A recent Semperis report reveals that over half of ransomware incidents occur during weekends or holidays, with many attacks targeting organisations during internal changes when security teams are understaffed, exposing critical vulnerabilities and emphasising the need for proactive identity management and vigilant staffing practices.
Over half of organisations that experienced ransomware incidents in the past year were attacked during weekends or holidays, according to a recent report from Semperis. This timing exploits periods when security teams are often understaffed, investigations slow, and fewer personnel monitor identity systems, allowing attackers to move undetected deeper into networks. The report reveals that 52% of ransomware events occurred during these off-hours, underscoring a critical vulnerability tied to reduced vigilance.
The risks compound during corporate transitions. Sixty percent of ransomware incidents happened following mergers, acquisitions, restructuring, or similar significant internal changes, with M&A activities being the most common trigger. Such events often lead to consolidation of identity environments, creating inconsistencies such as stale accounts, weak controls, and ambiguous access paths. These gaps are rapidly exploited by threat actors who capitalise on the organisational distractions and the complexity of integrating identity systems.
Many organisations operate in-house Security Operations Centers (SOCs) that are crucial for ransomware defence. However, the Semperis study found that 78% of organisations reduce SOC staffing by at least half during weekends and holidays, and 6% completely vacate their SOCs during these periods. The primary reasons for these staffing reductions include supporting employees’ work-life balance and aligning coverage with business hours, as some companies are closed outside of the traditional workweek. A smaller, yet notable group still assumes attacks are less likely during off-hours, although this belief is waning as cyber threats continue to evolve.
Chris Inglis, the first U.S. National Cyber Director and Strategic Advisor to Semperis, emphasised the danger: “Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions.” This highlights the urgent need for organisations to rethink staffing models and threat monitoring during periods traditionally considered low risk.
Despite strong detection capabilities, with 90% of surveyed organisations implementing identity threat detection and response strategies, there is a significant gap in remediation. Only 45% have procedures to fix vulnerabilities once identified, leaving exploitable pathways open to attackers. Recovery practices also show inconsistencies; while two-thirds include Active Directory recovery in disaster planning, fewer extend this to cloud identity systems. About 63% automate identity recovery processes, which is essential because manual rebuilds can significantly prolong operational downtime after an attack.
The report underscores the importance of early and thorough identity planning, especially during mergers and acquisitions. Often, identity design is treated as a secondary concern focused on cost alignment, rather than a primary security consideration. By integrating identity risk assessments into due diligence phases, organisations could reduce exposure to identity-related vulnerabilities before they become embedded in the combined environment.
To alleviate pressures on SOC teams and improve response, some organisations are exploring AI-driven tools to assist with alert triage and correlation. However, Semperis cautions that these technologies cannot fully replace human staffing during high-risk periods, as AI also introduces new challenges, including the need to secure machine identities.
Ultimately, the Semperis report calls for heightened vigilance, better resource allocation during off-hours, and proactive identity management as essential measures to mitigate ransomware risks that exploit known staffing and organisational weaknesses.
Source: Fuse Wire


