Threats & attacks

What Is Ransomware?

The business guide to ransomware: how attacks work, what they cost and the controls that stop them.

What is Ransomware
Key takeaways
  • Ransomware locks you out of your own systems and data for payment, and most attacks now steal the data first so one intrusion is both an outage and a data breach.
  • ENISA names ransomware the most impactful cyber threat in the EU in 2025 and notes it hits municipalities particularly hard.
  • Chainalysis tracked about $820 million in ransom payments in 2025. Only 28% of victims paid, a record low, yet claimed attacks rose 50% to an all-time high.
  • The FBI logged 3,611 ransomware complaints in 2025 and 63 new variants, with Akira and Qilin the most reported strains.
  • Akira alone has claimed about $244 million in proceeds according to the FBI and CISA, and has stolen data within roughly two hours of breaking in.
  • Attacks start with phishing in about 60% of cases and vulnerability exploitation in 21%, per ENISA, with remote access lacking MFA the recurring weakness.
  • Sweden’s exposure is proven: Coop closed about 800 stores in 2021, Tietoevry’s 2024 attack hit state payroll and Miljödata 2025 disrupted roughly 200 of 290 municipalities.
  • Paying is no exit. Change Healthcare paid $22 million in 2024 and its stolen data was used for a second extortion attempt anyway.
  • Cybersäkerhetslagen, in force since 15 January 2026, requires an early warning to MCF (formerly MSB) within 24 hours, and boards are personally accountable.
  • The defences that work: phishing-resistant MFA on all remote access, fast patching, offline tested backups, 24/7 detection and response and trained staff.

What Is Ransomware?

Ransomware is malicious software that locks an organisation out of its own systems and data, usually by encrypting files, so criminals can demand payment for restoring access. Most modern attacks also steal the data first and threaten to publish it, turning one intrusion into both an outage and a data breach.

It is the most consequential cyber threat facing European organisations right now. ENISA, the EU’s cybersecurity agency, again names ransomware the most impactful threat in its 2025 Threat Landscape and notes that it hits municipalities particularly hard. The volume is moving the wrong way too. Blockchain analysts at Chainalysis counted a record number of claimed attacks in 2025, up 50% on the year before, even as the share of victims who paid fell to 28%, the lowest ever recorded. Criminals are hitting more organisations to earn less, which means more organisations are getting hit.

Sweden has felt this directly. One attack on a single HR supplier, Miljödata, disrupted roughly 200 of the country’s 290 municipalities in August 2025. Eighteen months earlier the Tietoevry attack knocked out payroll for much of the state sector. Ransomware is not a theoretical risk here, it is a recurring national event.

This guide explains how a ransomware attack actually unfolds, the types you will meet, what attacks cost, the Swedish and international cases worth learning from, what the law now requires and the controls that reliably stop attacks. No drama and no jargon, just what a decision maker needs to know.

How a Ransomware Attack Works

A ransomware attack is not a single event. It is a short project run inside your network, and every stage of that project is now a commodity criminals can buy.

1. Getting in. ENISA’s 2025 data puts phishing at about 60% of observed intrusions and exploitation of software vulnerabilities at 21%. The third door is stolen credentials, typically a VPN, remote desktop or email account without multifactor authentication. Specialist criminals called initial access brokers sell ready-made footholds, and Chainalysis reports the average price of access to a victim network fell from $1,427 in early 2023 to $439 by the start of 2026. Getting in has never been cheaper.

2. Moving and preparing. Once inside, operators escalate their privileges and spread using the same legitimate tools your administrators use, a technique called living off the land that ENISA highlights precisely because it slips past traditional antivirus. They map the network, find the systems that hurt most when they stop and locate your backups.

3. Killing your recovery. Before anything is encrypted, attackers disable security tooling, delete Windows shadow copies and try to wipe or encrypt every backup they can reach. The FBI notes that the Akira group specifically targets backup systems so victims feel they have no option but to pay.

4. Stealing the data. Modern crews exfiltrate before they encrypt, using ordinary tools such as WinRAR and RClone to package and move the files. Speed is the point. In some intrusions documented by the FBI, Akira moved from initial access to data theft in just over two hours.

5. Encryption and extortion. Only then does the ransomware itself run, encrypting files across servers and endpoints and dropping a note that points to a negotiation site on the Tor network. Refuse to engage and your name appears on a leak site, with stolen data published in stages to raise the pressure. Some crews phone executives and employees directly.

Why has this become so easy? Because it is organised as an industry. Access brokers sell the way in, ransomware-as-a-service operators rent out the malware and the leak site, and affiliates run the attacks. Each layer profits and no single arrest stops the machine.

Types of Ransomware Attack

Ransomware is a family of business models rather than one piece of malware. These are the types that matter and what each one enables.

Crypto ransomware. The classic form. Files are encrypted and payment is demanded for the key. WannaCry, the 2017 worm that infected around 200,000 computers in 150 countries according to Europol, remains the best-known example, and it added a twist by spreading itself between vulnerable machines with no human help.

Locker ransomware. Locks the screen or device rather than encrypting the files underneath. It is cruder and easier to recover from, and today it survives mostly in attacks on consumers and mobile devices.

Double extortion. The default model since about 2020. Data is stolen before encryption, so even a victim with perfect backups can be blackmailed with publication. Qilin and Akira, the two most reported strains in the FBI’s 2025 figures, both operate this way.

Multi-extortion. Some crews layer on further pressure, from denial-of-service attacks to phone calls to executives. In 2023 the ALPHV gang even reported its own victim to the US Securities and Exchange Commission for failing to disclose the breach quickly enough.

Ransomware as a service. The engine of the whole economy. Developers lease the malware, the leak site and the payment infrastructure to affiliates, who run the attacks and keep most of the money. Court documents from the US Department of Justice describe LockBit affiliates keeping roughly 80% of each ransom. The model scales frighteningly well. The FBI identified 63 new ransomware variants in 2025 alone, and when police disrupt one brand its affiliates simply migrate to the next.

Data-theft extortion without encryption. Some campaigns skip encryption entirely and extort purely on stolen data, a pattern seen in mass exploitation of file transfer software. It is quieter and faster for the attacker, and it defeats every backup you own.

Wipers dressed as ransomware. NotPetya in 2017 looked like ransomware but was built to destroy, and no payment could recover the data. Western governments attributed it to the Russian military. Treat any ransom note as a possible cover for pure sabotage.

The Business Impact of Ransomware

The ransom is usually the smallest number on the invoice. The real cost arrives through five mechanisms, and each one is measurable.

Downtime. Coop closed around 800 supermarkets for days in 2021 because its checkout supplier was hit. Tietoevry’s Swedish customers, from payroll to cinema ticketing, faced outages that the civil defence minister warned could last weeks. Every hour of that is lost revenue, idle staff and overtime.

Recovery and rebuild. Restoration is expensive even when no ransom is paid. The UK Department of Health and Social Care put the NHS cost of WannaCry at £92 million, of which £72 million was IT restoration after the event. Synnovis has put the direct cost of its 2024 attack at more than £32 million in its company accounts.

The ransom itself. Chainalysis tracked about $820 million in payments to ransomware groups in 2025. The median payment jumped to nearly $60,000, and the large outliers run to tens of millions.

Data breach liability. When data is stolen the costs continue for years. The 2024 Change Healthcare attack ended with 192.7 million people notified, the largest healthcare data breach ever recorded in the US, and UnitedHealth Group booked more than $2.4 billion in attack-related costs within the year.

Regulatory exposure. NIS2, in force in Sweden as Cybersäkerhetslagen, allows fines of up to €10 million or 2% of global turnover for essential entities, and failures in incident reporting are themselves sanctionable.

Sometimes the cost is not financial at all. King’s College Hospital confirmed in 2025 that delays caused by the Synnovis attack contributed to a patient’s death.

One caution when you read statistics. The FBI’s Internet Crime Complaint Center logged only $32 million in reported ransomware losses for 2025, and says itself that the figure excludes downtime, lost business and remediation. Judge the risk by the cases, not by that line item.

Real-World Ransomware Cases

Every control on a security roadmap exists because somewhere its absence cost someone millions. These six cases carry the whole curriculum.

WannaCry, May 2017. A self-spreading worm infected around 200,000 computers in 150 countries within days, according to Europol. In the UK it disrupted more than 80 NHS trusts, cancelled about 19,000 appointments and cost the health service £92 million. The Windows flaw it exploited had been patched by Microsoft two months earlier. The control: patch known exploited vulnerabilities within days rather than months, and retire systems that can no longer be patched.

Coop and the Kaseya supply chain, July 2021. The REvil gang compromised Kaseya, an IT management platform, and pushed ransomware through it to as many as 1,500 downstream businesses. Coop was not even a Kaseya customer, but its checkout supplier was, and about 800 Swedish supermarkets closed for days while REvil demanded $70 million for a universal decryptor. Coop rebuilt instead. The control: know which suppliers can stop your business, write security duties into their contracts and keep a manual fallback for the processes that must not stop.

Tietoevry and Akira, January 2024. During the night of 19 to 20 January, Akira encrypted virtualisation servers in one of Tietoevry’s Swedish datacentres. Primula, the payroll system used by most Swedish universities and more than 30 government authorities, went down, along with Filmstaden’s ticket sales and retailers such as Rusta and Granngården. Sweden’s civil defence minister warned that recovery could take weeks. Finland’s national cybersecurity centre had already reported that the Akira wave was getting in through VPN devices with an unpatched flaw and no multifactor authentication. The control: MFA on every remote access path and a patched perimeter. The same group has since claimed about $244 million in ransomware proceeds, according to the FBI and CISA.

Synnovis and Qilin, June 2024. A Qilin attack on Synnovis, the pathology provider for several London NHS trusts, postponed more than 10,000 outpatient appointments and 1,700 planned procedures, according to NHS England. The attackers demanded a reported $50 million. Synnovis refused, and around 400GB of stolen patient data was published. In 2025 King’s College Hospital confirmed that the disruption contributed to one patient’s death. Investigators never established how the attackers got in, which is a lesson in itself. The control: for services that cannot stop, segmentation, rehearsed manual procedures and tested continuity plans are the difference between disruption and disaster.

Miljödata, August 2025. One ransomware attack on a single HR software supplier disrupted roughly 200 of Sweden’s 290 municipalities and several regions, taking down the systems used for medical certificates, rehabilitation cases and work injury reports. The attackers demanded 1.5 bitcoin. When no ransom was paid the stolen data was published, and Lund University alone confirmed that records on about 16,000 current and former employees were exposed. The control: concentration risk is a security risk. Map the suppliers that hold your people’s data, put security and incident duties into the contracts and be ready to run the essential processes without them.

Change Healthcare, February 2024. The largest healthcare data breach on record began with stolen credentials used on a remote access portal that had no multifactor authentication, as UnitedHealth Group’s chief executive told the US Senate. The company paid $22 million. The criminals took the money, a partner crew demanded a second payment anyway and 192.7 million people were ultimately notified that their data was exposed. The control: MFA on every remote entry point, and clarity before any crisis that payment buys nothing you can rely on.

Ransomware and Compliance

A ransomware incident in Sweden now starts two legal clocks at once, and the duties belong to the board, not the helpdesk.

NIS2 and Cybersäkerhetslagen. Sweden’s cybersecurity law, Cybersäkerhetslagen (SFS 2025:1506), came into force on 15 January 2026 and transposes the EU’s NIS2 directive. If your organisation is an essential or important entity, a significant ransomware incident must be reported in a fixed cascade: an early warning to MCF (formerly MSB) and your sector authority within 24 hours, a full notification within 72 hours and a final report within one month. Article 21 also prescribes the preventive measures regulators will ask about after an attack, including continuous monitoring, incident handling, business continuity and backups, supply chain security and security awareness training. Article 20 makes the management body responsible for approving and overseeing those measures, and board members can be held personally accountable. Fines reach €10 million or 2% of global turnover for essential entities and €7 million or 1.4% for important ones. Our guide to NIS2 in Sweden covers who is in scope and what to do about it.

GDPR. A ransomware attack is almost always a personal data breach under GDPR, even when nothing is proven stolen, because losing access to personal data counts as a breach of availability. Article 33 requires notification to IMY, the Swedish data protection authority, within 72 hours, and affected individuals may need to be informed as well. After Miljödata, employers across Sweden faced exactly this duty for data held at a supplier. See our guide to GDPR compliance in Sweden.

DORA. Financial entities carry a third layer. DORA, applicable since 17 January 2025 and supervised in Sweden by Finansinspektionen, requires an ICT incident management process under Article 17, with its own classification and reporting regime. Our DORA compliance guide covers the details.

One more legal note. Paying a ransom is legal in most cases but discouraged by Swedish police and European agencies, and a payment that reaches a sanctioned group can itself breach sanctions law. Decide your position on payment before an incident, at board level, and write it into the response plan.

How to Spot a Ransomware Attack

Encryption is the finale, not the attack. In the hours or days before it, an intruder leaves tracks, and people who know the tells can raise the alarm in time.

  • Login approval requests you did not start, especially several in a row. Attackers with a stolen password bombard the phone hoping for one tired approval.
  • Sign-ins at odd hours or from unfamiliar locations, and new accounts with administrator rights that nobody remembers creating.
  • Security tools that switch off, throw errors or quietly disappear from machines.
  • Windows shadow copies deleted, backup jobs failing or backup consoles behaving strangely.
  • Unfamiliar archiving or transfer tools appearing where they do not belong, such as WinRAR or RClone, and unexplained spikes in outbound traffic. The FBI lists exactly these as Akira’s staging tools.
  • A wave of convincing invoice, delivery or HR-themed emails hitting many colleagues at once.

Be honest about the limits. In intrusions documented by the FBI, Akira went from first access to stolen data in just over two hours, and much of the movement uses legitimate administrator tools that look like routine work. Spotting the signs is necessary but it is not a plan. Someone has to be watching around the clock with the authority to isolate a machine at 03:00, whether that is an internal team or a managed detection and response service.

And if the ransom note has already appeared: disconnect affected machines from the network, do not power them off, do not wipe anything and escalate immediately. Evidence and speed both matter now.

How to Defend Against Ransomware

No single product stops ransomware. What stops it is a small set of controls done properly across people, process and technology. The same short list appears in every advisory from CISA, ENISA and European police agencies because it keeps working.

People. Train every employee to recognise phishing and to report it in minutes, and make reporting blameless so people actually do it. Run phishing simulations so the first convincing lure your staff meet is not a real one. Give finance and HR extra practice, they receive the most targeted lures.

Process.

  • Keep backups offline or immutable, and test a full restore at least quarterly. A backup you have never restored is a hope, not a control.
  • Patch internet-facing systems and known exploited vulnerabilities within days. WannaCry and the Akira wave both rode flaws that already had patches available.
  • Write an incident response plan that names who isolates systems, who decides, who calls MCF within 24 hours and who informs staff. Then rehearse it.
  • Apply least privilege. Standard users should not be local administrators and service accounts should not roam the network.
  • Treat critical suppliers as part of your attack surface, with contractual security duties, incident notification clauses and a manual fallback for what must not stop.

Technology.

  • Turn on phishing-resistant multifactor authentication everywhere remote: VPN, email, administrator consoles and supplier portals. This one control would have blunted the Akira wave that hit Tietoevry and the Change Healthcare breach alike.
  • Run endpoint detection and response on every endpoint and server, with someone able to respond around the clock.
  • Segment the network so one compromised laptop cannot reach the backups, the domain controllers and the production systems in the same afternoon.
  • Disable what you do not use: exposed remote desktop, legacy protocols and unused ports.

Start where the attackers start. If you do only one thing this quarter, put multifactor authentication on every remote login, then prove you can restore last week’s data from a backup an attacker could not have reached. Those two moves alone would have changed the ending of most of the cases in this guide.

Myths & Facts

Myth

We are too small to be a ransomware target.

Paying the ransom ends the incident.

Our backups mean ransomware cannot hurt us.

Ransomware only arrives by email.

Ransomware is an IT problem.

Antivirus will catch ransomware in time.

Fact

The FBI and CISA note that Akira primarily targets small and medium-sized businesses, and Chainalysis recorded a 50% jump in claimed attacks in 2025 driven largely by that segment. Size is not a defence. Weak controls are the target.

Change Healthcare paid $22 million in 2024. The criminals kept the money, the stolen data was used for a second extortion attempt and 192.7 million people still had to be notified. The FBI warns that payment guarantees nothing.

Attackers hunt backups first. Akira deletes Windows shadow copies and targets backup systems before encrypting, and stolen data still leaks even after a perfect restore. Backups must be offline or immutable, tested and paired with controls against data theft.

Phishing leads at about 60% of intrusions, but the worst cases start elsewhere. The Akira wave that hit Tietoevry exploited VPNs without multifactor authentication, and Change Healthcare fell through a remote portal with no MFA. The perimeter matters as much as the inbox.

Under NIS2 and Cybersäkerhetslagen the management body approves and oversees security measures, and supervisors can hold board members personally accountable under Article 20. Downtime, reporting deadlines and fines are business risks, not server settings.

Modern operators move using legitimate administrator tools to blend in, and the FBI has seen Akira go from intrusion to data theft in about two hours. Prevention has to be paired with 24/7 detection and response, not signature scanning alone.

Test Yourself

Four real-world scenarios, then six knowledge questions. See how prepared you would be under pressure.

Scenario simulation

  1. An email that looks like it comes from a regular supplier asks you to open an attached invoice. The file asks you to enable macros to view the content.

    What do you do?

    • Enable macros, invoices from this supplier are routine
    • Do not enable anything, report the email to security and verify with the supplier through a known contact
    • Forward it to a colleague in finance to ask if it looks normal
  2. At 06:10 your phone receives three login approval requests in a row. You are not logging in to anything.

    What do you do?

    • Approve one so the notifications stop
    • Deny the requests, change your password and report it immediately
    • Ignore them and mention it at work next week
  3. Your organisation's HR system, run by an external supplier, suddenly goes offline. The supplier confirms a ransomware attack and says sensitive employee data may be affected.

    What is the right first move for your organisation?

    • Wait for the supplier to fix it, the incident is theirs
    • Activate your own incident and continuity plan, assess the data exposure and start the regulatory reporting clocks
    • Send a company-wide email speculating about what was stolen
  4. An administrator notices that Windows shadow copies were deleted on several servers overnight and an unfamiliar archiving tool is running.

    What do you do?

    • Assume routine housekeeping and check again after the weekend
    • Isolate the affected systems from the network, preserve evidence and escalate to incident response immediately
    • Reboot the servers to clear anything suspicious

Knowledge test

  1. What made the 2017 WannaCry outbreak possible?

    • A Windows flaw that Microsoft had already patched two months earlier
    • A brand-new vulnerability nobody could have known about
    • Weak email spam filters

    WannaCry spread through a Windows flaw patched in March 2017, two months before the outbreak, which is why rapid patching is the core lesson.

  2. According to ENISA's 2025 threat landscape, what is the most common way attackers get in?

    • Phishing
    • USB sticks
    • Guessing wifi passwords

    ENISA puts phishing at about 60% of observed intrusions, with vulnerability exploitation second at around 21%.

  3. Does paying a ransom guarantee you get your data back and keep it private?

    • Yes, criminals honour the deal to protect their reputation
    • No, decryption may fail and stolen data can still be leaked or resold

    Change Healthcare paid $22 million in 2024 and its stolen data was still used for a second extortion attempt.

  4. What does ransomware as a service mean?

    • A legal service that removes ransomware
    • Developers lease ransomware and infrastructure to affiliates who run attacks for a share of the ransom
    • A government notification scheme

    RaaS industrialised ransomware. Affiliates typically keep most of each payment, which keeps attack volumes high.

  5. Under Cybersäkerhetslagen, how quickly must a covered Swedish organisation send its early warning after a significant incident?

    • Within 24 hours
    • Within two weeks
    • Only when the investigation is complete

    The cascade is an early warning within 24 hours, a full notification within 72 hours and a final report within one month.

  6. Which backup approach actually holds up against modern ransomware?

    • Any backup on the same network as production
    • Offline or immutable copies that are tested with regular restore drills
    • Relying on Windows shadow copies

    Operators like Akira delete shadow copies and hunt reachable backups, so only offline or immutable, tested copies can be trusted.

Why Training Matters

Most ransomware attacks begin with something a person can catch: a phishing email, an unexpected login prompt, a request that feels slightly off. ENISA puts phishing at about 60% of intrusions, which makes trained, alert staff one of the highest-value controls an organisation has. Training is also a legal expectation. Article 21 of NIS2, carried into Swedish law by Cybersäkerhetslagen, lists security awareness training among the measures covered organisations must have in place. eBuilder Security runs Sweden-based security awareness training and phishing simulations that build exactly these habits, so your staff spot the attack in minutes rather than finding the ransom note in the morning.

Frequently Asked Questions

What is ransomware in simple terms?

Ransomware is malicious software that criminals use to lock your files or systems, then demand payment to restore access. Most attacks today also steal a copy of your data and threaten to publish it. That means one incident is both an outage and a data breach, which is why prevention and tested backups matter.

What is ransomware as a service?

Ransomware as a service, or RaaS, is a criminal business model where developers lease ransomware and infrastructure to affiliates who carry out attacks. Affiliates typically keep most of each ransom, around 80% in the LockBit case documented by the US Department of Justice. RaaS is why attack volumes keep rising.

How do ransomware attacks usually start?

Most ransomware attacks start with phishing, stolen credentials or an unpatched internet-facing system. ENISA's 2025 threat landscape puts phishing at about 60% of intrusions and vulnerability exploitation at 21%. Remote access without multifactor authentication is the recurring weakness, it opened the door at both Tietoevry and Change Healthcare.

Should you pay a ransomware demand?

Paying a ransom is strongly discouraged by police and security agencies across Europe and the US. Payment funds further crime, does not guarantee working decryption and does not stop stolen data being leaked. Change Healthcare paid $22 million in 2024 and its data was used for extortion again. Report the incident and follow your response plan instead.

What was the WannaCry ransomware attack?

WannaCry was a self-spreading ransomware worm that infected around 200,000 computers across 150 countries in May 2017, according to Europol. It exploited a Windows flaw Microsoft had patched two months earlier. The UK's NHS cancelled 19,000 appointments and put the cost at £92 million, making WannaCry the classic case for rapid patching.

Who is the Qilin ransomware group?

Qilin is a ransomware-as-a-service operation, active since 2022, that steals data before encrypting systems. It was one of the two most reported ransomware strains in the FBI's 2025 data, alongside Akira. Its 2024 attack on NHS pathology provider Synnovis postponed thousands of appointments and contributed to a patient's death.

What must Swedish organisations report after a ransomware attack?

Under Cybersäkerhetslagen, Sweden's NIS2 law in force since 15 January 2026, covered organisations must send an early warning to MCF (formerly MSB) and their sector authority within 24 hours, a full notification within 72 hours and a final report within one month. If personal data is affected, GDPR requires notifying IMY within 72 hours.

How long does ransomware recovery take?

Recovery from a serious ransomware attack usually takes weeks, and sometimes months. Sweden's civil defence minister warned that systems hit in the 2024 Tietoevry attack could be down for weeks, and Synnovis needed months to restore full pathology services. Tested offline backups and a rehearsed response plan are what shorten the timeline.

Get a 30-Minute Security Briefing. No Pitch Deck.

Talk to a Sweden-based analyst. We'll review your posture, map your NIS2 gaps, and give you a clear picture of where you stand, in plain language.

Book a Free Briefing
No commitment Sweden-based analyst

How eBuilder Security Can Help

Awareness is the first layer. These are the services that turn it into measurable protection.