Estimating The Number Of Ransomware Attacks

Objectives: This study aims to estimate the prevalence and reporting rates of ransomware attacks against businesses in the Netherlands. We evaluate the extent of underreporting and compare our estimates to those from national victimization surveys, focusing on differences by company size.

Methods: We use capture-recapture methodology to estimate ransomware prevalence from 2019 to 2023. The analysis combines three data sources: police reports, data from incident response companies, and data from leak sites used by ransomware groups. Estimates are produced separately for large, medium, and small companies. We also calculate annual victimization risks and reporting proportions for each size category.

Results: We estimate that large companies were victimized by ransomware 138 times over four years, with medium and small companies experiencing 219 and 2,373 attacks respectively. The estimate for small companies appears inflated and is judged unreliable. The average annual risk of victimization is 1.3% for large companies and 0.6% for medium companies. Only 41.4% of large-company attacks and 40.2% of medium-company attacks were reported to the police, indicating substantial underreporting. However, these reporting rates exceed those observed for other cybercrime types. Our estimates closely align with results from the Dutch Cybersecurity Monitor.

Conclusions: Crime-specific data and statistical estimation methods can provide robust insights into ransomware prevalence and reporting behavior. While findings for large and medium businesses appear reliable, further research is needed to improve estimates for small companies. The results underscore the importance of complementary data sources for measuring cybercrime and informing policy and practice.