TL;DR: 52% of organisations were targeted on holidays or weekends, while 60% saw attacks after mergers, acquisitions, IPOs, or layoffs, and 78% cut SOC staffing by half or more during those periods, according to Semperis. Reduced staffing and governance ambiguity create the conditions ransomware groups exploit.
At a glance
What this is: This is a ransomware risk study showing that attacks concentrate during holidays, weekends, and material corporate events when staffing and governance are weakest.
Why it matters: It matters because identity, SOC, and recovery teams need controls that still hold when people are away, decisions slow down, and business change introduces accountability gaps.
By the numbers:
- 52% of surveyed organisations in the U.S., UK, France, Germany, Italy, Spain, Singapore, Canada, Australia and New Zealand were targeted on holidays or weekends.
- 78% of companies cut security operations centre (SOC) staffing by 50% or more during holidays and weekends.
- 60% of attacks occurred following an IPO, merger or acquisition, or round of layoffs.
- Only 45% of ITDR plans include remediation procedures.
👉 Read Semperis' ransomware holiday risk report
Context
Ransomware risk is not evenly distributed across the calendar. It rises when operational attention drops, incident response coverage thins, and business change creates uncertainty about who owns what. For identity and security teams, that means the real control problem is not only prevention. It is whether the programme still works when staff are reduced and governance is under stress.
Material corporate events such as mergers, acquisitions, IPOs, and layoffs create a second failure mode. Access decisions slow down, ownership becomes unclear, and attackers exploit the gap between organisational change and security control continuity. That makes holiday periods and business transitions a compound risk for ransomware, identity operations, and recovery readiness.
Key questions
Q: How should security teams prepare for ransomware during holidays and weekends?
A: Teams should treat holidays and weekends as predictable high-risk periods and keep escalation, identity monitoring, and recovery authority active. The main failure is assuming attacks will pause when staffing drops. Pre-stage response roles, verify privileged access coverage, and make sure recovery steps do not depend on full-team availability.
Q: Why do mergers, acquisitions, and layoffs increase ransomware risk?
A: These events create ownership confusion, delayed access cleanup, and temporary permissions that outlive their purpose. Ransomware operators exploit that ambiguity because identity governance slows while the organisation is changing. The risk is highest where privileged accounts, third-party access, and recovery authority are not explicitly reassigned.
Q: What breaks when ITDR detects problems but cannot recover identity services quickly?
A: Detection alone does not stop ransomware if teams still need manual coordination to restore trusted access and rotate credentials. The breakdown is operational: alerts arrive, but restoration stalls. Organisations need recovery procedures that work under reduced staffing and can restore identity services before disruption spreads.
Q: Who is accountable when ransomware hits during a major business event?
A: Accountability should sit with the owners of privileged access, identity recovery, and business change governance, not with the SOC alone. During mergers, acquisitions, or layoffs, response depends on clear authority over access decisions and system restoration. If that authority is unclear, containment slows and the blast radius grows.
Technical breakdown
Why ransomware groups time attacks to staffing gaps
Ransomware operators do not need a novel exploit if they can wait for weak coverage. Reduced SOC staffing extends dwell time, slows triage, and increases the chance that compromised accounts or systems remain usable long enough for encryption, exfiltration, or lateral movement. The attack is operationally timed, not just technically enabled. In identity-heavy environments, this often means credentials, remote access, and recovery workflows are left under-monitored during the exact periods when attackers expect less resistance.
Practical implication: maintain 24x7 monitoring and escalation coverage for identity and recovery paths during holiday and weekend periods, with a named person on call for privileged-access decisions rather than a shared queue nobody is watching.
How corporate events disrupt identity governance
Mergers, acquisitions, IPOs, and layoffs introduce ownership churn across accounts, privileged access, and recovery responsibilities. During these periods, teams often delay access reviews, pause cleanup work, or leave temporary permissions in place because the organisation is changing faster than governance processes can keep up. That creates a window where standing access, shared admin paths, and unrevoked third-party credentials become easier to abuse. Ransomware crews prefer these moments because ambiguity lowers the chance of rapid containment.
Practical implication: do not freeze critical access reviews during business events, and assign explicit ownership for privileged accounts before the change window opens.
Why detection is not enough without recovery procedures
The report shows many ITDR programmes can detect identity vulnerabilities, but fewer can remediate and recover automatically. That gap matters because ransomware response is a race against business disruption, not a simple alerting problem. If recovery steps depend on manual coordination, teams lose valuable time restoring trusted identity services, rotating credentials, and rebuilding access paths. Detection without recovery becomes a visibility layer that cannot stop operational loss.
Practical implication: test identity recovery runbooks for speed, automation, and authority to act without waiting for perfect staffing.
Threat narrative
Attacker objective: The attacker aims to maximise business disruption by striking when detection, escalation, and recovery are least likely to be coordinated quickly.
- Entry typically begins when reduced staffing and distraction leave identity systems, remote access paths, or privileged credentials less closely watched during holidays, weekends, or major corporate events.
- Escalation follows when attackers exploit that delay to expand access, move through identity infrastructure, or keep compromised accounts active long enough to prepare ransomware deployment.
- Impact is achieved when ransomware encrypts systems, disrupts recovery, and uses business uncertainty to slow coordinated containment and restoration.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Holiday timing is a governance problem, not just a staffing problem. The report shows ransomware groups deliberately choose periods when people, approvals, and escalation paths are thinnest. That means the control failure is structural: identity and incident workflows assume normal staffing levels, but attackers operate against the exception case. Practitioners should treat holidays and weekends as predictable high-risk operating states, not calendar noise.
Material business events create access ambiguity that ransomware actors can exploit. Mergers, acquisitions, IPOs, and layoffs disrupt ownership of privileged accounts, third-party access, and recovery authority. In practice, the attack surface expands because governance decisions are deferred while the organisation is in motion. The implication is clear: if access ownership is unclear during change, ransomware has more room to persist and spread.
ITDR is only as strong as its remediation and recovery path. The study shows detection is common, but automated recovery is much less mature. That leaves a familiar gap in identity resilience: teams can see the problem, but still need manual coordination to restore trust. Practitioners should measure whether identity recovery can be executed under reduced staffing, not only whether an alert fires.
Identity resilience must be designed for business turbulence, not steady state. Holiday staffing cuts and corporate events expose the same assumption, that security operations can always react quickly enough. The organisations that fare better are the ones that pre-stage recovery decisions, authority, and runbooks before the disruption begins. For identity teams, resilience is a calendar-aware operating model, not a quarterly project.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- Read 52 NHI Breaches Analysis for breach patterns that show why delayed revocation turns a staffing gap into a lasting compromise.
What this signals
Holiday-aware identity operations: The practical lesson is that access governance must be built for reduced staffing, not ideal staffing. When response windows widen, the first thing to fail is usually not detection but the speed of authority transfer, credential revocation, and recovery execution. Teams that pre-assign authority for holidays and corporate change windows reduce the chance that ransomware can exploit organisational hesitation.
Semperis' data shows that 78% of companies cut SOC staffing by 50% or more during holidays and weekends. That staffing pattern does not just slow security operations; it changes the attacker's economics, because the same intrusion now has a longer window to spread before a decisive response is possible.
For identity programmes, the next step is to connect change management, privileged access, and recovery planning in one operating model. The best signal of maturity is not whether a control exists on paper, but whether it still works when the business is distracted and the security team is half-sized.
For practitioners
- Keep identity response coverage on during low-staff periods: Retain named escalation coverage for privileged access, account lockout, and recovery decisions on holidays and weekends. Do not rely on the assumption that fewer people means fewer attacks.
- Pre-stage ownership for corporate change windows: Assign accountable owners for privileged accounts, partner access, and recovery authority before mergers, acquisitions, IPOs, or layoffs begin. Remove ambiguity before the business event creates it.
- Test recovery procedures under constrained staffing: Run tabletops and technical recovery drills that assume reduced SOC capacity, delayed approvals, and limited executive availability. Verify that identity restoration can proceed without waiting for full staffing.
- Review dormant and temporary privileged access before the holiday period: Validate which temporary accounts, emergency credentials, and third-party entitlements will still be active when the organisation is least available. Remove anything that does not need to survive the downtime.
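One way to turn the last two practitioner items above, together with the stale-temporary-access window described under "How corporate events disrupt identity governance", into a repeatable pre-window check, as an added example that is not code from the Semperis report or from NHIMG: given an entitlement inventory and the dates of an upcoming low-staff window, list everything that would still be usable while the team is away and why it needs attention. The inventory, the field names, the departed-owner list, the window dates and the 30-day dormancy threshold are all assumptions constructed for this example.

```python
"""Pre-window access review: what would still be usable while the team is away.

Added example, not code from the Semperis report or NHIMG. The inventory,
field names, dates and the 30-day dormancy threshold are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    id: str
    kind: str                  # "service", "temporary", "emergency" or "third_party"
    owner: Optional[str]       # accountable person or team; None means nobody
    privileged: bool
    expires: Optional[date]    # None means standing access with no expiry
    last_used: Optional[date]  # None means never used


# Constructed sample inventory (not real accounts).
INVENTORY = [
    Entitlement("svc-backup",      "service",     "infra",  True,  None,               date(2025, 11, 20)),
    Entitlement("svc-legacy-sync", "service",     "bob",    True,  None,               date(2025, 8, 1)),
    Entitlement("tmp-merge-admin", "temporary",   None,     True,  date(2026, 1, 15),  date(2025, 9, 2)),
    Entitlement("breakglass-1",    "emergency",   "it-ops", True,  None,               date(2025, 4, 1)),
    Entitlement("vendor-msp-api",  "third_party", "alice",  False, None,               date(2025, 11, 21)),
    Entitlement("contractor-jdoe", "temporary",   "bob",    False, date(2025, 12, 23), date(2025, 11, 22)),
]

# Assumed: alice left in a layoff round and her entitlements were never reassigned.
DEPARTED = {"alice"}

# Assumed low-staff window (year-end holidays) and the date the review is run.
WINDOW_START = date(2025, 12, 24)
AS_OF = date(2025, 11, 24)
MAX_IDLE_DAYS = 30


def usable_when_window_opens(e: Entitlement, window_start: date) -> bool:
    """True if the entitlement is still valid on the day the window opens."""
    return e.expires is None or e.expires >= window_start


def idle_days(e: Entitlement, as_of: date) -> Optional[int]:
    """Days since last use, or None if the entitlement has never been used."""
    return None if e.last_used is None else (as_of - e.last_used).days


def review(inventory, window_start, as_of, departed, max_idle_days=MAX_IDLE_DAYS):
    """Map entitlement id -> reasons it must be dealt with before the window opens.

    Anything that expires before the window is left alone. Everything else is
    checked for missing or departed ownership, temporary access that outlives
    the window, standing third-party access, dormant privileged access, and
    break-glass credentials whose custody must be confirmed.
    """
    findings = {}
    for e in inventory:
        if not usable_when_window_opens(e, window_start):
            continue
        reasons = []
        if e.owner is None or e.owner in departed:
            reasons.append("no accountable owner during the window; reassign first")
        if e.kind == "temporary":
            reasons.append("temporary access outlives the window; shorten expiry or revoke")
        if e.kind == "third_party" and e.expires is None:
            reasons.append("standing third-party access with no expiry; time-box or revoke")
        idle = idle_days(e, as_of)
        # Break-glass credentials are dormant by design, so they are exempt here.
        if e.privileged and e.kind != "emergency" and (idle is None or idle > max_idle_days):
            label = "never used" if idle is None else f"{idle} days idle"
            reasons.append(f"privileged and dormant ({label}); disable before the window")
        if e.kind == "emergency":
            reasons.append("break-glass: confirm vault custody and a named approver for the window")
        if reasons:
            findings[e.id] = reasons
    return findings


def run_review():
    """Run the review against the constructed inventory with the assumed dates."""
    return review(INVENTORY, WINDOW_START, AS_OF, DEPARTED)


if __name__ == "__main__":
    for eid, reasons in sorted(run_review().items()):
        print(eid)
        for r in reasons:
            print("  -", r)
```

On the constructed inventory, the in-use backup service account and the contractor whose access ends the day before the window are left alone; the unowned temporary admin created for the merger, the dormant legacy service account, the standing vendor key whose owner was laid off, and the break-glass credential each come back with the specific reason a reviewer must act on before the window opens. In practice the inventory rows come from the directory, the secrets vault and the partner-access system, and the review is run far enough ahead of the window that ownership can actually be reassigned.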
Key takeaways
- Ransomware risk rises sharply when staffing falls and governance becomes slower to act than the attacker.
- The report shows a material concentration of attacks during holidays, weekends, and corporate change events, with remediation and recovery often lagging behind detection.
- Teams should harden identity recovery, ownership, and escalation paths before the calendar or the business event creates a gap attackers can use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NHI-03 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | RC.RP-01 | Recovery planning is central when ransomware strikes during staffing gaps. |
| NIST Zero Trust (SP 800-207) | Policy engine / policy enforcement point (per-session access decisions) | Access decisions must remain tightly controlled during holiday and event-driven disruption. |
| NHI-03 | Secret rotation and revocation | NHI secret rotation and revocation gaps extend ransomware impact after notification; audit secret lifecycle processes so temporary or dormant credentials cannot survive a response window. |
Key terms
- Identity recovery: Identity recovery is the process of restoring trusted access, authentication, and privileged control after disruption. For ransomware, that means bringing back the accounts, directories, secrets, and administrative paths the business depends on, while ensuring the restored state is clean and authoritative.
- Material business event: A material business event is a corporate change that alters ownership, priorities, or access governance, such as a merger, acquisition, IPO, or layoff round. These events often create access ambiguity, delayed cleanup, and conflicting accountability that attackers can exploit.
- ITDR: Identity threat detection and response is the set of monitoring and response capabilities aimed at identity-based attacks. It is only effective when detection is paired with remediation and recovery, because alerting alone does not restore trust in compromised identity systems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Semperis: 2025 Ransomware Holiday Risk Report. Read the original.
Published by the NHIMG editorial team on 2025-11-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org