DataCarry Ransomware Group Breaches Swedish IT Company Miljödata, Steals Confidential Data

A newly identified ransomware group reported breaching the internal network of Swedish IT firm Miljödata, exfiltrating confidential data from its database and compromising sensitive systems with potential operational and client impacts.

 

In August 2025, Swedish system supplier Miljödata suffered a major ransomware attack in which hackers infiltrated its network, stole sensitive data, and encrypted critical systems while demanding a ransom for decryption. Personal information was taken from Adato, a rehabilitation support system, and Novi, a system used for HR personnel notes.

 

The incident affected around 25 private companies—including major firms like Scandinavian airline SAS and metals company Boliden—as well as approximately 200 Swedish municipalities, including the capital, Stockholm.

 

One of the affected organisations, Lund University, reported that the threat actors accessed Adato and stole sensitive personal data of all current and former employees.

 

“Both current and former employees of Lund University are affected, with the latter group including those employed from 2008 onwards. According to Miljödata AB, the data stolen in the Adato rehabilitation service data breach was later published on the Darknet,” the University said.

 

Volvo North America also reported a similar attack after its IT provider, Miljödata, detected a network intrusion impacting critical systems.

 

On September 13, the relatively new DataCarry ransomware group claimed responsibility for the cyberattack on Miljödata, listing the organization on its data leak site. Following a failed ransom negotiation, the group published the stolen data on September 14.

 

The leaked data was added to Have I Been Pwned, revealing 870,000 unique email addresses, along with names, addresses, phone numbers, government IDs, dates of birth, and gender.

 

DataCarry is a newly identified ransomware and data extortion group, first observed in May 2025. Operating under a double-extortion model, the group exfiltrates sensitive data and threatens to publish it via a Tor-hosted leak site. Since its emergence, DataCarry has claimed victims across multiple industries—including insurance, healthcare, real estate, retail, and aerospace—in countries such as Latvia, Belgium, Türkiye, South Africa, Switzerland, Denmark, and the United Kingdom. Its swift rise and international reach point to a highly organised threat actor.