Estimating the number of ransomware attacks
Objectives: this study aims to estimate the prevalence and reporting rates of ransomware attacks against businesses in the Netherlands. We evaluate the extent of underreporting and compare our estimates to those from national victimization surveys, focusing on differences by company size.
Methods: we use capture-recapture methodology to estimate ransomware prevalence from 2019 to 2023. The analysis combines three data sources: police reports, data from incident response companies, and data from leak sites used by ransomware groups. Estimates are produced separately for large, medium, and small companies. We also calculate annual victimization risks and reporting proportions for each size category.
Results: we estimate that large companies were victimized by ransomware 138 times over four years, with medium and small companies experiencing 219 and 2,373 attacks respectively. The estimate for small companies appears inflated and is judged unreliable. The average annual risk of victimization is 1.3% for large companies and 0.6% for medium companies. Only 41.4% of large-company attacks and 40.2% of medium-company attacks were reported to the police, indicating substantial underreporting. However, these reporting rates exceed those observed for other cybercrime types. Our estimates closely align with results from the Dutch Cybersecurity Monitor.
Conclusions: crime-specific data and statistical estimation methods can provide robust insights into ransomware prevalence and reporting behavior. While findings for large and medium businesses appear reliable, further research is needed to improve estimates for small companies. The results underscore the importance of complementary data sources for measuring cybercrime and informing policy and practice.
Keywords: Capture-recapture methodology, Cybercrime, Measurement, Police, Ransomware, Victimization surveys
Meurs, Tom
Junger, Marianne
Cruyff, Maarten
van der Heijden, Peter G.M.
Meurs, Tom, Junger, Marianne, Cruyff, Maarten and van der Heijden, Peter G.M. (2025) Estimating the number of ransomware attacks. Journal of Quantitative Criminology. (doi:10.1007/s10940-025-09625-7).
Text
Meurs et al. 2025 s10940-025-09625-7
- Version of Record
More information
Accepted/In Press date: 15 July 2025
e-pub ahead of print date: 29 July 2025
Identifiers
Local EPrints ID: 506024
URI: http://eprints.soton.ac.uk/id/eprint/506024
ISSN: 0748-4518
PURE UUID: d07d96d0-ee44-464a-84a8-c5393a4cab8c
Catalogue record
Date deposited: 27 Oct 2025 18:05
Last modified: 28 Oct 2025 02:44
Contributors
Author: Tom Meurs
Author: Marianne Junger
Author: Maarten Cruyff