Threats & attacks

What Is Ransomware

A plain-English guide to how ransomware works, what it costs Swedish organisations and the handful of controls that stop it.

Key takeaways
  • Ransomware blocks access to systems or data, usually through encryption, until a ransom is paid.
  • Most attacks now steal data first too, a tactic called double extortion, making almost every ransomware attack a data breach as well.
  • Global ransom payments fell to around $820 million in 2025, yet claimed attacks rose by about half, the most active year on record.
  • Only 28 percent of victims paid in 2025, the lowest share on record, while the typical payment jumped 368 percent to almost $60,000.
  • Qilin, the group behind the fatal Synnovis attack on NHS pathology services, became the world’s most active ransomware operation through 2025.
  • Sweden has been hit repeatedly through its suppliers rather than directly: Coop (2021), Tietoevry (2024) and Miljödata (2025) all trace back to a vendor.
  • Phishing and unpatched systems remain behind most intrusions, around 60 percent and 21 percent of cases respectively.
  • Cybersäkerhetslagen, in force since 15 January 2026, makes ransomware readiness a board-level legal duty in Sweden, not just an IT concern.
  • A handful of controls, including MFA, offline backups, prompt patching and staff training, stop the large majority of attacks regardless of which group is behind them.

What Is Ransomware?

Ransomware is malware that blocks an organisation’s access to its own systems or data, usually through encryption, until a ransom is paid. Most modern attacks also steal the data first and threaten to leak it, a tactic known as double extortion, so a ransomware attack is now almost always a data breach as well.

Boards used to treat this as an IT problem. The numbers argue otherwise. According to Chainalysis, the total ransom money collected worldwide actually fell by 8 percent in 2025, to around 820 million dollars, yet the number of organisations claimed by ransomware gangs rose by about half over the same period, the most active year on record. Only 28 percent of victims paid, the lowest share ever recorded, and the ones who did pay handed over far more than before, with the typical payment jumping 368 percent to almost 60,000 dollars. Fewer victims are paying. The risk has not gone away. It has just changed shape.

How Ransomware Is Made

Most ransomware attacks today are not built by the people who carry them out. A small core group writes the malware and builds the leak site and negotiation portal, then rents the whole package to affiliates under a model called ransomware as a service. The affiliate does the breaking in and the core group takes a cut, commonly somewhere between 15 and 30 percent of whatever is paid. Qilin, one of the most active groups through 2025, reportedly pays affiliates as much as 80 to 85 percent of the ransom, which explains why it had little trouble recruiting once rival operations fell apart.

This is why ransomware got easy. An affiliate does not need to write a single line of malicious code. They need a way into a network, and a thriving market exists to sell exactly that: stolen credentials, unpatched VPN appliances and access already established by other criminals, sold on by so-called initial access brokers. According to the EU cybersecurity agency ENISA, phishing remains the most common route in, involved in around 60 percent of intrusions, with exploited software vulnerabilities accounting for another 21 percent, often weaponised within days of becoming public. Once an affiliate has a foothold, the ransomware itself is usually only the final step in an intrusion that has already been under way for days.

Types of Ransomware Attack

Ransomware comes in a few recognisable forms, and most real attacks combine more than one.

  • Crypto ransomware: Encrypts files across a network so they cannot be opened without a decryption key, the most common form in use today.
  • Locker ransomware: Locks the entire device or screen rather than individual files, blocking access to the system itself.
  • Double extortion: Combines encryption with data theft, adding the threat of a public leak even where backups make paying for a decryption key unnecessary. This is now the default model for most active ransomware groups.
  • Data extortion without encryption: Skips encryption altogether and relies purely on stolen data as leverage, since exfiltration alone is often enough to force a payment.
  • Ransomware as a service: Not a technical type but the business model behind most of the above, where a core group builds the tooling and leases it to affiliates who carry out the attacks.

Business Impact

The ransom itself is rarely the biggest cost. Recovery, lost business during downtime, legal exposure and reputational damage typically dwarf whatever was demanded.

Chainalysis puts total ransomware payments worldwide at around 820 million dollars in 2025, a slight fall from the year before. That fall is not good news on its own: claimed attacks rose by about half over the same period, the most active year on record for ransomware gangs, according to the same report. The FBI’s Internet Crime Complaint Center recorded 3,611 ransomware complaints in 2025, up from 3,156 the year before, with reported losses of just over 32 million dollars. The FBI is explicit that this figure understates the real cost, since it excludes downtime, remediation and the business disruption that follows an attack. Healthcare and public health was the hardest-hit critical infrastructure sector in the FBI’s data, recording 460 ransomware attacks in a single year.

Figures this size only tell part of the story. In Sweden, a ransomware attack on a single HR software supplier disrupted services at around 200 of the country’s 290 municipalities in 2025, and an attack on an IT provider’s data centre in 2024 took down payroll systems for dozens of government authorities and universities at once. When the systems affected sit behind essential public services, the impact is measured in disrupted lives as much as lost money.

Real-World Cases

WannaCry remains the case every business should know. On 12 May 2017 it spread to more than 200,000 computers in over 150 countries within days, using a Windows flaw called EternalBlue that Microsoft had already patched two months earlier. Organisations that had simply applied that patch were untouched. The UK’s National Health Service was hit hard, with roughly a third of its trusts affected and thousands of appointments cancelled, a plain demonstration that patching promptly, even when it is inconvenient, remains one of the cheapest defences available.

Sweden has its own run of cases, and they share a pattern: the victim was rarely the direct target. In July 2021, the Kaseya VSA supply-chain attack reached Coop Sweden through its point-of-sale provider, forcing around 800 stores to close because tills stopped working, even though Coop had no direct relationship with the compromised software. In January 2024, the Akira ransomware group breached one data centre belonging to IT provider Tietoevry through an already-patchable Cisco VPN flaw, taking down the Primula payroll system used by dozens of Swedish universities and government authorities and even reaching the Riksbank’s own HR access, a reminder that patching remote-access infrastructure matters as much as patching desktops. In August 2025, a little-known group calling itself Datacarry hit Miljödata, an HR software supplier used by roughly 80 percent of Swedish municipalities, disrupting services at around 200 of Sweden’s 290 municipalities for a ransom of just 1.5 bitcoin, proof that concentration in a handful of shared suppliers is now a national-scale risk in its own right.

The most serious case on record involves the Qilin group, the same operation behind the qilin ransomware attacks that increasingly dominate global leak-site activity. In June 2024, Qilin attacked Synnovis, a pathology and blood-testing partner for several NHS hospitals in London, demanding 50 million dollars. The attack cancelled or postponed more than 10,000 appointments and 1,710 procedures, caused a nationwide shortage of O-type blood and exposed data on more than 900,000 people. In 2025, King’s College Hospital NHS Foundation Trust confirmed that a patient’s death was partly attributable to a delay in blood test results caused by the attack, the clearest evidence yet that ransomware against healthcare providers is not only a data problem. It is a patient safety problem, which is why business continuity planning for any organisation with safety-critical operations has to assume that a critical supplier, not just its own systems, can fail.

Ransomware and Compliance

In Sweden, ransomware readiness is no longer just good practice. It is a legal duty. Cybersäkerhetslagen, Sweden’s version of the EU’s NIS2 directive, has been in force since 15 January 2026 and applies directly to how organisations must prepare for and respond to an attack like the ones described above.

Article 21 of NIS2 requires business continuity management and incident handling as core security measures, both engaged the moment ransomware locks a system, alongside supply-chain security, directly relevant given how many of the cases above began with a vendor rather than the victim itself. Article 20 goes further, making the management body, the board, personally accountable for approving and overseeing these measures rather than leaving the risk entirely to IT.

The reporting clock starts the moment an attack is discovered: an early warning to MCF and the relevant sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Because most ransomware attacks now involve data theft as well as encryption, they typically trigger GDPR’s own 72-hour breach notification duty to IMY on top of the NIS2 timeline. For a full walkthrough of what NIS2 requires in Sweden, see our NIS2 compliance guide.

How to Spot Ransomware

By the time a ransom note appears on screen, the attack is usually already over and detection has failed. The more useful signals show up earlier, in the days or weeks before encryption begins:

  • New administrator accounts nobody recognises, or existing accounts suddenly active at odd hours
  • Unexpected tools appearing on the network, particularly remote access or file-compression software nobody installed
  • A spike in failed logins against VPN or remote desktop services, often a sign of a brute-force attempt against exposed remote access
  • One login from an unusual location followed quickly by activity spreading across many systems, a classic sign of lateral movement once initial access has been gained

None of these signs are proof on their own, and no monitoring tool catches every intrusion before it escalates. Detection is a layer, not a guarantee, which is exactly why the defences below matter regardless of how good an organisation’s monitoring is.

How to Defend

Every case in this guide could have been stopped, or made far less damaging, by a small number of unglamorous controls, applied consistently.

  • Patch VPNs, firewalls and other internet-facing systems first, since these remain the most common route into a network and the fix is often already available, as it was for both WannaCry and the Tietoevry attack
  • Require multi-factor authentication on every remote-access and administrator account, not just email
  • Keep backups offline or immutable, and test the restore process before an attack forces the first real test
  • Segment networks so that one compromised machine cannot reach everything else, limiting how far an attacker can move once inside
  • Write and rehearse an incident response plan before it is needed, including who has authority to take systems offline, since decisions made calmly in advance are better than decisions made under a ransom deadline
  • Train staff to recognise phishing and to verify unusual requests through a second channel, since roughly six in ten intrusions still begin with a phishing email

None of this requires predicting which group will attack next. Qilin, Akira and whichever name replaces them once law enforcement catches up all rely on the same handful of gaps: unpatched systems, weak authentication and backups an attacker can also reach. Close those and the specific name on the ransom note stops mattering nearly as much.

Myths & Facts

Myth

Paying the ransom guarantees you get your data back.

Only large companies get targeted.

Antivirus software is enough to stop ransomware.

If backups exist, there is nothing to worry about.

Ransomware attacks are random and unavoidable.

This is purely an IT department problem.

Fact

Payment gives no guarantee. Some victims never receive a working decryption key, and many are targeted again after paying, since paying signals a willingness to pay.

Ransomware-as-a-service affiliates target whoever is easiest to breach, regardless of size. Small suppliers are often the way into a larger organisation, as the Coop Sweden and Miljödata cases both show.

Most modern ransomware disables or evades standard antivirus before encrypting anything. Layered controls, especially backups and network segmentation, matter more than any single tool.

Double extortion means attackers steal data before encrypting it, so even a full backup restore does not stop a leak of stolen files unless the intrusion itself is contained.

Most attacks exploit a small set of known gaps: unpatched systems, weak remote access and phishing. Closing these stops the large majority of attempts before they succeed.

Cybersäkerhetslagen makes the board personally accountable for security measures, and the Synnovis case shows ransomware can affect patient safety, not just data.

Test Yourself

Four real-world scenarios, then six knowledge questions. See how prepared you would be under pressure.

Scenario simulation

  1. An employee gets an email that looks like it is from IT, asking them to log into the VPN portal through a link to verify their account before a deadline today.

    What should they do?

    • Click the link and log in quickly, since the deadline sounds urgent
    • Go to the VPN portal directly using the known address, not the link, and check with IT separately
    • Ignore the email and tell no one
  2. A key supplier that manages one of your critical systems announces it has been hit by ransomware through one of its own software providers. Your own systems have not been directly breached.

    What is the most important first step?

    • Assume you are safe since the breach was not on your own network
    • Treat it as a business continuity event straight away, contact the supplier for specifics and activate any manual fallback processes
    • Wait for the supplier’s next public statement before doing anything
  3. A vulnerability in your organisation’s VPN appliance was patched by the vendor four months ago, but the update was never applied because the system was working fine.

    What does this guide’s evidence suggest happens next?

    • Nothing, since unpatched systems are rarely actually exploited
    • It becomes one of the most likely routes a ransomware affiliate will use to get in
    • It only matters if the organisation is a large, high-profile target
  4. Your organisation is hit by ransomware. Systems are encrypted, and attackers claim to have stolen sensitive data too, threatening to publish it unless a ransom is paid within 48 hours.

    What should guide the response?

    • Pay quickly to make the deadline and stop the leak
    • Follow the rehearsed incident response plan, involve legal counsel, insurers and law enforcement, and treat it as a data breach requiring regulatory notification
    • Handle it entirely internally to avoid reputational damage

Knowledge test

  1. What best describes double extortion?

    • Encrypting files twice for extra security
    • Encrypting data and also stealing it to threaten a public leak
    • Demanding two separate ransom currencies
    • Attacking two organisations at once

    Double extortion combines encryption with data theft, so even a full backup restore does not remove the threat of a leak.

  2. Roughly what share of ransomware victims paid in 2025, according to Chainalysis?

    • 28 percent, an all-time low
    • 68 percent
    • 95 percent
    • It is impossible to estimate

    Chainalysis recorded a 28 percent payment rate in 2025, the lowest share on record, even as claimed attacks rose by about half.

  3. What made Qilin the world’s most active ransomware group through 2025?

    • It was the only group still operating
    • It absorbed affiliates displaced when rivals such as LockBit and RansomHub were disrupted or collapsed
    • It only targets very large organisations
    • Government sanctions forced all other groups to merge into it

    Qilin grew quickly by recruiting affiliates left without infrastructure once LockBit, ALPHV/BlackCat and RansomHub were disrupted or collapsed.

  4. What vulnerability class was behind both the WannaCry and Tietoevry attacks described in this guide?

    • A brand-new, unpatched zero-day flaw in both cases
    • A known flaw that already had a vendor patch available before the attack
    • A weak password shared across all accounts
    • A malicious insider in both organisations

    Both attacks exploited flaws that vendors had already patched months earlier. The gap was in applying the update, not in the existence of a fix.

  5. Under Cybersäkerhetslagen, how quickly must an early warning reach MCF after a covered organisation discovers an incident?

    • 24 hours
    • 72 hours
    • One week
    • One month

    The reporting cascade starts with a 24-hour early warning, followed by a 72-hour full notification and a one-month final report.

  6. Which of these is a documented ransomware case involving a Swedish organisation?

    • Colonial Pipeline
    • Miljödata
    • SolarWinds
    • Change Healthcare

    Miljödata, an HR software supplier used by around 80 percent of Swedish municipalities, was hit by ransomware in August 2025, disrupting around 200 municipalities.

Why Training Matters

Most of the cases in this guide began the same way: a person clicked a link, entered credentials on a fake page or missed a warning sign that, with training, would have stood out immediately. Phishing remains behind roughly six in ten intrusions, which makes staff awareness one of the highest-return controls available, not a box-ticking exercise. Regular, realistic training, including simulated phishing and a clear process for reporting suspicious activity without fear of blame, closes a gap that technology alone cannot.

Frequently Asked Questions

What is ransomware?

Ransomware is malware that blocks access to an organisation’s systems or data, usually through encryption, until a ransom is paid. Most modern attacks also steal the data first and threaten to leak it, a tactic called double extortion, so recovery increasingly means containing a data breach as well as restoring access.

What is ransomware-as-a-service?

Ransomware-as-a-service, or RaaS, is a business model where a core group develops ransomware and its supporting infrastructure, then leases it to affiliates who carry out the actual attacks. The affiliate usually keeps the majority of any ransom paid, commonly 70 to 85 percent, while the core group takes the remainder for providing the tooling.

What is Qilin ransomware?

Qilin is a ransomware-as-a-service operation, first seen in 2022 under the name Agenda, that became the world’s most active ransomware group through 2025. It uses double extortion and was behind the June 2024 attack on Synnovis, an NHS pathology provider, which the UK health service later linked to a patient’s death.

What was the WannaCry ransomware attack?

WannaCry was a global ransomware attack on 12 May 2017 that spread to more than 200,000 computers in over 150 countries within days, using a Windows flaw called EternalBlue. Microsoft had released a patch for the flaw two months earlier, so the outbreak mainly hit organisations, including large parts of the UK NHS, that had not yet applied it.

What are the main types of ransomware?

The two basic types are crypto ransomware, which encrypts files, and locker ransomware, which locks the whole device instead. Most active groups now layer double extortion on top of either type, stealing data before encryption and threatening to leak it, and some skip encryption altogether and rely on stolen data alone as leverage.

Should an organisation pay a ransomware ransom?

Law enforcement agencies including the FBI and CISA advise against paying, since payment does not guarantee working decryption and can mark an organisation as willing to pay again. In practice the decision is rarely simple, and it belongs with legal counsel, insurers and law enforcement rather than being made alone under deadline pressure.

Does Cybersäkerhetslagen require reporting a ransomware attack in Sweden?

Yes. Cybersäkerhetslagen, Sweden’s implementation of the EU’s NIS2 directive, requires covered organisations to send an early warning to MCF and the relevant sector authority within 24 hours of discovering an incident, a full notification within 72 hours and a final report within one month.

How does ransomware usually get into a network?

Most ransomware intrusions start with phishing emails or an exploited software vulnerability, together accounting for the large majority of cases tracked by the EU cybersecurity agency ENISA. Compromised remote access credentials and unpatched VPN appliances are also common routes in, especially once initial access brokers make stolen access easy to buy.

Get a 30-Minute Security Briefing. No Pitch Deck.

Talk to a Sweden-based analyst. We'll review your posture, map your NIS2 gaps, and give you a clear picture of where you stand, in plain language.

Book a Free Briefing
No commitment Sweden-based analyst

How eBuilder Security Can Help

Awareness is the first layer. These are the services that turn it into measurable protection.