2024 Ransomware Holiday Risk Report

86% of Ransomware Victims Targeted on a Weekend or Holiday

A global study of 900 IT and security professionals reveals that ransomware attackers often strike when defenses are weakest. 86% of study participants who experienced a ransomware attack in the past 12 months were targeted on a weekend or holiday, when staffing is most likely to be reduced. The study also shows that organizations typically reduced security staffing during the most likely times of attack.

Threat actors … are calculated and persistent in their attack methods. Security awareness and functionality don’t wax and wane. If anything, organizations should increase their security persistence on holidays and weekends, knowing that threat actors aren’t taking time off.

Chris Inglis Semperis Strategic Advisor & first US National Cyber Director

Striking gap in ransomware defenses

Despite widespread cybersecurity efforts, many organizations are unintentionally opening a door to ransomware by reducing their defenses during weekends and holidays. Attackers clearly expect this behavior and target these periods — as well as other material corporate events that might signal distracted or reduced defenses — to strike.

Organizations that aim to strengthen their cyber defenses can use this information to their advantage. Implementing robust, automated protection and recovery solutions for the identity infrastructure can help to foil ransomware attempts, even during times of corporate upheaval or when human resources are scarce.

Get the report
86%
of ransomware victims were targeted on a weekend or holiday
85%
of organizations that maintain a SOC reduce staffing on holidays and weekends
63%
of surveyed organizations were attacked during a major corporate event
40%
of respondents reported having no ransomware recovery budget or uncertainty about that budget
Mickey Bresman, Semperis CEO

24/7/365 coverage is a necessity, as are automated identity playbooks that serve to reduce risk and improve operational resilience.

Mickey Bresman Semperis CEO

Attackers strike when SOC staffing is reduced

Most of the organizations included in our study (96%) said their SOC operates 24/7/365, through some combination of internal and external resources. Even so, the majority of global companies (85%) scale back on their after-hours SOC staffing levels by up to 50%. And alarmingly, nearly 5% of respondents indicated that their SOC is not staffed at all during holidays or weekends.

85%

of global companies scale back on their after-hours SOC staffing levels by up to 50%

5%

of respondents said their SOC is not staffed at all during holidays or weekends

When fewer people are in the office, there’s less demand for that help-desk role, and internal risks are lower. So, it’s understandable that companies with a hybrid SOC — one that fulfills both cybersecurity and help desk roles — might ask, ‘Why do I need to have so many people here?’

Guido Grillenmeier Semperis Principal Technologist (EMEA)

Attacks occur during times of corporate distraction

Times of corporate upheaval — whether a merger, acquisition, IPO, or reduction in workforce — are also magnets for ransomware attackers. Semperis’ survey data show that a majority (63%) of respondents also experienced a ransomware attack following a material corporate event. Not only do these situations create the distractions that bad actors love to exploit, but attackers can often extract large ransoms from companies desperate to regain access to critical systems or prove operational competence ahead of a major transaction. In addition, such events create inherent identity security challenges.

Cyberattacks, including ransomware, often happen in the cracks — during mergers, acquisitions, layoffs, and in the seams of supplier-vendor relationships. … To combat never-ending ransomware attacks, organizations should focus on building resilience into their networks.

Kemba Walden Paladin Global Institute President & former Acting US National Cyber Director

If you’re big enough to have a SOC, it should be staffed at all times — and not by a skeleton crew. It should be at least 75% staffed, and SOC teams should have effective automated threat detection and response in place as well.

Jeff Wichman Semperis Director of Incident Response

Threat actors want to make as much money as possible with the least hassle. They look for distractions and events that give them more leverage, and they try to catch organizations unprepared.

Sean Deuby Semperis Principal Technologist (North America)

It is human nature for services not to be as strong on the weekends, as many [organizations maintain] the mindset of the work week…. And when staffing levels decrease, naturally the fallout could be systems that are more vulnerable to breach.

Ciaran Martin CB, Managing Director at Paladin Capital Group and founding Chief Executive of the UK’s National Cyber Security Centre