Threats & attacks

What Is Ransomware

What ransomware is, how it spreads and what Swedish and global cases reveal about the controls that actually stop it.

Key takeaways
  • Ransomware blocks access to systems or files, usually by encryption, until a payment is made.
  • Most attacks now steal data too, so a clean backup no longer removes the pressure to pay.
  • Ransomware-as-a-service means attackers do not need to write their own malware, only buy access.
  • Chainalysis tracked about 820 million dollars in ransomware payments in 2025, even as only 28 percent of victims paid, an all-time low.
  • The FBI logged 3,611 ransomware complaints and 63 new ransomware variants in 2025 alone.
  • WannaCry (2017) spread to over 200,000 computers using a vulnerability that had already been patched.
  • The Qilin group’s attack on NHS supplier Synnovis in 2024 cancelled over 6,000 hospital appointments.
  • Sweden’s Cybersäkerhetslagen, in force since 15 January 2026, can hold boards personally accountable for security failings.
  • A confirmed attack starts a legal clock: 24 hours for an early warning, 72 hours for full notification.
  • Multi-factor authentication, offline backups and a rehearsed incident response plan stop most real-world attacks.

What Is Ransomware?

Ransomware is malicious software that blocks access to a computer system or its files, usually by encrypting them, until the victim pays the attacker. Many attacks now add a second threat: stealing the data first and threatening to publish it, even if the victim can restore everything from backup.

The first documented case predates the internet as most of us know it. In 1989 a biologist mailed infected floppy disks to attendees of a World Health Organization AIDS conference in Stockholm. The disks hid a victim’s file directories and demanded 189 dollars sent to a post box in Panama. Thirty-six years later, the same idea, deny access and demand payment, runs a criminal economy worth hundreds of millions of dollars a year.

What changed is who gets targeted and who is accountable. Ransomware used to be an IT incident. It is now a board-level risk. Under Sweden’s Cybersäkerhetslagen, the board itself can be held personally accountable for the security measures a company failed to take, and a ransomware attack is exactly the kind of incident that exposes those gaps in public.

How Ransomware Is Made

Most ransomware today is not built and deployed by a single group. It runs on a ransomware-as-a-service, or RaaS, model that splits the work into three roles. Operators write and maintain the ransomware and the infrastructure behind it. Affiliates rent or licence that software and carry out the actual attacks. Initial access brokers specialise in breaking into networks and selling that access on to affiliates, sometimes weeks before an attack takes place.

The economics are simple and effective. An affiliate pays a flat monthly fee, a one-off licence fee or a share of whatever ransom gets paid, commonly leaving the operator with roughly a fifth to two fifths of the proceeds and the affiliate the rest. Some platforms offer affiliates as much as four fifths of the ransom to attract experienced attackers. This division of labour is why IBM’s 2026 threat research counted 109 active ransomware and extortion groups in 2025, up from 73 the year before. Nobody needs to be a skilled malware author to run a ransomware campaign. They only need access, and access is for sale.

That access usually arrives through a small set of well-worn doors: a phishing email that harvests a password, a remote-desktop connection left open to the internet, an unpatched software vulnerability or credentials bought from an initial access broker. None of these require sophisticated hacking. They require one employee to click, or one server to be a patch cycle behind.

Types of Ransomware Attack

Ransomware is not one thing. The label covers several different attack styles, and knowing which one is in play changes how you respond.

  • Crypto ransomware. The most common form. It encrypts files so they cannot be opened without a key the attacker holds.
  • Locker ransomware. Locks the screen or device itself rather than the files, more common against individuals than organisations.
  • Double extortion. Encrypts the data and steals a copy of it, so a clean backup no longer removes the pressure to pay.
  • Triple extortion. Adds a further lever on top of double extortion, such as contacting the victim’s customers directly or threatening a denial-of-service attack.
  • Leakware or doxware. Threatens to publish stolen data, sometimes without encrypting anything at all.
  • Scareware. Fake security pop-ups that pressure a payment for a problem that does not exist, the least technically sophisticated form.
  • Wipers. Destructive code disguised as ransomware. Files are corrupted or deleted whether or not the ransom is paid, and this variant is more often linked to state-backed disruption than ordinary crime.

Ransomware-as-a-service is not a type of payload. It is the delivery model behind most of the categories above, which is why the same affiliate network can run a crypto attack against one victim and a pure leak-and-extort campaign against the next.

Business Impact

The headline economics moved in an unexpected direction in 2025. Chainalysis tracked about 820 million dollars in on-chain ransomware payments globally, 8 percent down on the year before, even as the number of claimed attacks rose by 50 percent to a record high. Only 28 percent of victims paid, the lowest share on record. For the minority who did pay, the median payment jumped 368 percent year on year, from 12,738 dollars to 59,556 dollars (Chainalysis, 2026).

The FBI’s Internet Crime Complaint Center received 3,611 ransomware complaints in 2025 with more than 32 million dollars in directly reported losses, a figure the FBI itself flags as an undercount because it excludes downtime, recovery and legal costs. The centre logged 63 new ransomware variants that year, an average of five a month, and found healthcare and public health organisations hit by ransomware more often than any other critical-infrastructure sector (FBI IC3, 2026).

Those direct figures understate the real cost. IBM puts the average cost of a ransomware breach at around 5 million dollars once investigation, downtime and recovery are included. In autumn 2025, a ransomware attack forced Jaguar Land Rover to halt production for five weeks across multiple countries. The attackers, a collective referencing well-known cybercrime brands, claimed the intrusion; the UK’s Cyber Monitoring Centre put the cost to the wider economy at roughly 1.9 billion pounds, the most expensive cyber incident in British history. The lesson is not the ransom demand. It is the weeks of lost production that no insurance policy fully covers.

Real-World Cases

WannaCry, May 2017

A self-spreading “cryptoworm” used a leaked NSA exploit, EternalBlue, against a known and already-patched Windows flaw. It reached more than 200,000 computers in over 100 countries within a day. In England alone, about 80 of 236 NHS trusts were infected or shut their own systems down as a precaution, a further 603 NHS organisations including 595 GP practices were affected, and almost 20,000 hospital appointments and operations were cancelled, according to the UK’s National Audit Office. A researcher stopped the spread almost by accident, by registering a domain the malware checked before encrypting. The control that would have stopped it: the patch had shipped two months earlier.

Coop Sweden, July 2021

Coop was never a Kaseya customer. Its checkout software supplier, Visma Esscom, was, and REvil’s exploitation of a zero-day flaw in Kaseya’s remote-management platform reached Coop’s tills and self-service checkouts through that supplier relationship, forcing most of Coop’s roughly 800 Swedish stores to close for about a week. The wider Kaseya attack reached an estimated 1,000-plus businesses worldwide through around 50 to 60 managed service providers, and REvil demanded 70 million dollars for a universal decryption tool. The control: supply-chain risk management. Not being a supplier’s direct customer does not put you outside the blast radius.

Synnovis, June 2024

The Qilin ransomware-as-a-service group hit Synnovis, a pathology partner to several NHS London hospitals, with a 50 million dollar ransom demand over roughly 400 gigabytes of data. More than 6,000 appointments and procedures were cancelled and hospitals issued an urgent call for O-type blood donors because cross-matching systems were down. Qilin remained one of the most active ransomware operations globally through early 2026. The control: privileged-access management and protected backups. Qilin affiliates are known to abuse legitimate remote-access tools and target backup infrastructure before they ever start encrypting.

Tietoevry, January 2024

An Akira ransomware attack on Swedish IT provider Tietoevry took down payroll, health-record and retail systems for its customers for several days. The control: business continuity planning for outsourced systems. When a critical supplier goes down, the plan needs to already exist, not get written during the incident.

Miljödata, August 2025

A ransomware attack on a single Swedish software supplier disrupted services across roughly 200 of Sweden’s 290 municipalities. The control: concentration risk. A shared supplier to the public sector is a single point of failure, and its security requirements need to match the scale of what depends on it.

Ransomware and Compliance

Sweden’s NIS2 law, Cybersäkerhetslagen (SFS 2025:1506), came into force on 15 January 2026 and changes ransomware from a technical incident into a legal one. Article 20 makes the board responsible for approving and overseeing security measures, with supervisory authorities able to hold board members personally accountable. Article 21 sets out required measures directly relevant to ransomware: continuous monitoring, incident handling, business continuity, supply-chain security and regular security awareness training.

A confirmed ransomware attack also starts a reporting clock. Under Cybersäkerhetslagen, an affected organisation owes MCF (formerly MSB) and the relevant sector authority an early warning within 24 hours, a full notification within 72 hours and a final report within a month. Fines for non-compliance run up to 10 million euros or 2 percent of global turnover for essential entities, and up to 7 million euros or 1.4 percent for important entities. Read the full detail on eBuilder’s NIS2 compliance hub.

Other regimes stack on top depending on sector and data. GDPR Article 33 requires a 72-hour breach notification to IMY, Sweden’s data protection authority, whenever personal data is affected, which most ransomware cases involve. Financial entities carry a further duty under DORA Article 17, supervised by Finansinspektionen, covering how ICT incidents including ransomware are managed and reported.

How to Spot Ransomware

Ransomware rarely announces itself the moment it lands. Most attacks involve days or weeks of quiet access before encryption ever starts, and that window has warning signs if someone is looking for them.

  • Remote-access and remote-monitoring tools running where nobody on the IT team recognises them or expects them to be.
  • Administrator activity outside normal hours, especially against backup systems, domain controllers or security tooling.
  • Attempts to delete or disable backup snapshots, shadow copies or antivirus and endpoint agents.
  • A sudden spike in file-renaming or file-access activity across shared drives.
  • A phishing email, an unexpected password reset prompt or a login from an unfamiliar location, any of which can be the very first foothold.

None of these signs are proof on their own, and no organisation should rely on spotting ransomware by eye. Detection alone is unreliable because the quiet phase is built to look ordinary. Monitoring, not instinct, is what catches it in time.

How to Defend

The controls that stop ransomware are not exotic. They are the basics, applied consistently rather than selectively.

  • Turn on multi-factor authentication everywhere, not just for a handful of privileged accounts. Stolen passwords are the most common way in.
  • Keep backups offline or immutable and test the restore process, not just the backup job. A backup an attacker can reach and delete is not a backup.
  • Patch on a fixed cadence, prioritising internet-facing systems and anything with a known exploited vulnerability.
  • Segment the network so a single compromised account or device cannot reach every system in the business.
  • Write and rehearse an incident response plan before you need it, including who has authority to make decisions at 2am.
  • Run regular security awareness training so staff recognise phishing and unusual requests, and know how to report them without fear of blame.

Each of these is a control that, on its own, has stopped a real ransomware attack somewhere in the cases above. Together, they close most of the doors ransomware actually uses.

Myths & Facts

Myth

Paying the ransom guarantees you get your data back.

Only large companies are worth attacking.

A good backup means ransomware cannot hurt you.

Ransomware is an IT problem, not a board problem.

If nothing looks encrypted yet, there is no attack under way.

Antivirus software is enough to stop ransomware.

Fact

There is no enforcement mechanism against criminals. Some victims who pay receive a working decryption key and others do not. Paying also marks an organisation as willing to pay again.

Chainalysis and the FBI both recorded a shift toward smaller and mid-sized targets in 2025, because they are faster to breach and quicker to pay.

Double extortion steals a copy of the data before encrypting it, so attackers can still threaten to publish it even when the victim restores everything from backup.

Under Sweden's Cybersäkerhetslagen, Article 20 makes the board responsible for approving and overseeing security measures, and board members can be held personally accountable.

Most ransomware groups spend days or weeks quietly inside a network, disabling backups and mapping systems, before encryption ever starts.

Modern affiliates commonly use legitimate remote-access tools and valid stolen credentials, which antivirus is not designed to flag as malicious.

Test Yourself

Four real-world scenarios, then six knowledge questions. See how prepared you would be under pressure.

Scenario simulation

  1. Your finance team gets an email that looks like it is from your IT provider, asking them to log into a portal to "verify a security update".

    What do you do?

    • Click the link and log in to check
    • Report it and verify with IT through a known contact
    • Ignore it and delete it
  2. Your backup system shows that last night's backup job silently failed, and it has failed twice this month.

    What is the priority?

    • Note it and check again next week
    • Investigate immediately and confirm the restore actually works
    • Assume the next scheduled backup will fix itself
  3. Your NIS2 risk assessment flags that a single external supplier manages remote access for several of your critical systems.

    What does the Coop Sweden case suggest you should do?

    • Nothing, since you are not a direct customer of the underlying software vendor
    • Assess and monitor the supplier's security as if it were your own
    • Wait for the supplier to confirm they have never been attacked
  4. An admin account is seen logging into a backup server at 3am, a time nobody on the team works.

    What is the most likely explanation to investigate first?

    • A scheduled maintenance task nobody flagged
    • Ignore it since the login used valid credentials
    • Treat it as a possible active intrusion and investigate immediately

Knowledge test

  1. What is the main difference between crypto ransomware and locker ransomware?

    • Crypto ransomware encrypts files; locker ransomware locks the device or screen
    • Crypto ransomware only targets cryptocurrency exchanges
    • Locker ransomware is more damaging to large organisations
    • There is no meaningful difference

    Crypto ransomware encrypts data, while locker ransomware blocks access to the device itself, usually without encrypting the files.

  2. In the ransomware-as-a-service model, who usually carries out the actual attack?

    • The operator who wrote the ransomware
    • The affiliate who rents or licenses the ransomware
    • The victim's own IT team
    • A government regulator

    Operators build and maintain the ransomware and infrastructure; affiliates rent it and carry out the attacks themselves.

  3. Why did double extortion emerge as a tactic?

    • To make ransom notes easier to read
    • Because backups alone stopped victims paying, so attackers added a data-leak threat
    • To target cryptocurrency wallets specifically
    • It has no real strategic purpose

    Good backups let victims recover without paying, so attackers began stealing data too, adding a leak threat that a backup cannot solve.

  4. What made WannaCry able to spread as fast as it did in 2017?

    • It targeted only one specific bank
    • It required each victim to open an email attachment individually
    • It self-propagated across networks using an unpatched, already-fixed Windows flaw
    • It only affected mobile phones

    WannaCry used the EternalBlue exploit to spread automatically between machines that had not applied a patch Microsoft had already released.

  5. Under Sweden's Cybersäkerhetslagen, how soon must an early warning of a serious incident be sent?

    • Within 24 hours
    • Within 7 days
    • Within 1 month
    • There is no fixed deadline

    The reporting cascade requires an early warning within 24 hours, full notification within 72 hours and a final report within a month.

  6. Which control is most directly credited with limiting the damage in the cases in this guide?

    • Buying cyber insurance
    • Paying the ransom quickly
    • Basics such as patching, backups, segmentation and multi-factor authentication
    • Hiring more marketing staff

    Every named case in this guide traces back to a basic control, patching, backups, supplier oversight or access management, that either held or was missing.

Why Training Matters

Every ransomware case in this guide started with access, not sophistication: a phishing email, a stolen password or an unpatched door somebody had already knocked on. Most of that access is handed over by people, not systems, which is why regular, realistic security awareness training is one of the required measures under Article 21 of Sweden’s Cybersäkerhetslagen, not an optional extra. Staff who can spot a phishing attempt and know how to report it without fear of blame are one of the cheapest and most effective controls an organisation has.

Frequently Asked Questions

What is ransomware?

Ransomware is malicious software that blocks access to a computer system or its files, usually through encryption, until the victim pays the attacker. Many modern attacks also steal a copy of the data first and threaten to publish it, so restoring from backup no longer removes all the pressure to pay.

How does ransomware get onto a company's systems?

Most ransomware arrives through a small set of common routes: a phishing email that harvests a password, an exposed remote-desktop connection, an unpatched software vulnerability or access bought from a criminal who specialises in breaking into networks and selling the entry point on to attackers.

What is ransomware-as-a-service?

Ransomware-as-a-service, or RaaS, is a business model where one group builds and maintains ransomware and infrastructure, then rents or licenses it to affiliates who carry out the actual attacks for a share of any ransom paid. It is why dozens of active ransomware brands can operate at once.

What is double extortion ransomware?

Double extortion is an attack that both encrypts a victim's files and steals a copy of the data beforehand. Attackers then threaten to publish the stolen data even if the victim can restore everything from a clean backup, which removes backups as a complete defence on their own.

Should a business ever pay a ransomware demand?

Law enforcement agencies including the FBI advise against paying, because payment does not guarantee working decryption and funds further attacks. In 2025 only 28 percent of tracked victims paid, the lowest share on record, as more organisations focused on recovery instead.

Is WannaCry still a relevant example today?

Yes. WannaCry spread to over 200,000 computers in 2017 using a Windows flaw that had already been patched two months earlier. It remains the clearest public example of how a single unpatched system can let an attack spread across an entire network in hours.

What is the Qilin ransomware group?

Qilin is a ransomware-as-a-service operation that has been one of the most active ransomware groups worldwide since 2024, including the attack on NHS supplier Synnovis that cancelled over 6,000 hospital appointments. It recruits affiliates who carry out attacks using its platform.

Do Swedish organisations have to report a ransomware attack?

Yes. Under Cybersäkerhetslagen, in force since 15 January 2026, an affected organisation must send MCF (formerly MSB) an early warning within 24 hours, a full notification within 72 hours and a final report within a month, with further duties under GDPR where personal data is involved.

Get a 30-Minute Security Briefing. No Pitch Deck.

Talk to a Sweden-based analyst. We'll review your posture, map your NIS2 gaps, and give you a clear picture of where you stand, in plain language.

Book a Free Briefing
No commitment Sweden-based analyst

How eBuilder Security Can Help

Awareness is the first layer. These are the services that turn it into measurable protection.