GUEST RESEARCH: ANZ organisations should prepare for a surge in ransomware attacks during holidays, weekends, and major corporate events, when cybersecurity staffing is its weakest
Semperis, a leading provider of AI-powered identity security and cyber resilience, today released results from a global ransomware study underscoring that the majority of ransomware attacks continue to occur on holidays and weekends, when cybersecurity staffing is reduced. In addition, the study shows ransomware groups also intensify their attacks during corporate material business events, including mergers, acquisitions, IPOs, and layoffs, to exploit organisational disruption and reduced security focus.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor. “In addition, corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability – exactly the environment ransomware groups thrive on.”
“As ransomware campaigns grow more sophisticated, one truth has become clear: Cyber resilience is not the sole responsibility of the IT department; it is a collective obligation across the entire organisation” said Malcolm Turnbull, former Prime Minister of Australia and Strategic Advisor at Semperis.
“One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta. These are the digital keys that determine who can access what within an organisation. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defence.”
The report, titled 2025 Holiday Ransomware Risk Report, found that 52% of surveyed organisations in the U.S., UK, France, Germany, Italy, Spain, Singapore, Canada, Australia and New Zealand were targeted on holidays or weekends. Alarmingly, 78% of companies cut security operation centre (SOC) staffing by 50% or more, during holidays and weekends, while 6% cut their SOC staffing entirely during these same times. 60% of attacks occurred following an IPO, merger or acquisition, or round of layoffs.
Key Australia/New Zealand findings:
- 52% of ransomware attacks in occurred on a weekend or holiday, and 81% occurred after a material corporate event (i.e. merger or acquisition, IPO, layoffs).
- Ransomware attacks most frequently followed layoffs or redundancies in ANZ (54%)
- 85% of organisations with an in-house SOC reduce staffing by 50% or more on weekends and holidays, increasing their vulnerability. 7% eliminate SOC staffing.
- Almost two-thirds of organisations (63%) said they reduced staffing to provide better work/life balance.
- Concerningly, a third (35%) of organisations reduced staffing as they “didn’t think they’d be attacked” on a weekend.
- Identity threat detection and response (ITDR) plans gain traction in ANZ, with92%of respondents reporting that their plans detect identity system vulnerabilities. However, only 47% of plans include remediation procedures, and only 62% automate identity system recovery.
The full ransomware study, which includes breakdowns of responses by vertical market and by country is available here: 2025 Ransomware Holiday Risk Report.
For more information about how Semperis helps global organisations improve cyber resilience, visit the Semperis Identity Resilience Platform page: at https://www.semperis.com/identity-resilience-platform/.