Weekend: A Golden Opportunity for Ransomware Attacks


A new report from Semperis shows that weekends and holidays have become prime windows for ransomware operations. More than half of the organizations hit by ransomware in the past year were attacked precisely during these low-activity periods, times typically marked by limited staff, slower response rates and minimal monitoring of identity systems. Hackers exploit this gap, slipping deeper into networks before alarms are triggered.

Ransomware Risk During Organizational Transitions

According to the report, 60% of attacks occur after events such as mergers, acquisitions or internal restructuring—especially during M&A phases where identity systems undergo integration. These transitions create inconsistencies and vulnerabilities that attackers skillfully detect and exploit.

While the intensity of attacks varies across regions, the overall pattern remains constant:
Hackers strike when organizations look away from their critical infrastructure.

SOC Staff Reduction: An Open Door for Attackers

Although three-quarters of organizations have an internal SOC, 78% reduce staffing on weekends, and 6% leave their SOC completely unstaffed. These cuts stem from work–life balance policies, non-working days or the mistaken belief that attacks are less likely during holidays.
Experts warn that the long-held assumption—“attacks are less likely during downtime”—is no longer valid.

Chris Inglis, the first U.S. National Cyber Director, explains:
“Threat actors take full advantage of reduced cybersecurity staff during holidays. A lapse in vigilance during these hours can inflict the most damage on a business.”

Strong Detection, Weak Remediation

While 90% of companies have identity threat-detection programs and conduct vulnerability scans, only 45% take steps to fix the discovered issues.
This gap provides exactly the opportunity ransomware operators need—a single open pathway.

The pattern continues in recovery measures: Many organizations include Active Directory recovery in their crisis plan, yet remain unprepared for cloud-identity restoration. Although 63% have automated their recovery processes, teams relying on manual methods face extended downtime and slower service restoration.

Identity Challenges in Mergers: A Hidden Threat

During mergers, organizations typically focus on financial and structural alignment, leaving identity management for later stages. This delay leads to old accounts, unclear access paths and weak controls appearing during domain integration.
Experts emphasize that identity security should be part of due diligence, not an afterthought.

AI: A Support Tool for SOC, Not a Replacement

Companies are exploring AI-driven tools to reduce pressure on SOC analysts. While these tools help with prioritization and correlation, they cannot fully compensate for reduced human staffing during high-risk periods.

Meanwhile, AI systems create new machine identities that also require protection—introducing additional attack surfaces.