Semperis recently unveiled results from a global ransomware study underscoring that the majority of ransomware attacks continue to occur on holidays and weekends, when cybersecurity staffing is reduced. In addition, the study shows ransomware groups also intensify their attacks during corporate material business events, including mergers, acquisitions, IPOs, and layoffs, to exploit organizational disruption and reduced security focus. A reported 60 percent of attacks occurred following an IPO, merger or acquisition, or round of layoffs.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.
The report, titled 2025 Ransomware Holiday Risk Report, found that 52 percent of surveyed organizations were targeted on holidays or weekends. Alarmingly, 78 percent of companies cut security operation center (SOC) staffing by 50 percent or more during holidays and weekends, while six percent cut their SOC staffing entirely during these same times.
Additional findings include:
- 29 percent stated that SOC staffing reductions on holidays and weekends stemmed from not thinking they would be attacked.
- Identity threat detection and response (ITDR) plans are gaining traction, with 90 percent reporting that their plans detect identity system vulnerabilities.
- Unfortunately, only 45 percent of plans include remediation procedures, and only 63 percent automate identity system recovery.
The full ransomware study, which includes breakdowns of responses by vertical market and by country, is available here.
