Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis report. Those periods often come with thin staffing, slower investigation, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised.
60% of incidents happened after a merger, acquisition, restructuring, or similar shift inside the business. The most common trigger was an M&A effort. When identity environments are being consolidated, inconsistencies appear. Attackers look for these weak points and move quickly when they find them.
Global results vary by region and sector, but the pattern is the same. Threat groups prefer moments when internal teams are busy, distracted, or reorganizing critical systems.
SOC staffing choices create gaps
Three-quarters of respondents operate an in-house SOC. Staffing drops sharply during weekends and holidays: 78% cut SOC coverage by at least half during those periods, and 6% leave the SOC empty.
The most common reason for reduced coverage is the desire to support work-life balance. Another frequent reason is that the organization is closed outside the workweek. A smaller group believes an attack is unlikely during those hours. That assumption continues to decline, which signals some movement toward an assume-breach mindset.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.
These staffing patterns create openings that adversaries understand. Automated alerting helps, as do outsourced monitoring arrangements and triage processes. What does not help is an extended stretch with no one watching identity systems while attackers are active during off-hours.
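As an added example (not code from the Semperis report or from this article), the Python sketch below shows one way to make automated alerting coverage-aware: high-impact identity changes that would normally sit in the SOC queue are instead paged to an on-call rota when they land on a weekend, a holiday, or outside staffed hours. The staffing window, the holiday calendar, the event names and the audit lines are all constructed assumptions, not real data.

```python
"""Off-hours escalation for identity-system audit events.

Added example: the log lines, holiday calendar and staffing window
below are constructed assumptions, not data from the report.
"""
from datetime import date, datetime, time, timezone

# Assumed SOC rota: Monday-Friday, 08:00-18:00, expressed in UTC.
SOC_TZ = timezone.utc
STAFFED_START = time(8, 0)
STAFFED_END = time(18, 0)

# Constructed holiday calendar (dates the SOC is thinly staffed or closed).
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}

# Identity changes that warrant a human look regardless of the hour.
HIGH_IMPACT_EVENTS = {
    "PRIVILEGED_GROUP_MEMBER_ADDED",
    "DOMAIN_TRUST_CREATED",
    "GPO_LINKED_TO_DOMAIN_ROOT",
}

# Constructed audit lines: "<ISO-8601 UTC timestamp> <event> <detail>".
SAMPLE_LOG = """\
2024-12-24T15:10:00Z USER_LOGON alice
2024-12-25T02:41:12Z PRIVILEGED_GROUP_MEMBER_ADDED svc_backup -> Domain Admins
2024-12-28T11:05:30Z DOMAIN_TRUST_CREATED corp.example <-> acquired.example
2024-12-30T10:15:00Z PRIVILEGED_GROUP_MEMBER_ADDED helpdesk_tmp -> Account Operators
2024-12-30T22:48:09Z GPO_LINKED_TO_DOMAIN_ROOT Default Domain Policy
2025-01-02T09:00:00Z USER_LOGON bob
"""


def parse_timestamp(ts):
    """Parse an ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(SOC_TZ)


def is_staffed(moment):
    """True when the SOC is fully staffed at `moment` (an aware datetime)."""
    local = moment.astimezone(SOC_TZ)
    if local.weekday() >= 5 or local.date() in HOLIDAYS:
        return False
    return STAFFED_START <= local.time() < STAFFED_END


def route(event, moment):
    """Decide where an identity event goes, given SOC coverage at that time."""
    if event not in HIGH_IMPACT_EVENTS:
        return "log_only"
    return "soc_queue" if is_staffed(moment) else "page_oncall"


def triage_log(text):
    """Group audit lines into routing buckets: {route: [(ts, event, detail)]}."""
    buckets = {"page_oncall": [], "soc_queue": [], "log_only": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, detail = line.split(" ", 2)
        buckets[route(event, parse_timestamp(ts))].append((ts, event, detail))
    return buckets


if __name__ == "__main__":
    for bucket, events in triage_log(SAMPLE_LOG).items():
        print(f"{bucket}: {len(events)}")
        for ts, event, detail in events:
            print(f"  {ts} {event} {detail}")
```

On the constructed sample, the privileged-group change on Christmas morning, the new domain trust on a Saturday and the late-night GPO link all page on-call, while the same kind of group change during a staffed Monday morning stays in the normal SOC queue. The routing rule is deliberately small so it can sit in front of an existing alert pipeline; the point is that coverage, not just event severity, decides who is woken up.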
Detection is strong, recovery lags
Identity security has become a standard part of ransomware defense. 90% of respondents have an identity threat detection and response strategy. Most perform vulnerability scans across their identity platforms, which reduces exposure to credential misuse.
The gap appears in follow-through. Only 45% have procedures to fix the weaknesses they discover. Without remediation, visibility alone cannot stop attackers. Intruders need only one exposed path, and if fixes sit unattended, that path stays open.
Recovery planning follows a similar trend. Two-thirds include Active Directory recovery in disaster plans; fewer include recovery processes for cloud identity systems. 63% automate identity recovery. Manual rebuilds are slow and often extend downtime. Past incidents have shown that the speed of identity restoration determines how quickly the business can function again.
Identity complexity during mergers increases risk
When two organizations combine, leaders often focus on business conditions and cost alignment, while identity design receives attention later. During domain consolidation and trust changes, inconsistencies appear, including stale accounts, weak controls, and unclear access paths.
Early identity planning during transactions would reduce these issues. Treating identity as part of due diligence rather than a late integration step would uncover problems before they embed themselves in the merged environment.
Teams are exploring AI-driven tools to reduce pressure on SOC analysts. These tools can help with triage and correlation tasks, but they do not replace staffing during high-risk periods. Security leaders should understand where automation is helpful and where it cannot fill coverage gaps. AI agents also introduce new machine identities that must be secured.
