing systems and anything with a known exploited vulnerability.
- Segment the network so a single compromised account or device cannot reach every system in the business.
- Write and rehearse an incident response plan before you need it, including who has authority to make decisions at 2am.
- Run regular security awareness training so staff recognise phishing and unusual requests, and know how to report them without fear of blame.
Each of these is a control that, on its own, has stopped a real ransomware attack somewhere in the cases above. Together, they close most of the doors ransomware actually uses.
