Semperis Study: 52% of Firms Hit by Ransomware on Holidays or Weekends as SOC Staffing is Halved

Ransomware Attacks Peak on Holidays and Weekends, Exploiting Low Staffing

INFORMATIONAL
November 24, 2025
3m read
Security OperationsRansomwareIncident Response

Related Entities

Organizations

Semperis

Other

Chris Inglis

Full Report

Executive Summary

A new global study by cybersecurity firm Semperis has confirmed a long-held belief in the security community: ransomware attackers strategically time their attacks for holidays and weekends. The "2025 Holiday Ransomware Risk Report" found that 52% of organizations were targeted during these periods, precisely when security oversight is at its lowest. The report reveals that 78% of companies reduce their Security Operation Center (SOC) staff by 50% or more during these times. This data provides quantitative evidence that threat actors are systematically exploiting predictable gaps in human-led security operations to maximize their chances of success.

Report Details

The study, which surveyed organizations across the U.S., Europe, and Asia-Pacific, highlights several critical findings for security leaders:

  • Off-Hours Attacks are the Norm: Over half (52%) of all ransomware attacks occurred on a holiday or weekend.
  • SOC Staffing is Drastically Reduced: An alarming 78% of companies cut their SOC staffing by at least half during these periods, with 6% cutting SOC staff entirely. The primary reason cited was improving employee work-life balance.
  • Exploiting Corporate Disruption: Threat actors also capitalize on organizational chaos. 60% of ransomware attacks occurred in the wake of a material business event, such as a merger and acquisition (M&A), Initial Public Offering (IPO), or a major round of layoffs.

As former U.S. National Cyber Director Chris Inglis noted, attackers' "persistence and patience" during these vulnerable times can lead to severe and long-lasting business disruptions.

Impact Assessment

The report's findings have significant implications for security operations and business continuity planning. The clear trend of attacking during off-hours demonstrates that ransomware groups are not opportunistic but are methodical planners who conduct reconnaissance and choose their moment to strike. The practice of reducing security staff during these periods, while understandable from a human resources perspective, creates a predictable window of vulnerability that attackers are clearly exploiting. This results in slower detection times, delayed response, and ultimately, more damage and higher recovery costs from ransomware incidents.

Lessons Learned

  1. Predictable Vulnerability: Reducing security staff on holidays and weekends is a predictable pattern that has been weaponized by adversaries.
  2. Attackers Follow Business News: Ransomware groups monitor corporate developments and target organizations during periods of internal turmoil (M&A, layoffs) when security focus may be diluted and processes are in flux.
  3. Vigilance is a 24/7/365 Requirement: A 9-to-5, weekday-only security posture is no longer viable against persistent ransomware threats.

Mitigation Recommendations

Strategic:

  1. Re-evaluate SOC Staffing Models: Organizations must find a way to maintain adequate security monitoring and response capabilities around the clock. This could involve

Timeline of Events

1
November 24, 2025
This article was published

Sources & References

NEW Semperis Study Reveals that the Majority of Ransomware Attacks Continue to Occur During Holidays and Weekends
PR Newswire (prnewswire.com) November 24, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

RansomwareSecurity OperationsSOCIncident ResponseSemperisCybersecurity ReportHoliday Security

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.