More Than Half of Ransomware Attacks Hit During Holidays, New Global Report Shows

A new report has revealed persistent identity-centric gaps and off-hours staffing risks across 10 countries.

Published on Nov 24, 2025

More than half (52%) of organizations that experienced ransomware attacks in the past year reported that the incident occurred on a weekend or holiday.

The data comes from the new Semperis 2025 Ransomware Holiday Risk Report, which surveyed 1,500 IT and security professionals across multiple industries worldwide. The research also found that 60% of attacks struck after a major corporate event such as a merger, acquisition, or layoffs, highlighting how disruption remained a prime opportunity for attackers.

“Corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on,” Chris Inglis, former US National Cyber Director, noted. He added that organizations under operational pressure during transitions were more likely to pay quickly to restore services.

SOC Gaps and Identity Weaknesses Persisted

The report also showed that 76% of surveyed organizations operated an in-house SOC, yet weekend and holiday coverage remained inconsistent. Seventy-eight percent reduced SOC staffing by at least half during those periods, and six percent had no off-hours coverage at all. The top reason, cited by 62%, was preserving work/life balance.

Identity-related risks also stood out. While 90% of respondents said they scanned for identity vulnerabilities as part of an identity threat detection and response strategy, only 45% had formal remediation procedures.

Automated recovery lagged as well, with just 63% enabling automated restoration for platforms such as Active Directory, Entra ID, or Okta. Disaster recovery plans included identity systems inconsistently: 66% for Active Directory, 55% for Entra ID, and 42% for Okta.

How companies in the study are protecting their identity systems. Credit: Semperis.

These shortfalls raised concerns about resilience. “Recovery—the ability to restore your identity platform at speed—is the most critical capability for operational resilience,” said Simon Hodgkinson, former bp CISO and Semperis Strategic Advisor.

The research recommended that leaders strengthen preparedness by:

  • Prioritizing identity security during mergers, acquisitions, or other structural changes
  • Maintaining minimum Security Operations Center (SOC) coverage during holidays and weekends
  • Automating identity system recovery to prevent reinfection or persistence
  • Integrating identity platforms into crisis response and disaster recovery planning

For more information about these trends, Semperis’ latest report is available here.