Semperis has released new global research confirming that ransomware actors continue to time their attacks for weekends, public holidays and major corporate events—precisely when security teams are least prepared to respond. The findings highlight an urgent need for Australian and New Zealand organisations to strengthen identity systems and maintain vigilance during periods of reduced staffing.
The 2025 Holiday Ransomware Risk Report shows that 52% of organisations across ten countries—including Australia and New Zealand—experienced ransomware attacks during weekends or holidays. The study also found that 60% of attacks occurred around material business events such as mergers, acquisitions, IPOs and layoffs, when governance is disrupted and security focus is diverted.
Chris Inglis, former U.S. National Cyber Director and now a strategic advisor to Semperis, said adversaries are intentionally exploiting predictable drops in security coverage. “Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks,” he said. “The persistence and patience attackers have can lead to long-lasting business disruptions. Corporate material events… create distractions and ambiguity in governance and accountability – exactly the environment ransomware groups thrive on.”
Malcolm Turnbull, former Prime Minister of Australia and strategic advisor at Semperis, said the findings reinforce that cyber resilience is now a whole-of-organisation responsibility. “As ransomware campaigns grow more sophisticated, one truth has become clear: Cyber resilience is not the sole responsibility of the IT department; it is a collective obligation across the entire organisation,” he said.
He noted that hardening identity systems—such as Active Directory, Entra ID and Okta—is among the most effective defences. “In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defence.”
The study identifies concerning trends across Australia and New Zealand. More than half (52%) of attacks occurred during weekends or holidays, and 81% followed significant corporate disruptions such as mergers, acquisitions or layoffs. Layoff-related turmoil was a dominant precursor in ANZ, with 54% of attacks occurring after redundancy cycles.
Staffing gaps remain a core issue: 85% of organisations with in-house SOCs reduce staffing by at least half during weekends and holidays, and 7% eliminate SOC coverage entirely. While 63% cited the need to improve work/life balance, more troubling is that 35% cut security coverage because they “didn’t think they’d be attacked” during off-hours.
The findings also show momentum in identity threat detection and response (ITDR) initiatives across the region. A strong majority (92%) of ANZ organisations say their ITDR plans can detect vulnerabilities in identity systems. However, only 47% include remediation procedures, and just 62% automate identity system recovery—leaving most enterprises exposed during high-pressure incidents.
Semperis says the data points to a critical gap between awareness and action. Attackers are exploiting human and operational patterns, and organisations must assume that off-hours windows are now deliberate targets. Improved identity system resilience, automated recovery, 24/7 monitoring and clearer governance during corporate transitions remain essential to reducing risk.
The full Semperis 2025 Holiday Ransomware Risk Report, including industry and country-specific breakdowns, is now available.
You can read the full report here.
