[Semperis]: 2025 Ransomware Holiday Risk Report - 发现报告

2025 Ransomware Holiday Risk Report

Information Technology | 2025-11-20 | Semperis | 测***

The majority of ransomware attacks continue to occur over weekends or holidays; an even larger share occurs following an M&A.

“If you are not thinking about your infrastructure and protecting your infrastructure, which includes identity systems … I don’t know what to say. There’s no other starting point.”

In-house SOCs surge, but most organizations still slash staffing by 50% or more during high-risk periods.

Heather Costa, Mayo Clinic Director of Technology Resilience

ITDR strategies and identity vulnerability detection see wide adoption, but remediation and recovery capabilities are often lacking.

The Balancing Act: Risk vs Resilience

A proactive approach to identity threats can help leaders weigh ransomware risk against staffing and resource concerns.

“We need to focus on resilience and how to keep the business running while we’re being attacked. We need to proceed in the assumption that we’ve been compromised … how do we keep the business resilient?”

Building business resilience requires an often complex calculation of cyber threat risk and a balance between mitigating that risk, conserving resources, and retaining security personnel. Understanding when ransomware is most likely to strike and how attackers seek to infiltrate your environment is an important factor in the success of these efforts.

The 2025 Ransomware Holiday Risk Report analyzes responses from 10 countries and 8 industry sectors across North America, Europe, the United Kingdom, and Asia Pacific, gathered in partnership with international research firm Censuswide. The report offers insight into ransomware attack behavior and defense trends and recommends steps that organizations can take to strengthen their cybersecurity preparedness. Share these findings with your IT, security, and business stakeholders, and leverage the expert insights to improve your cyber crisis response planning.
Sean Deuby, Semperis Principal Technologist (Americas)

KEY FINDINGS

Identity security plans lack remediation and recovery capabilities
of respondents say they have solutions and procedures in place to detect identity system vulnerabilities, but only 45% have vulnerability remediation procedures and only 63% automate identity system recovery.

SOCs move in-house but continue to slash off-hours staffing
of surveyed organizations that maintain a security operations center (SOC) say they now do so internally; 78% of respondents with a SOC cut staffing by 50% or more during weekends and holidays.

Most attacks occur during times of distraction or disruption
of reported ransomware attacks within the past 12 months occurred on a weekend or holiday; 60% of attacks followed a material event such as a merger, acquisition, or round of layoffs.

CONTRIBUTING EXPERTS

Heather Costa, Mayo Clinic Director of Technology Resilience
Simon Hodgkinson, Former bp CISO | Semperis Strategic Advisor
Chris Inglis, Former US National Cyber Director | Semperis Strategic Advisor
Malcolm Turnbull
Sean Deuby, Semperis Principal Technologist (Americas)
James Doggett, Semperis CISO
Courtney Guss, Semperis Director of Crisis Management
Jeff Wichman, Semperis Director of Incident Response

TABLE OF CONTENTS

No Time Off for Ransomware
SOC Staffing Challenges
Readiness, Response … and Recovery
Crunching the Numbers: A Proactive Plan for Resilience
Appendix: Ransomware Risk by Country and Industry

52%

No Time Off for Ransomware

Attackers continue to target periods of distraction and disruption.

“When you go into a merger or acquisition, cyber due diligence tends to be an afterthought. By the time IT or security identifies necessary fixes, your attack surface has already grown by what you’ve acquired.”

As noted in the Semperis 2025 Ransomware Risk Report, this year’s study showed an overall drop in the frequency of ransomware attacks.* Still, more than half (52%) of global study respondents who reported being targeted said that the attack occurred during a weekend or holiday.

“While attacks on holidays and weekends have dropped, they still make up the majority,” notes Chris Inglis, former US National Cyber Director. “Staying alert is imperative because persistent and patient attackers will strike again if our vigilance fades.”

Simon Hodgkinson, Former bp CISO | Semperis Strategic Advisor

of ransomware attacks occurred after a material corporate event

In addition, 60% of ransomware attacks reportedly took place after a material corporate event, making such times the period of highest risk. Of those attacked after such an event, the majority (54%) reported being targeted following a merger or acquisition.

“Corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on,” says Inglis. “Worse, organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger and cannot afford downtime, making them more likely to pay quickly to restore operations.

after layoffs/redundancies afte