Ransomware attacks peak during holidays & major business events

A recent global study has found that the majority of ransomware attacks are timed to coincide with holidays, weekends, and major corporate events, exploiting periods when organisations have fewer cybersecurity staff on duty.

Attack timing

The study, which surveyed 1,500 IT and security professionals across 10 countries, revealed that 52% of reported ransomware incidents in the past year occurred over weekends or holidays. The trend underscores a persistent threat pattern, with criminal groups targeting organisations when incident response capabilities are likely to be diminished.

Data from the report indicates that 78% of organisations reduce their security operation centre (SOC) staffing by at least half during these higher risk periods, while 6% reported having no SOC coverage outside regular business hours. In addition to weekends and public holidays, attackers also focus on periods of business transformation or uncertainty such as major mergers, acquisitions, initial public offerings (IPOs) and rounds of layoffs. The research found that 60% of ransomware attacks happened following such material corporate events, with more than half of these incidents occurring after a merger or acquisition.

Staffing decisions

The motivations for reducing security coverage during vulnerable periods are complex. The study reported that 62% of organisations cited a desire to uphold work/life balance for cybersecurity staff, while 47% reduce staffing due to business closures and 29% believe the risk of attack is lower during these times.

"Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long lasting business disruptions," said Chris Inglis, Strategic Advisor, Semperis.

The study cited specific examples where attackers struck during periods of low staffing. In one case, the Jaguar Land Rover cyberattack began on a Sunday as a new batch of vehicle registration plates was set for release the following Monday. In another case, Collins Aerospace suffered an attack on a Friday evening, causing disruptions at several airports including London Heathrow.

Identity security plans

The survey also examined approaches to identity threat detection and response (ITDR). Ninety percent of respondents said they had ITDR plans to detect vulnerabilities in identity systems, which are often a target in ransomware campaigns. However, only 45% included remediation procedures in their plans, and just 63% reported automating the recovery of these systems.

Industry implications

The findings suggest that cybercriminal groups are adept at tracking corporate news and public timetables, timing their activity for when security controls may be weakest or most prone to human error. Sectors examined in the study included financial services, manufacturing, legal, healthcare and critical infrastructure, highlighting the broad exposure of industries to this risk.

The data, drawn in part from events at large organisations and global brands, reinforce warnings from industry analysts and government agencies about the need for around-the-clock security coverage and stronger incident response preparedness during known periods of organisational disruption.

"In addition, corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability-exactly the environment ransomware groups thrive on," said Inglis.