Cybercriminals Exploit Weekend Lull to Launch Ransomware Attacks

Summary:
According to Semperis’ new report, 2024 Ransomware Holiday Risk, ransomware gangs often strike when defenses are the weakest. Semperis conducted a global study of 900 IT and security professionals. Based on the findings, 86% of participants who experienced a ransomware attack in the past 12 months were targeted on a weekend or holiday, when staffing is most likely to be reduced. Although 96% of surveyed organizations maintained a security operations center (SOC), the study found that 85% reduced their SOC staff by as much as 50% on holidays and weekends.

Notably, 63% of respondents experienced a ransomware attack following a material corporate event, with organizations in the finance sector most likely to be targeted by ransomware after such events, followed by IT/Telecom, Travel/Transportation, Healthcare, etc.

“Not only do these situations create the distractions that bad actors love to exploit, but attackers can often extract large ransoms from companies desperate to regain access to critical systems or prove operational competence ahead of a major transaction. In addition, such events create inherent identity security challenges,” states Semperis in its new report.

Some other key takeaways from the report:
  • 20% of responding organizations that have an identity recovery plan DO NOT take cyber-specific use cases into account.
  • 17% DO NOT include measures to test for identity vulnerabilities.
  • 34% TEST their identity backups and identity recovery plan ONLY QUARTERLY—or less frequently.
  • 61% DO NOT include dedicated, Active Directory–specific backup systems, which are crucial to ensuring a fast, malware-free recovery of the identity system.

Security Officer Comments:
Semperis identified several factors contributing to the reduced staffing levels in SOCs during holidays and weekends:
  • Organizations believed weekend and holiday coverage was unnecessary, especially since most employees work Monday through Friday or their businesses operate solely during weekdays.
  • Some organizations had never been targeted by ransomware or did not believe that they would be targeted.
  • To promote a healthy work-life balance, organizations opted to limit SOC staffing during these times.

Additionally, in some regions, labor laws mandate higher pay rates for holiday, overnight, or weekend shifts, which can result in significant financial costs that some organizations may not be able to afford.

Suggested Corrections:
Organizations should ensure continuous staffing of SOCs during weekends and holidays to defend against opportunistic ransomware attacks. Implementing automated threat detection and response systems can help bridge staffing gaps. Additionally, companies should proactively strengthen their identity security frameworks, integrating cyber-specific use cases into identity recovery plans and regularly testing for vulnerabilities. Adopting more frequent testing schedules for identity backups and recovery processes, as well as incorporating Active Directory-specific backup systems, will also enhance preparedness and minimize the risk of successful attacks during high-risk periods.

Link(s):
https://www.semperis.com/wp-content...s-semperis-ransomware-holiday-risk-report.pdf