Semperis, a provider of AI-powered identity security and cyber resilience, has released results from a global ransomware study underscoring that the majority of ransomware attacks continue to occur on holidays and weekends, when cybersecurity staffing is reduced.
In addition, the study shows ransomware groups also intensify their attacks during corporate material business events, including mergers, acquisitions, IPOs, and layoffs, to exploit organizational disruption and reduced security focus.
The report, titled 2025 Holiday Ransomware Risk Report, found that 52% of surveyed organizations in the U.S., UK, France, Germany, Italy, Spain, Singapore, Canada, Australia and New Zealand were targeted on holidays or weekends.
Alarmingly, 78% of companies cut security operation center (SOC) staffing by 50% or more, during holidays and weekends, while 6% cut their SOC staffing entirely during these same times. 60% of attacks occurred following an IPO, merger or acquisition, or round of layoffs.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor. “In addition, corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on.”
Key Ransomware Report Findings
Reasons for reducing SOC staffing on holidays and weekends.
62% of organizations want to provide employees with work/life balance, 47% reported their business is closed on holidays and weekends and 29% did not think they would be attacked.
Ransomware gangs will attack during corporate material events.
60% of ransomware attacks took place after a material corporate event and of those attacked after such an event, 54% of companies reported being targeted following a merger or acquisition.
ITDR plans prioritize detection over response and recovery.
Identity threat detection and response (ITDR) plans gain traction, with 90% of respondents reporting that their plans detect identity system vulnerabilities. However, only 45% of plans include remediation procedures, and only 63% automate identity system recovery.
