Ransomware Spikes During Holidays and Weekends: Report

A new report finds that the majority of ransomware attacks occur over weekends and holidays, but they’re even more common after mergers and acquisitions. Organizations may slash staffing by 50% or more during these periods, leaving them vulnerable to attack.

The analysis comes from Semperis, a global identity services and security firm that offers enterprise products including Active Directory, Entra ID, and Okta. Its new 2025 Ransomware Holiday Risk Report was based on insights from 1,500 security and IT leaders across 10 countries and eight industry sectors.

Despite high risk during weekends, holidays, and after corporate changes, ransomware attacks in 2025 were down slightly from a year ago, according to the Semperis report.

The same isn’t true for all corporate cyberattacks, though. The 2025 Comcast Business Threat Report, released in October 2025, found 35 billion cybersecurity events this year and said the attacks are increasing in both volume and velocity.

The Semperis report took a more targeted approach, breaking down ransomware attacks by country and by industry.

Telecom respondents said ransomware attacks occurred with the following frequency:

  • After a material corporate event: 70%
  • After a merger or acquisition: 53%
  • After layoffs/redundancies: 46%
  • After an initial public offering (IPO): 43%

In the US, 53% of those attacks occurred on a weekend or holiday.

Chris Inglis, the first U.S. national cyber director, told Semperis that ransomware attacks are designed to hit businesses when they’re most vulnerable.

Organizations face “ambiguity in governance and accountability” during these times and “cannot afford downtime, making them more likely to pay quickly to restore operations,” he said in the report.

In addition to reporting the timing of ransomware attacks, the report analyzed staffing levels and identity threat detection and response (ITDR) strategies.

Among telecom companies, the report found that 75% of organizations reduce staffing on weekends and holidays, while 4% eliminate it altogether. 

However, they don’t come to the battle without armor. Ninety-one percent of telecom respondents told Semperis they have an ITDR strategy, and the same percentage said they scan for identity vulnerabilities. Almost half (48%) also reported having vulnerability and remediation procedures, while 63% said they automate identity recovery.

In comparison, 93% of organizations surveyed across the U.S. have an ITDR strategy, but only 45% have vulnerability remediation procedures. 

Unfortunately, having a plan isn’t the same as having an effective plan. A separate Semperis report, published in April 2025, found that cybersecurity plans aren’t always executed well. The biggest barriers to success were the following:

  • Cross-team communication gaps
  • Out-of-date response plans
  • Unclear roles and responsibilities
  • Too many disparate tools
  • Staffing shortages
