What Is Ransomware?
Ransomware is malicious software that locks an organisation out of its own systems and data, usually by encrypting files, so criminals can demand payment for restoring access. Most modern attacks also steal the data first and threaten to publish it, turning one intrusion into both an outage and a data breach.
It is the most consequential cyber threat facing European organisations right now. ENISA, the EU’s cybersecurity agency, again names ransomware the most impactful threat in its 2025 Threat Landscape and notes that it hits municipalities particularly hard. The volume is moving the wrong way too. Blockchain analysts at Chainalysis counted a record number of claimed attacks in 2025, up 50% on the year before, even as the share of victims who paid fell to 28%, the lowest ever recorded. Criminals are hitting more organisations to earn less, which means more organisations are getting hit.
Sweden has felt this directly. One attack on a single HR supplier, Miljödata, disrupted roughly 200 of the country’s 290 municipalities in August 2025. Eighteen months earlier the Tietoevry attack knocked out payroll for much of the state sector. Ransomware is not a theoretical risk here, it is a recurring national event.
This guide explains how a ransomware attack actually unfolds, the types you will meet, what attacks cost, the Swedish and international cases worth learning from, what the law now requires and the controls that reliably stop attacks. No drama and no jargon, just what a decision maker needs to know.
How a Ransomware Attack Works
A ransomware attack is not a single event. It is a short project run inside your network, and every stage of that project is now a commodity criminals can buy.
1. Getting in. ENISA’s 2025 data puts phishing at about 60% of observed intrusions and exploitation of software vulnerabilities at 21%. The third door is stolen credentials, typically a VPN, remote desktop or email account without multifactor authentication. Specialist criminals called initial access brokers sell ready-made footholds, and Chainalysis reports the average price of access to a victim network fell from $1,427 in early 2023 to $439 by the start of 2026. Getting in has never been cheaper.
2. Moving and preparing. Once inside, operators escalate their privileges and spread using the same legitimate tools your administrators use, a technique called living off the land that ENISA highlights precisely because it slips past traditional antivirus. They map the network, find the systems that hurt most when they stop and locate your backups.
3. Killing your recovery. Before anything is encrypted, attackers disable security tooling, delete Windows shadow copies and try to wipe or encrypt every backup they can reach. The FBI notes that the Akira group specifically targets backup systems so victims feel they have no option but to pay.
4. Stealing the data. Modern crews exfiltrate before they encrypt, using ordinary tools such as WinRAR and RClone to package and move the files. Speed is the point. In some intrusions documented by the FBI, Akira moved from initial access to data theft in just over two hours.
5. Encryption and extortion. Only then does the ransomware itself run, encrypting files across servers and endpoints and dropping a note that points to a negotiation site on the Tor network. Refuse to engage and your name appears on a leak site, with stolen data published in stages to raise the pressure. Some crews phone executives and employees directly.
Why has this become so easy? Because it is organised as an industry. Access brokers sell the way in, ransomware-as-a-service operators rent out the malware and the leak site, and affiliates run the attacks. Each layer profits and no single arrest stops the machine.
Types of Ransomware Attack
Ransomware is a family of business models rather than one piece of malware. These are the types that matter and what each one enables.
Crypto ransomware. The classic form. Files are encrypted and payment is demanded for the key. WannaCry, the 2017 worm that infected around 200,000 computers in 150 countries according to Europol, remains the best-known example, and it added a twist by spreading itself between vulnerable machines with no human help.
Locker ransomware. Locks the screen or device rather than encrypting the files underneath. It is cruder and easier to recover from, and today it survives mostly in attacks on consumers and mobile devices.
Double extortion. The default model since about 2020. Data is stolen before encryption, so even a victim with perfect backups can be blackmailed with publication. Qilin and Akira, the two most reported strains in the FBI’s 2025 figures, both operate this way.
Multi-extortion. Some crews layer on further pressure, from denial-of-service attacks to phone calls to executives. In 2023 the ALPHV gang even reported its own victim to the US Securities and Exchange Commission for failing to disclose the breach quickly enough.
Ransomware as a service. The engine of the whole economy. Developers lease the malware, the leak site and the payment infrastructure to affiliates, who run the attacks and keep most of the money. Court documents from the US Department of Justice describe LockBit affiliates keeping roughly 80% of each ransom. The model scales frighteningly well. The FBI identified 63 new ransomware variants in 2025 alone, and when police disrupt one brand its affiliates simply migrate to the next.
Data-theft extortion without encryption. Some campaigns skip encryption entirely and extort purely on stolen data, a pattern seen in mass exploitation of file transfer software. It is quieter and faster for the attacker, and it defeats every backup you own.
Wipers dressed as ransomware. NotPetya in 2017 looked like ransomware but was built to destroy, and no payment could recover the data. Western governments attributed it to the Russian military. Treat any ransom note as a possible cover for pure sabotage.
The Business Impact of Ransomware
The ransom is usually the smallest number on the invoice. The real cost arrives through five mechanisms, and each one is measurable.
Downtime. Coop closed around 800 supermarkets for days in 2021 because its checkout supplier was hit. Tietoevry’s Swedish customers, from payroll to cinema ticketing, faced outages that the civil defence minister warned could last weeks. Every hour of that is lost revenue, idle staff and overtime.
Recovery and rebuild. Restoration is expensive even when no ransom is paid. The UK Department of Health and Social Care put the NHS cost of WannaCry at £92 million, of which £72 million was IT restoration after the event. Synnovis has put the direct cost of its 2024 attack at more than £32 million in its company accounts.
The ransom itself. Chainalysis tracked about $820 million in payments to ransomware groups in 2025. The median payment jumped to nearly $60,000, and the large outliers run to tens of millions.
Data breach liability. When data is stolen the costs continue for years. The 2024 Change Healthcare attack ended with 192.7 million people notified, the largest healthcare data breach ever recorded in the US, and UnitedHealth Group booked more than $2.4 billion in attack-related costs within the year.
Regulatory exposure. NIS2, in force in Sweden as Cybersäkerhetslagen, allows fines of up to €10 million or 2% of global turnover for essential entities, and failures in incident reporting are themselves sanctionable.
Sometimes the cost is not financial at all. King’s College Hospital confirmed in 2025 that delays caused by the Synnovis attack contributed to a patient’s death.
One caution when you read statistics. The FBI’s Internet Crime Complaint Center logged only $32 million in reported ransomware losses for 2025, and says itself that the figure excludes downtime, lost business and remediation. Judge the risk by the cases, not by that line item.
Real-World Ransomware Cases
Every control on a security roadmap exists because somewhere its absence cost someone millions. These six cases carry the whole curriculum.
WannaCry, May 2017. A self-spreading worm infected around 200,000 computers in 150 countries within days, according to Europol. In the UK it disrupted more than 80 NHS trusts, cancelled about 19,000 appointments and cost the health service £92 million. The Windows flaw it exploited had been patched by Microsoft two months earlier. The control: patch known exploited vulnerabilities within days rather than months, and retire systems that can no longer be patched.
Coop and the Kaseya supply chain, July 2021. The REvil gang compromised Kaseya, an IT management platform, and pushed ransomware through it to as many as 1,500 downstream businesses. Coop was not even a Kaseya customer, but its checkout supplier was, and about 800 Swedish supermarkets closed for days while REvil demanded $70 million for a universal decryptor. Coop rebuilt instead. The control: know which suppliers can stop your business, write security duties into their contracts and keep a manual fallback for the processes that must not stop.
Tietoevry and Akira, January 2024. During the night of 19 to 20 January, Akira encrypted virtualisation servers in one of Tietoevry’s Swedish datacentres. Primula, the payroll system used by most Swedish universities and more than 30 government authorities, went down, along with Filmstaden’s ticket sales and retailers such as Rusta and Granngården. Sweden’s civil defence minister warned that recovery could take weeks. Finland’s national cybersecurity centre had already reported that the Akira wave was getting in through VPN devices with an unpatched flaw and no multifactor authentication. The control: MFA on every remote access path and a patched perimeter. The same group has since claimed about $244 million in ransomware proceeds, according to the FBI and CISA.
Synnovis and Qilin, June 2024. A Qilin attack on Synnovis, the pathology provider for several London NHS trusts, postponed more than 10,000 outpatient appointments and 1,700 planned procedures, according to NHS England. The attackers demanded a reported $50 million. Synnovis refused, and around 400GB of stolen patient data was published. In 2025 King’s College Hospital confirmed that the disruption contributed to one patient’s death. Investigators never established how the attackers got in, which is a lesson in itself. The control: for services that cannot stop, segmentation, rehearsed manual procedures and tested continuity plans are the difference between disruption and disaster.
Miljödata, August 2025. One ransomware attack on a single HR software supplier disrupted roughly 200 of Sweden’s 290 municipalities and several regions, taking down the systems used for medical certificates, rehabilitation cases and work injury reports. The attackers demanded 1.5 bitcoin. When no ransom was paid the stolen data was published, and Lund University alone confirmed that records on about 16,000 current and former employees were exposed. The control: concentration risk is a security risk. Map the suppliers that hold your people’s data, put security and incident duties into the contracts and be ready to run the essential processes without them.
Change Healthcare, February 2024. The largest healthcare data breach on record began with stolen credentials used on a remote access portal that had no multifactor authentication, as UnitedHealth Group’s chief executive told the US Senate. The company paid $22 million. The criminals took the money, a partner crew demanded a second payment anyway and 192.7 million people were ultimately notified that their data was exposed. The control: MFA on every remote entry point, and clarity before any crisis that payment buys nothing you can rely on.
Ransomware and Compliance
A ransomware incident in Sweden now starts two legal clocks at once, and the duties belong to the board, not the helpdesk.
NIS2 and Cybersäkerhetslagen. Sweden’s cybersecurity law, Cybersäkerhetslagen (SFS 2025:1506), came into force on 15 January 2026 and transposes the EU’s NIS2 directive. If your organisation is an essential or important entity, a significant ransomware incident must be reported in a fixed cascade: an early warning to MCF (formerly MSB) and your sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Article 21 also prescribes the preventive measures regulators will ask about after an attack, including continuous monitoring, incident handling, business continuity and backups, supply chain security and security awareness training. Article 20 makes the management body responsible for approving and overseeing those measures, and board members can be held personally accountable. Fines reach €10 million or 2% of global turnover for essential entities and €7 million or 1.4% for important ones. Our guide to NIS2 in Sweden covers who is in scope and what to do about it.
GDPR. A ransomware attack is almost always a personal data breach under GDPR, even when nothing is proven stolen, because losing access to personal data counts as a breach of availability. Article 33 requires notification to IMY, the Swedish data protection authority, within 72 hours, and affected individuals may need to be informed as well. After Miljödata, employers across Sweden faced exactly this duty for data held at a supplier. See our guide to GDPR compliance in Sweden.
DORA. Financial entities carry a third layer. DORA, applicable since 17 January 2025 and supervised in Sweden by Finansinspektionen, requires an ICT incident management process under Article 17, with its own classification and reporting regime. Our DORA compliance guide covers the details.
One more legal note. Paying a ransom is legal in most cases but discouraged by Swedish police and European agencies, and a payment that reaches a sanctioned group can itself breach sanctions law. Decide your position on payment before an incident, at board level, and write it into the response plan.
How to Spot a Ransomware Attack
Encryption is the finale, not the attack. In the hours or days before it, an intruder leaves tracks, and people who know the tells can raise the alarm in time.
- Login approval requests you did not start, especially several in a row. Attackers with a stolen password bombard the phone hoping for one tired approval.
- Sign-ins at odd hours or from unfamiliar locations, and new accounts with administrator rights that nobody remembers creating.
- Security tools that switch off, throw errors or quietly disappear from machines.
- Windows shadow copies deleted, backup jobs failing or backup consoles behaving strangely.
- Unfamiliar archiving or transfer tools appearing where they do not belong, such as WinRAR or RClone, and unexplained spikes in outbound traffic. The FBI lists exactly these as Akira’s staging tools.
- A wave of convincing invoice, delivery or HR-themed emails hitting many colleagues at once.
Be honest about the limits. In intrusions documented by the FBI, Akira went from first access to stolen data in just over two hours, and much of the movement uses legitimate administrator tools that look like routine work. Spotting the signs is necessary but it is not a plan. Someone has to be watching around the clock with the authority to isolate a machine at 03:00, whether that is an internal team or a managed detection and response service.
And if the ransom note has already appeared: disconnect affected machines from the network, do not power them off, do not wipe anything and escalate immediately. Evidence and speed both matter now.
How to Defend Against Ransomware
No single product stops ransomware. What stops it is a small set of controls done properly across people, process and technology. The same short list appears in every advisory from CISA, ENISA and European police agencies because it keeps working.
People. Train every employee to recognise phishing and to report it in minutes, and make reporting blameless so people actually do it. Run phishing simulations so the first convincing lure your staff meet is not a real one. Give finance and HR extra practice, they receive the most targeted lures.
Process.
- Keep backups offline or immutable, and test a full restore at least quarterly. A backup you have never restored is a hope, not a control.
- Patch internet-facing systems and known exploited vulnerabilities within days. WannaCry and the Akira wave both rode flaws that already had patches available.
- Write an incident response plan that names who isolates systems, who decides, who calls MCF within 24 hours and who informs staff. Then rehearse it.
- Apply least privilege. Standard users should not be local administrators and service accounts should not roam the network.
- Treat critical suppliers as part of your attack surface, with contractual security duties, incident notification clauses and a manual fallback for what must not stop.
Technology.
- Turn on phishing-resistant multifactor authentication everywhere remote: VPN, email, administrator consoles and supplier portals. This one control would have blunted the Akira wave that hit Tietoevry and the Change Healthcare breach alike.
- Run endpoint detection and response on every endpoint and server, with someone able to respond around the clock.
- Segment the network so one compromised laptop cannot reach the backups, the domain controllers and the production systems in the same afternoon.
- Disable what you do not use: exposed remote desktop, legacy protocols and unused ports.
Start where the attackers start. If you do only one thing this quarter, put multifactor authentication on every remote login, then prove you can restore last week’s data from a backup an attacker could not have reached. Those two moves alone would have changed the ending of most of the cases in this guide.