Dutch police disrupt half of ransomware operations, finds embedded PhD student


Dutch police interventions successfully disrupt approximately half of the ransomware groups they target, according to PhD research at the University of Twente.  

Conducted by Tom Meurs, who spent four years embedded with Dutch police cyber teams, the study revealed that even when criminals persist after intervention, they typically do so on a smaller scale, targeting fewer and less prominent victims. 

The research offers rare insight into law enforcement effectiveness against ransomware. While public perception suggests that police have a limited impact on cyber crime, the findings demonstrate that targeted interventions yield measurable results when backed by systematic data collection. 

Centralised data collection 

The Dutch approach stands out internationally because of the systematic collection and centralisation of ransomware intelligence. Meurs spent six months compiling comprehensive data from police cases across the Netherlands, creating a unique intelligence position that few other countries have achieved. 

“I’ve spoken with colleagues from Belgium, Luxembourg and Germany. The challenging thing about ransomware is that information is often scattered across different police systems,” said Meurs. “What makes us relatively unique in the Netherlands is dedicating PhD research to this issue and creating a more unified database of attacks.” 

This centralised data collection offers multiple benefits. It helps build a stronger intelligence position on the relatively small number of criminal groups responsible for most attacks. When decryptors become available or other interventions besides arrests are possible, authorities can more easily identify victims who might benefit. 

Intervention effectiveness 

The research assessed five intervention strategies: arresting individuals connected to ransomware networks, imposing sanctions, making decryptors available, taking down leak sites, and freezing cryptocurrency assets. 

Remarkably, these interventions show limited crime displacement, suggesting criminals often don’t simply switch to different methods after disruption. This aligns with rational choice theory, which suggests making criminal activities less attractive can reduce their occurrence. 

“The data indicates that when you make criminal activities less profitable or more risky, you tend to see a reduction in those activities,” said Meurs. “The interventions I studied appear to affect ransomware operations in three ways: reducing profits, increasing the effort required to execute attacks, or raising the risk of detection.” 

Measuring the problem’s scale 

The research provides quantitative data on ransomware incidents in the Netherlands. For large businesses, the annual risk of a ransomware attack is estimated at 1.3%, while for medium-sized companies, it’s approximately 0.6%. The data suggests that only 40% of attacks on these organisations are detected. 


The financial impact varies considerably, with the average attack costing victims about €514,000. Incidents involving data exfiltration – double extortion – show significantly higher costs, averaging €2.1m. 

Particularly concerning is the situation for small businesses. Meurs’ research indicates they’re victimised more frequently in absolute terms, yet they’re less likely to report incidents to police, engage incident response firms, or appear on leak sites. 

“Small businesses often find it difficult to approach the police because they think, ‘I’m a small company that’s been attacked, what will the police do for me?’” said Meurs. “Incident response companies are often very expensive, so they can’t afford that. And they rarely appear on leak sites because attackers primarily target larger companies to build their reputation.” 

Backup complexities and insurance effects 

While the standard advice to organisations has long been “make good backups and don’t pay”, Meurs’ research reveals much more complex realities. Criminals now routinely target backup systems first, rendering traditional backup strategies insufficient. 

“Cyber criminals always try to delete backups because they know if a company can recover with backups, they’re less likely to pay,” he said. “That’s why I emphasise that backups for a cyber incident are fundamentally different from backups designed to protect against ransomware.” 

His research found that most companies pay the ransom. “Only about five out of 100 organisations have functional backup recovery capabilities. The other 95% paid, because they genuinely had no viable recovery option,” said Meurs. This finding challenges the effectiveness of proposals to ban ransom payments. 

“If payments were banned, these companies would face either paying anyway and potentially facing penalties, or losing their entire IT infrastructure and possibly facing bankruptcy,” said Meurs. “From a societal cost perspective, such a ban would likely cause more harm than good.” 

The research also reveals that cyber insurance, while essential for risk management, creates perverse incentives. It found that companies with cyber insurance pay ransoms 2.7 times more frequently, and even 5.5 times more frequently if data was extorted. Meurs said criminals often search for insurance policy documents inside networks to calibrate their demands accordingly. 

Initiatives for small businesses

Dutch authorities are working to address the significant blind spot around small business victimisation. One initiative focuses on reducing reporting barriers through online reporting options. 

“The police are increasingly focused on broader countermeasures, not just arrests,” noted Meurs. “For example, one ransomware group was compromised in a way that allowed approximately 200 keys to be recovered, which meant victims could regain access to their files without paying. But we could only provide keys to victims who had filed reports.” 

This exemplifies the Dutch approach of combining technical expertise with practical assistance to victims – but it depends on victims coming forward.

Ransomware continues to evolve, with Meurs observing several trends. As more companies improve their backup strategies, criminals focus increasingly on data theft as leverage. Additionally, the massive ransomware groups of 100+ criminals working together are fracturing due to internal conflicts. 

“I expect that in the short term, many ransomware groups will try to fly under the radar by being smaller,” Meurs predicted. “They’ll still target large companies that pay substantial amounts, but they’ll operate more discreetly.” 

For organisations, understanding their IT infrastructure remains crucial. “Companies that experience problems often don’t know their IT infrastructure well,” Meurs observed. “They may have changed IT providers three times and have no idea there’s still a server somewhere abroad running outdated software, which often provides entry points for criminals.”

Combining embedded research, centralised intelligence and diverse intervention strategies, the Dutch approach offers valuable lessons for other countries. As this model matures, Dutch law enforcement continues to refine methods for disrupting the ransomware ecosystem. 

While the threat evolves continuously, the message from Dutch cyber crime units is clear: report incidents, as even seemingly small cases contribute to the intelligence picture that enables effective disruption of these criminal networks. 
