Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Holiday ransomware spikes: what IAM and SOC teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: 52% of organisations were targeted on holidays or weekends, while 60% saw attacks after mergers, acquisitions, IPOs, or layoffs, and 78% cut SOC staffing by half or more during those periods, according to Semperis. Reduced staffing and governance ambiguity create the conditions ransomware groups exploit.

NHIMG editorial — based on content published by Semperis: 2025 Ransomware Holiday Risk Report

By the numbers:

Questions worth separating out

Q: How should security teams prepare for ransomware during holidays and weekends?

A: Teams should treat holidays and weekends as predictable high-risk periods and keep escalation, identity monitoring, and recovery authority active.

Q: Why do mergers, acquisitions, and layoffs increase ransomware risk?

A: These events create ownership confusion, delayed access cleanup, and temporary permissions that outlive their purpose.

Q: What breaks when ITDR detects problems but cannot recover identity services quickly?

A: Detection alone does not stop ransomware if teams still need manual coordination to restore trusted access and rotate credentials.

Practitioner guidance

  • Keep identity response coverage on during low-staff periods Retain named escalation coverage for privileged access, account lockout, and recovery decisions on holidays and weekends.
  • Pre-stage ownership for corporate change windows Assign accountable owners for privileged accounts, partner access, and recovery authority before mergers, acquisitions, IPOs, or layoffs begin.
  • Test recovery procedures under constrained staffing Run tabletops and technical recovery drills that assume reduced SOC capacity, delayed approvals, and limited executive availability.

What's in the full report

Semperis' full report covers the operational detail this post intentionally leaves for the source:

  • Country and vertical breakdowns showing where holiday ransomware pressure is most concentrated.
  • Survey data on why organisations cut SOC staffing, including work/life balance, closed-business periods, and perceived attack timing.
  • The split between ITDR detection coverage, remediation procedures, and automated identity recovery.
  • The report's full methodology and response set across the surveyed countries.

👉 Read Semperis' ransomware holiday risk report →

Holiday ransomware spikes: what IAM and SOC teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Holiday timing is a governance problem, not just a staffing problem. The report shows ransomware groups deliberately choose periods when people, approvals, and escalation paths are thinnest. That means the control failure is structural: identity and incident workflows assume normal staffing levels, but attackers operate against the exception case. Practitioners should treat holidays and weekends as predictable high-risk operating states, not calendar noise.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when ransomware hits during a major business event?

A: Accountability should sit with the owners of privileged access, identity recovery, and business change governance, not with the SOC alone. During mergers, acquisitions, or layoffs, response depends on clear authority over access decisions and system restoration. If that authority is unclear, containment slows and the blast radius grows.

👉 Read our full editorial: Ransomware risk spikes on holidays and material events



   
ReplyQuote
Share: