Ransomware attacks still strike most often on holidays and weekends, when cybersecurity teams are thinly staffed, according to a new global study.
The report, released by Semperis — a leading provider of AI-powered identity security and cyber resilience services, also finds that attackers ramp up activity during major corporate events such as mergers, acquisitions, IPOs and layoffs, exploiting organizational disruption and reduced security focus.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks,” said Chris Inglis, the first U.S. national cyber director and Semperis strategic advisor. “Vigilance during these times is more critical than ever because attackers’ persistence and patience can lead to long-lasting business disruptions. In addition, corporate material events often create distractions and uncertainty in governance and accountability — exactly the environment ransomware groups thrive on.”
The 2025 Holiday Ransomware Risk Report found that 52% of surveyed organizations in the United States, the United Kingdom, France, Germany, Italy, Spain, Singapore, Canada, Australia and New Zealand were targeted on holidays or weekends. The report also found that 78% of companies reduce security operations center staff by 50% or more during these periods, while 6% eliminate SOC staffing entirely. Sixty percent of attacks occurred after a corporate material event such as an IPO, merger, acquisition or round of layoffs.
Key findings
Reduced SOC staffing leaves organizations exposed: Many companies scale back security operations center staffing during holidays and weekends. Sixty-two percent said the reductions were meant to support employee work-life balance, 47% said their business is closed during those periods and 29% believed they were unlikely to be targeted at those times.
Ransomware groups exploit major corporate events: Sixty percent of organizations that experienced an attack said it occurred after a significant corporate event. Among those, 54% were targeted following a merger or acquisition, underscoring how operational disruption creates opportunity for attackers.
ITDR programs focus on detection but fall short on response: Identity threat detection and response strategies are becoming more common, with 90% of respondents reporting that their plans can identify vulnerabilities in identity systems. Still, only 45% include remediation procedures, and just 63% incorporate automated identity system recovery — leaving gaps in organizations’ ability to respond once an attack begins.
The full report, including breakdowns by industry and country, is available on Semperis’ website.
Semperis protects critical enterprise identity systems for security teams defending hybrid and multi-cloud environments. Built to secure identity platforms such as Active Directory, Entra ID and Okta, Semperis’ AI-powered technology protects more than 100 million identities from cyberattacks, data breaches and operational errors.