Semperis has warned organisations to brace for heightened ransomware activity during holidays, weekends, and major business events, when cyber defences are often weakened.
The Hoboken-based identity security company’s 2025 Holiday Ransomware Risk Report reveals that 52% of surveyed organisations were targeted on holidays or weekends, with 78% reducing security operations centre (SOC) staffing by half or more during these periods. Six percent reported cutting SOC staffing entirely.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks,” said Chris Inglis, former U.S. National Cyber Director and now Strategic Advisor at Semperis. “Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions.”
The report found that cybercriminals also exploit moments of organisational distraction, with 60% of ransomware attacks occurring after material corporate events such as mergers, acquisitions, IPOs, or layoffs. Over half of these post-event attacks — 54% — followed a merger or acquisition.
Corporate motives for reducing SOC coverage vary: 62% cited the need to preserve work-life balance, 47% said their business closes on holidays and weekends, and 29% assumed they would not be targeted during those times.
Identity threat detection and response (ITDR) plans are gaining traction, with 90% of organisations now detecting vulnerabilities in identity systems. However, fewer than half (45%) include remediation procedures, and only 63% automate recovery.
The findings underline the growing need for round-the-clock vigilance. Inglis added that material corporate events “often create distractions and ambiguity in governance and accountability — exactly the environment ransomware groups thrive on.”
The full report, which includes sector and country-level analysis, is available via Semperis: semperis.com/ransomware-holiday-risk-report.
