Ransomware crooks knock Swedish municipalities offline for measly sum of $168K
(2025/08/28)
- Reference: 1756384745
- News link: https://www.theregister.co.uk/2025/08/28/sweden_council_ransomware/
- Source link:
Sweden's municipal governments have been knocked offline after ransomware crooks hit IT supplier Miljödata, reportedly demanding the bargain-basement sum of $168,000.
Miljödata runs HR, sick leave, and incident reporting systems for approximately 80 percent of Sweden's municipalities, making it a juicy single point of failure. Over the weekend, those systems went dark, leaving councils from Gotland and Halland to Karlstad and Skellefteå unable to access key services.
Miljödata CEO Erik Hallén [1]confirmed on August 25 that the disruption was the result of a cyberattack, stating that the intrusion had affected 200 of Sweden's 290 municipalities, while local cosp have confirmed that the attackers responsible had demanded, er, 1.5 Bitcoin to keep the data under wraps.
[2]
If the price tag sounds oddly low, that's because it is. At current exchange rates, 1.5 BTC amounts to roughly $168,000, a fraction of the multimillion-dollar sums typically associated with big-ticket ransomware campaigns. Hospitals, energy firms, and even city transport systems have faced extortion notes ten times higher. Whoever is behind this one seems to be thinking small, either because they don't know what they've got or they're hoping the modest ask will increase the chances of someone quietly paying up.
[3]
[4]
Local media outlets report that sensitive data may already have been accessed, and the Gotland region [5]warned that the attack "may have resulted in sensitive personal data being leaked." Precisely what information is at risk remains unclear, though Gotland states that it uses the software for handling employee data, including medical certificates, rehabilitation plans, and work-related injuries.
[6]Crims laud Claude to plant ransomware and fake IT expertise
[7]The intruder is in the house: Storm-0501 attacked Azure, stole data, demanded payment via Teams
[8]Who are you again? Infosec experiencing 'Identity crisis' amid rising login attacks
[9]First AI-powered ransomware spotted, but it's not active – yet
Miljödata, for its part, says there is "no evidence to suggest" that data has been stolen, according to [10]one university that uses the company's software .
What is clear is the widespread disruption. Councils have admitted that staff have been locked out of Miljödata's platforms, while police and Sweden's CERT-SE have been called in to deal with the issue.
Sweden's Minister for Civil Defence, Carl-Oskar Bohlin, has tried to calm nerves, [11]saying it is too early to assess the full consequences. He also took the opportunity to trail new cybersecurity legislation, promising stricter rules and more oversight once Parliament gets around to it.
[12]
The incident underscores the fragility of centralized IT suppliers. By funneling so many municipalities through a single provider, Sweden has inadvertently created a fat target for opportunistic ransomware groups. Miljödata's woes are only the latest in a string of supply chain-style hits that ripple out far beyond the initial victim.
Whether anyone pays the ransom remains an open question. For now, Swedish councils are learning the hard way that sometimes it doesn't take a multimillion-dollar extortion note to cause chaos. Sometimes all it takes is 1.5 BTC. ®
Get our [13]Tech Resources
[1] https://www.blt.se/karlskrona/cyberattack-mot-karlskronaforetag-utpressas-pa-pengar/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://gotland.se/arkiv/nyheter/allmant/2025-08-26-region-gotlands-leverantor-av-arbetsmiljosystem-ar-utsatta-for-cyberangrepp
[6] https://www.theregister.com/2025/08/27/anthropic_security_report_flags_rogue/
[7] https://www.theregister.com/2025/08/27/storm0501_ransomware_azure_teams/
[8] https://www.theregister.com/2025/08/27/ciscos_duo_identity_crisis/
[9] https://www.theregister.com/2025/08/26/first_aipowered_ransomware_spotted_by/
[10] https://www.oru.se/english/news/miljodata-no-evidence-of-personal-data-leaks-after-cyberattack/
[11] https://x.com/CarlOskar/status/1960358157965734144
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Miljödata runs HR, sick leave, and incident reporting systems for approximately 80 percent of Sweden's municipalities, making it a juicy single point of failure. Over the weekend, those systems went dark, leaving councils from Gotland and Halland to Karlstad and Skellefteå unable to access key services.
Miljödata CEO Erik Hallén [1]confirmed on August 25 that the disruption was the result of a cyberattack, stating that the intrusion had affected 200 of Sweden's 290 municipalities, while local cosp have confirmed that the attackers responsible had demanded, er, 1.5 Bitcoin to keep the data under wraps.
[2]
If the price tag sounds oddly low, that's because it is. At current exchange rates, 1.5 BTC amounts to roughly $168,000, a fraction of the multimillion-dollar sums typically associated with big-ticket ransomware campaigns. Hospitals, energy firms, and even city transport systems have faced extortion notes ten times higher. Whoever is behind this one seems to be thinking small, either because they don't know what they've got or they're hoping the modest ask will increase the chances of someone quietly paying up.
[3]
[4]
Local media outlets report that sensitive data may already have been accessed, and the Gotland region [5]warned that the attack "may have resulted in sensitive personal data being leaked." Precisely what information is at risk remains unclear, though Gotland states that it uses the software for handling employee data, including medical certificates, rehabilitation plans, and work-related injuries.
[6]Crims laud Claude to plant ransomware and fake IT expertise
[7]The intruder is in the house: Storm-0501 attacked Azure, stole data, demanded payment via Teams
[8]Who are you again? Infosec experiencing 'Identity crisis' amid rising login attacks
[9]First AI-powered ransomware spotted, but it's not active – yet
Miljödata, for its part, says there is "no evidence to suggest" that data has been stolen, according to [10]one university that uses the company's software .
What is clear is the widespread disruption. Councils have admitted that staff have been locked out of Miljödata's platforms, while police and Sweden's CERT-SE have been called in to deal with the issue.
Sweden's Minister for Civil Defence, Carl-Oskar Bohlin, has tried to calm nerves, [11]saying it is too early to assess the full consequences. He also took the opportunity to trail new cybersecurity legislation, promising stricter rules and more oversight once Parliament gets around to it.
[12]
The incident underscores the fragility of centralized IT suppliers. By funneling so many municipalities through a single provider, Sweden has inadvertently created a fat target for opportunistic ransomware groups. Miljödata's woes are only the latest in a string of supply chain-style hits that ripple out far beyond the initial victim.
Whether anyone pays the ransom remains an open question. For now, Swedish councils are learning the hard way that sometimes it doesn't take a multimillion-dollar extortion note to cause chaos. Sometimes all it takes is 1.5 BTC. ®
Get our [13]Tech Resources
[1] https://www.blt.se/karlskrona/cyberattack-mot-karlskronaforetag-utpressas-pa-pengar/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://gotland.se/arkiv/nyheter/allmant/2025-08-26-region-gotlands-leverantor-av-arbetsmiljosystem-ar-utsatta-for-cyberangrepp
[6] https://www.theregister.com/2025/08/27/anthropic_security_report_flags_rogue/
[7] https://www.theregister.com/2025/08/27/storm0501_ransomware_azure_teams/
[8] https://www.theregister.com/2025/08/27/ciscos_duo_identity_crisis/
[9] https://www.theregister.com/2025/08/26/first_aipowered_ransomware_spotted_by/
[10] https://www.oru.se/english/news/miljodata-no-evidence-of-personal-data-leaks-after-cyberattack/
[11] https://x.com/CarlOskar/status/1960358157965734144
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLB9G4c6XxRy2hSBY0tNvgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Past time to ban paying ransom
VicMortimer
There should NOT be a question if ransom should be paid.
It should be a crime to pay.
The only way ransomware is ever going to be stopped is if the profit motive is removed. And that cannot be done solely by going after the crooks, there has to be a mechanism for preventing payment.
Paying ransom should result in actual jail time, in the case of a company for the CEO, in the case of a city for whatever politician authorized payment.
Local security professional with more insight.
Full disclosure: Cybersec professional from Sweden speaking here
1. Communities have not been "knocked offline". It is the sick leave system for employees that has been affected. The rest of their IT systems are in the normal state of (dys)functionality.
2. It's not just communities. 80% of them use the system, but it is also used by many Universities, other government organizations and (large) corporations. It has not been published, but it is likely hundreds of thousands of Swedes could be in these systems, not just local government employees.
3. The sick leave system contains Personal Identifiable Information including medical details. In Sweden a "doctors note" is required for sick leave after 10 days. These notes contain the current medical situation including chronic conditions that may be contributing to the sick leave. This is the data that is attacked and possibly stolen.
4. There is very little that is published, probably for good reason. The ransom actor apparently claims that they did copy the data before encryption (if the systems were encrypted). Miljödata says they have no reason to believe that attackers stole it, but the fact that the attackers claim so should be "a" reason to believe it is possible that it happened, since the attackers clearly did manage to do something to the Miljödata systems and they have not been taken offline purely because of bluff.
5. The IT systems are being built back from scratch and data is being restored. The last number published was that for 76 customers, there was a chance of some level of data loss (probably because backups were not representative of the latest state of data). The systems are expected to be accessible for customers again before Friday Aug 29 EOB.
If Miljödata will get away with this or not is unclear at this point. Maybe the data was only trashed and nothing got stolen. Maybe the entry path was obvious (some employee using the same password on a website and using their work email account, making it painfully easy for attackers to get access to the production environment, because MFA was not used, or a similar shameful amount of security implemented). Or... attackers will once again trash the systems? Maybe the attackers will start publishing stolen data, revealing medical records for many Swedes, just to make sure that they get the money for not publishing the rest? Who knows? Wat I do know is that many Swedes feel uneasy with the uncertainty that maybe Miljödata is gambling with their medical records and angry that this system was not protected properly.