2025 Ransomware Holiday Risk Report

Ransomware Targets Times of Distraction

Most ransomware attacks occur when organizations reduce staffing or after material corporate events.

If you are not thinking about your infrastructure and protecting your infrastructure, which includes identity systems … I don’t know what to say. There’s no other starting point.

Heather Costa, Mayo Clinic Director of Technology Resilience

When do most ransomware attacks occur?

As noted in the Semperis 2025 Ransomware Risk Report, this year’s study showed an overall drop in the frequency of ransomware attacks. Still, more than half of global study respondents who reported being targeted said that the attack occurred during a weekend or holiday. And even more said that they were attacked after a material corporate event, such as a merger or acquisition.

52% of ransomware attacks occurred on a weekend or holiday

60% occurred after a material corporate event such as M&A

Corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on.

Chris Inglis, First U.S. National Cyber Director, Semperis Strategic Advisor

Many organizations reduce SOC staffing on weekends and holidays

What do SOC leaders need to know?

We are encouraged to see a slight rise in the share of companies that say they staff their SOC at more than half-capacity during weekend and holiday periods. Unfortunately, more than three-quarters still cut SOC staffing by 50% or more at those times … and some do not staff their SOC at all outside of the regular workweek.

78% of global companies scale back on their after-hours SOC staffing levels by 50% or more

6% of respondents said their SOC is not staffed at all during holidays or weekends

If you want your employees to be out for the holiday, you need to plan and prepare. You need to have some type of monitoring, even if it’s third-party monitoring with extra diligence over that period. There is no time off.

Jeff Wichman, Semperis Director of Incident Response

Can your identity infrastructure stand up to ransomware?

ITDR strategy adoption increased slightly this year, to 90%. Nearly all those who said they have an ITDR plan also said that they have procedures in place to scan for identity system vulnerabilities. However, many organizations lack procedures and plans to remediate vulnerabilities and to recover identity systems after an attack.

Only 45% have procedures to remediate identity vulnerabilities

Only 63% automate identity system recovery

Only 66% have an Active Directory recovery plan

Only 55% have an Entra ID recovery plan

Adversaries are always after the identity system because that’s where they can create the maximum blast radius. Therefore, you must have the ability to recover the identity system quickly and—most critically—with integrity. Without that integrity, organizations often end up restoring the adversary into the environment.

Simon Hodgkinson, Former bp CISO, Semperis Strategic Advisor
