What Is Ransomware?
Ransomware is malware that blocks an organisation’s access to its own systems or data, usually through encryption, until a ransom is paid. Most modern attacks also steal the data first and threaten to leak it, a tactic known as double extortion, so a ransomware attack is now almost always a data breach as well.
Boards used to treat this as an IT problem. The numbers argue otherwise. According to Chainalysis, the total ransom money collected worldwide actually fell by 8 percent in 2025, to around 820 million dollars, yet the number of organisations claimed by ransomware gangs rose by about half over the same period, the most active year on record. Only 28 percent of victims paid, the lowest share ever recorded, and the ones who did pay handed over far more than before, with the typical payment jumping 368 percent to almost 60,000 dollars. Fewer victims are paying. The risk has not gone away. It has just changed shape.
How Ransomware Is Made
Most ransomware attacks today are not built by the people who carry them out. A small core group writes the malware and builds the leak site and negotiation portal, then rents the whole package to affiliates under a model called ransomware as a service. The affiliate does the breaking in and the core group takes a cut, commonly somewhere between 15 and 30 percent of whatever is paid. Qilin, one of the most active groups through 2025, reportedly pays affiliates as much as 80 to 85 percent of the ransom, which explains why it had little trouble recruiting once rival operations fell apart.
This is why ransomware got easy. An affiliate does not need to write a single line of malicious code. They need a way into a network, and a thriving market exists to sell exactly that: stolen credentials, unpatched VPN appliances and access already established by other criminals, sold on by so-called initial access brokers. According to the EU cybersecurity agency ENISA, phishing remains the most common route in, involved in around 60 percent of intrusions, with exploited software vulnerabilities accounting for another 21 percent, often weaponised within days of becoming public. Once an affiliate has a foothold, the ransomware itself is usually only the final step in an intrusion that has already been under way for days.
Types of Ransomware Attack
Ransomware comes in a few recognisable forms, and most real attacks combine more than one.
- Crypto ransomware: Encrypts files across a network so they cannot be opened without a decryption key, the most common form in use today.
- Locker ransomware: Locks the entire device or screen rather than individual files, blocking access to the system itself.
- Double extortion: Combines encryption with data theft, adding the threat of a public leak even where backups make paying for a decryption key unnecessary. This is now the default model for most active ransomware groups.
- Data extortion without encryption: Skips encryption altogether and relies purely on stolen data as leverage, since exfiltration alone is often enough to force a payment.
- Ransomware as a service: Not a technical type but the business model behind most of the above, where a core group builds the tooling and leases it to affiliates who carry out the attacks.
Business Impact
The ransom itself is rarely the biggest cost. Recovery, lost business during downtime, legal exposure and reputational damage typically dwarf whatever was demanded.
Chainalysis puts total ransomware payments worldwide at around 820 million dollars in 2025, a slight fall from the year before. That fall is not good news on its own: claimed attacks rose by about half over the same period, the most active year on record for ransomware gangs, according to the same report. The FBI’s Internet Crime Complaint Center recorded 3,611 ransomware complaints in 2025, up from 3,156 the year before, with reported losses of just over 32 million dollars. The FBI is explicit that this figure understates the real cost, since it excludes downtime, remediation and the business disruption that follows an attack. Healthcare and public health was the hardest-hit critical infrastructure sector in the FBI’s data, recording 460 ransomware attacks in a single year.
Figures this size only tell part of the story. In Sweden, a ransomware attack on a single HR software supplier disrupted services at around 200 of the country’s 290 municipalities in 2025, and an attack on an IT provider’s data centre in 2024 took down payroll systems for dozens of government authorities and universities at once. When the systems affected sit behind essential public services, the impact is measured in disrupted lives as much as lost money.
Real-World Cases
WannaCry remains the case every business should know. On 12 May 2017 it spread to more than 200,000 computers in over 150 countries within days, using a Windows flaw called EternalBlue that Microsoft had already patched two months earlier. Organisations that had simply applied that patch were untouched. The UK’s National Health Service was hit hard, with roughly a third of its trusts affected and thousands of appointments cancelled, a plain demonstration that patching promptly, even when it is inconvenient, remains one of the cheapest defences available.
Sweden has its own run of cases, and they share a pattern: the victim was rarely the direct target. In July 2021, the Kaseya VSA supply-chain attack reached Coop Sweden through its point-of-sale provider, forcing around 800 stores to close because tills stopped working, even though Coop had no direct relationship with the compromised software. In January 2024, the Akira ransomware group breached one data centre belonging to IT provider Tietoevry through an already-patchable Cisco VPN flaw, taking down the Primula payroll system used by dozens of Swedish universities and government authorities and even reaching the Riksbank’s own HR access, a reminder that patching remote-access infrastructure matters as much as patching desktops. In August 2025, a little-known group calling itself Datacarry hit Miljödata, an HR software supplier used by roughly 80 percent of Swedish municipalities, disrupting services at around 200 of Sweden’s 290 municipalities for a ransom of just 1.5 bitcoin, proof that concentration in a handful of shared suppliers is now a national-scale risk in its own right.
The most serious case on record involves the Qilin group, the same operation behind the qilin ransomware attacks that increasingly dominate global leak-site activity. In June 2024, Qilin attacked Synnovis, a pathology and blood-testing partner for several NHS hospitals in London, demanding 50 million dollars. The attack cancelled or postponed more than 10,000 appointments and 1,710 procedures, caused a nationwide shortage of O-type blood and exposed data on more than 900,000 people. In 2025, King’s College Hospital NHS Foundation Trust confirmed that a patient’s death was partly attributable to a delay in blood test results caused by the attack, the clearest evidence yet that ransomware against healthcare providers is not only a data problem. It is a patient safety problem, which is why business continuity planning for any organisation with safety-critical operations has to assume that a critical supplier, not just its own systems, can fail.
Ransomware and Compliance
In Sweden, ransomware readiness is no longer just good practice. It is a legal duty. Cybersäkerhetslagen, Sweden’s version of the EU’s NIS2 directive, has been in force since 15 January 2026 and applies directly to how organisations must prepare for and respond to an attack like the ones described above.
Article 21 of NIS2 requires business continuity management and incident handling as core security measures, both engaged the moment ransomware locks a system, alongside supply-chain security, directly relevant given how many of the cases above began with a vendor rather than the victim itself. Article 20 goes further, making the management body, the board, personally accountable for approving and overseeing these measures rather than leaving the risk entirely to IT.
The reporting clock starts the moment an attack is discovered: an early warning to MCF and the relevant sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Because most ransomware attacks now involve data theft as well as encryption, they typically trigger GDPR’s own 72-hour breach notification duty to IMY on top of the NIS2 timeline. For a full walkthrough of what NIS2 requires in Sweden, see our NIS2 compliance guide.
How to Spot Ransomware
By the time a ransom note appears on screen, the attack is usually already over and detection has failed. The more useful signals show up earlier, in the days or weeks before encryption begins:
- New administrator accounts nobody recognises, or existing accounts suddenly active at odd hours
- Unexpected tools appearing on the network, particularly remote access or file-compression software nobody installed
- A spike in failed logins against VPN or remote desktop services, often a sign of a brute-force attempt against exposed remote access
- One login from an unusual location followed quickly by activity spreading across many systems, a classic sign of lateral movement once initial access has been gained
None of these signs are proof on their own, and no monitoring tool catches every intrusion before it escalates. Detection is a layer, not a guarantee, which is exactly why the defences below matter regardless of how good an organisation’s monitoring is.
How to Defend
Every case in this guide could have been stopped, or made far less damaging, by a small number of unglamorous controls, applied consistently.
- Patch VPNs, firewalls and other internet-facing systems first, since these remain the most common route into a network and the fix is often already available, as it was for both WannaCry and the Tietoevry attack
- Require multi-factor authentication on every remote-access and administrator account, not just email
- Keep backups offline or immutable, and test the restore process before an attack forces the first real test
- Segment networks so that one compromised machine cannot reach everything else, limiting how far an attacker can move once inside
- Write and rehearse an incident response plan before it is needed, including who has authority to take systems offline, since decisions made calmly in advance are better than decisions made under a ransom deadline
- Train staff to recognise phishing and to verify unusual requests through a second channel, since roughly six in ten intrusions still begin with a phishing email
None of this requires predicting which group will attack next. Qilin, Akira and whichever name replaces them once law enforcement catches up all rely on the same handful of gaps: unpatched systems, weak authentication and backups an attacker can also reach. Close those and the specific name on the ransom note stops mattering nearly as much.
