Ransomware operators tend to follow a traditional Monday-to-Friday schedule, with a significant 84% drop in activity outside of these hours. Analysis of 16,699 leak-site posts from 200 groups over two years reveals that these cybercriminals peak during European afternoon hours, suggesting they may be based in or coordinating with individuals in this region. Additionally, the data shows a notable spike in ransomware activity every October1. This pattern challenges the common perception of ransomware attacks occurring at random hours, instead indicating that operators often adhere to a standard workweek. The growing population of ransomware operators and their predictable schedules underscore the importance of operational resilience planning for network defenders. This information matters to practitioners because it highlights the need to adjust defense strategies to account for the increasingly organized and scheduled nature of ransomware attacks.
Ransomware Operators Keep Business Hours. The Data Proves It
⚡ High Priority
Why This Matters
Ransomware targeting Intel highlights sector-specific risk — operational resilience planning is the real takeaway.
References
- SecurityAffairs. (2026, June 1). Ransomware Operators Keep Business Hours. The Data Proves It. SecurityAffairs. https://securityaffairs.com/192969/cyber-crime/ransomware-operators-keep-business-hours-the-data-proves-it.html
Original Source
SecurityAffairs
Read original →