Ransomware Attacks Peak on Holidays and Weekends, Exploiting Low Staffing

Semperis Study: 52% of Firms Hit by Ransomware on Holidays or Weekends as SOC Staffing is Halved

INFORMATIONAL
November 24, 2025
Security Operations, Ransomware, Incident Response

Full Report

Executive Summary

A new global study by cybersecurity firm Semperis has confirmed a long-held belief in the security community: ransomware attackers strategically time their attacks for holidays and weekends. The "2025 Holiday Ransomware Risk Report" found that 52% of organizations were targeted during these periods, precisely when security oversight is at its lowest. The report reveals that 78% of companies reduce their Security Operations Center (SOC) staff by 50% or more during these times. This data provides quantitative evidence that threat actors are systematically exploiting predictable gaps in human-led security operations to maximize their chances of success.


Report Details

The study, which surveyed organizations across the U.S., Europe, and Asia-Pacific, highlights several critical findings for security leaders:

  • Off-Hours Attacks are the Norm: Over half (52%) of all ransomware attacks occurred on a holiday or weekend.
  • SOC Staffing is Drastically Reduced: An alarming 78% of companies cut their SOC staffing by at least half during these periods, with 6% cutting SOC staff entirely. The primary reason cited was improving employee work-life balance.
  • Exploiting Corporate Disruption: Threat actors also capitalize on organizational chaos. 60% of ransomware attacks occurred in the wake of a material business event, such as a merger and acquisition (M&A), Initial Public Offering (IPO), or a major round of layoffs.

As former U.S. National Cyber Director Chris Inglis noted, attackers' "persistence and patience" during these vulnerable times can lead to severe and long-lasting business disruptions.


Impact Assessment

The report's findings have significant implications for security operations and business continuity planning. The clear trend of attacking during off-hours demonstrates that ransomware groups are not opportunistic but are methodical planners who conduct reconnaissance and choose their moment to strike. The practice of reducing security staff during these periods, while understandable from a human resources perspective, creates a predictable window of vulnerability that attackers are clearly exploiting. This results in slower detection times, delayed response, and ultimately, more damage and higher recovery costs from ransomware incidents.


Lessons Learned

  1. Predictable Vulnerability: Reducing security staff on holidays and weekends is a predictable pattern that has been weaponized by adversaries.
  2. Attackers Follow Business News: Ransomware groups monitor corporate developments and target organizations during periods of internal turmoil (M&A, layoffs) when security focus may be diluted and processes are in flux.
  3. Vigilance is a 24/7/365 Requirement: A 9-to-5, weekday-only security posture is no longer viable against persistent ransomware threats.

Mitigation Recommendations

Strategic:

  1. Re-evaluate SOC Staffing Models: Organizations must find a way to maintain adequate security monitoring and response capabilities around the clock. This could involve

Timeline of Events

November 24, 2025: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Security Operations, SOC, Incident Response, Semperis, Cybersecurity Report, Holiday Security
