Bah, Humbug! Ransomware Spikes During Holidays: Semperis Report

The report also found surges on weekends and after major corporate events like acquisitions.

While the holidays bring joy and good spirits to many, they may also bring headaches for CIOs and CISOs.

A new report from cybersecurity company Semperis found that 52 percent of organizations surveyed were hit with a ransomware attack during the holidays or weekends.

Here’s an eye-opener: Eighty percent of ransomware attacks occur after a major business event like a merger, acquisition, IPO or a round of layoffs, Semperis’ 2025 Ransomware Holiday Risk Report also found.

The report analyzed responses from companies in 10 countries and eight industry sectors across North America, Europe, the U.K. and Asia-Pacific, gathered in partnership with research firm Censuswide.

The main reason these attacks increase during times of distraction is pretty obvious: a reduction in staffing.

Seventy-six percent of organizations surveyed had a Security Operations Center. Yet, 78 percent of the organizations with a SOC cut staffing by 50 percent or more during holidays and weekends.

The No. 1 reason the survey respondents cited for the staff reduction during those periods is steeped in good intent—to give employees a better work and life balance.

As for why organizations are more vulnerable to attacks during times of disruption:

“Corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on,” said Chris Inglis, former U.S. National Cyber Director, in the report. “Worse, organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger and cannot afford downtime, making them more likely to pay quickly to restore operations,” said Inglis.

Semperis’ report offered suggestions for organizations to help ward off attacks during times of distraction:

“Being able to see what’s happening might enable organizations to pivot and adapt faster based on changing operations, business needs and regulatory reporting requirements,” said Courtney Guss, director of crisis management, Semperis, in a statement in the report. “The ROI of outsourcing also seems to be shifting as AI begins to handle some Tier 1 work, leaving the more complex work for SOC analysts,” Guss said.

“If you ever want your employees to be out for the holiday, you need to plan and prepare,” Jeff Wichman, director of incident response at Semperis, was quoted as saying in the report. “You need to have some type of monitoring, even if it’s third-party monitoring with extra diligence over that period. There is no time off.”

Attackers leverage weak or compromised credentials in Active Directory, Entra ID, Okta and other identity platforms.

The report suggests that organizations look to modernize their identity platforms before a major announcement like a merger or acquisition.

Access Semperis’ full report including its methodology here.