TL;DR: 52% of organisations were targeted on holidays or weekends, while 60% saw attacks after mergers, acquisitions, IPOs, or layoffs, and 78% cut SOC staffing by half or more during those periods, according to Semperis. Reduced staffing and governance ambiguity create the conditions ransomware groups exploit.
NHIMG editorial — based on content published by Semperis: 2025 Ransomware Holiday Risk Report
By the numbers:
- 52% of surveyed organizations in the U.S., UK, France, Germany, Italy, Spain, Singapore, Canada, Australia and New Zealand were targeted on holidays or weekends.
- 78% of companies cut security operations center (SOC) staffing by 50% or more during holidays and weekends.
- 60% of attacks occurred following an IPO, merger or acquisition, or round of layoffs.
Questions worth separating out
Q: How should security teams prepare for ransomware during holidays and weekends?
A: Teams should treat holidays and weekends as predictable high-risk periods and keep escalation, identity monitoring, and recovery authority active.
Q: Why do mergers, acquisitions, and layoffs increase ransomware risk?
A: These events create ownership confusion, delayed access cleanup, and temporary permissions that outlive their purpose.
Q: What breaks when ITDR detects problems but cannot recover identity services quickly?
A: Detection alone does not stop ransomware if teams still need manual coordination to restore trusted access and rotate credentials.
Practitioner guidance
- Keep identity response coverage on during low-staff periods: Retain named escalation coverage for privileged access, account lockout, and recovery decisions on holidays and weekends.
- Pre-stage ownership for corporate change windows: Assign accountable owners for privileged accounts, partner access, and recovery authority before mergers, acquisitions, IPOs, or layoffs begin.
- Test recovery procedures under constrained staffing: Run tabletops and technical recovery drills that assume reduced SOC capacity, delayed approvals, and limited executive availability.
What's in the full report
Semperis' full report covers the operational detail this post intentionally leaves for the source:
- Country and vertical breakdowns showing where holiday ransomware pressure is most concentrated.
- Survey data on why organisations cut SOC staffing, including work/life balance, closed-business periods, and perceived attack timing.
- The split between ITDR detection coverage, remediation procedures, and automated identity recovery.
- The report's full methodology and response set across the surveyed countries.
Holiday ransomware spikes: what IAM and SOC teams need to change?