Monday, November 24, 2025

Ransomware Strikes Hardest on Holidays, Semperis Warns

Semperis’ 2025 study finds most ransomware attacks hit on holidays and during corporate shakeups, as reduced SOC staffing leaves organizations dangerously exposed.

Ransomware attacks are overwhelmingly concentrated during holidays, weekends, and periods of corporate disruption, according to a new global study released by Semperis, a provider of identity security and cyber resilience tools. The findings underscore a critical and persistent vulnerability: attackers exploit predictable dips in cybersecurity staffing and organizational focus.

The report, titled the 2025 Holiday Ransomware Risk Report, surveyed organizations across ten countries and found that 52% of all reported ransomware incidents occurred on a holiday or weekend. This trend is directly linked to staffing decisions, as an alarming 78% of companies cut security operations center (SOC) staffing by 50% or more during these periods, with 6% eliminating coverage.

Exploiting Downtime and Distraction

Beyond scheduled days off, the study found that threat actors are highly attuned to corporate news, targeting organizations during major material business events to leverage maximum chaos and disruption.

60% of ransomware attacks occurred following a major corporate event, such as an Initial Public Offering (IPO), a merger or acquisition, or rounds of layoffs. Of those attacks, 54% followed a merger or acquisition, capitalizing on the ambiguity in governance and the distraction of integrating systems.

“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks,” said Chris Inglis, the first U.S. National Cyber Director and a Strategic Advisor for Semperis. He added that corporate events “often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on.”

The Response-and-Recovery Gap

The report also highlighted a significant disparity in corporate preparedness, particularly in the critical area of identity threat detection and response (ITDR).

While 90% of surveyed respondents reported having ITDR plans designed to detect identity system vulnerabilities—a frequent target for ransomware groups—far fewer are equipped for the actual recovery.

Only 45% of plans include specific remediation procedures, and just 63% automate the recovery of compromised identity systems. This indicates that while organizations are improving their ability to identify threats, many are still lagging severely in their ability to rapidly contain and recover from a successful attack, thereby prolonging business disruption.
