Cybercriminals Exploit Weekend Lull to Launch Ransomware Attacks

Ransomware gangs are increasingly targeting weekends and holidays, when cybersecurity teams are typically less staffed, according to a new report from Semperis.

The cybersecurity firm said that 86% of study participants who experienced a ransomware attack were targeted on a weekend or holiday, when staffing is most likely to be reduced.

Even though 96% of surveyed organizations maintained a security operations center (SOC) 24/7, 85% reduced SOC staffing by as much as 50% on holidays and weekends.

The findings are part of Semperis’ 2024 Ransomware Holiday Risk Report published on November 20, 2024.

Speaking to Infosecurity about the findings, Dan Lattimer, Area VP EMEA West at Semperis noted that the running of a full SOC is very expensive.

“You might have just three or four people. Straight away that’s not 24/7. If you haven’t got a budget or you don’t have enough people in place, there’s no way you can start seven days a week,” he noted.

Some organizations may not run SOCs over the weekends because fewer employees are online, therefore the perceived risk – i.e. clicking of phishing links – is lower.

Other reasons for less monitoring over weekends include the business not having been targeted in the past and not believing their organization would be a target for hackers.

Attackers Exploit Holiday Periods to Get Paid

Unfortunately, ransomware attackers know this and take it as an opportunity to target companies at times when there is no one there to quickly respond to the problem.

“If I’m a gang trying to make money, I’m going to try and find a way of doing that at a point of time that gives me the highest chance that you’re going to pay me. By trying to choose a time, like a weekend or a holiday, you’re going to have less defenses,” Lattimer said.

This gives attackers more time to explore the network undetected and potentially encrypt and steal sensitive data.

Semperis found that 78% of global respondents from finance and 75% from manufacturing and utilities confirmed ransomware incidents on holidays or weekends.

Other trends highlighted by the Semperis report included 63% of respondents experiencing a ransomware attack following a material corporate event like mergers, acquisitions and workforce restructuring.

Identity Defenses Falling Short

Finally, organizations seem to overestimate their identity defenses. Semperis found that 81% of respondents believe they have the necessary expertise to protect against identity-related attacks, yet 83% suffered a successful ransomware attack within the past 12 months.

The firm, which focuses on Active Directory (AD) security, also said that 40% of companies do not have, or are uncertain that they have, sufficient budget to defend core identity systems such as Active Directory.

Without sufficient budget to address identity system defense, many organizations are missing key parts of an effective Identity threat detection and response strategy, the report said.

The 2024 Ransomware Holiday Risk Report brings together global data from its study of 900 IT and security leaders across US, UK, France and Germany.