Ransomware Operators Exhibit Predictable Business Hours

Severity: Low (Score: 33.9)

Sources: Securityaffairs.Co

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: ransomware, hours, posts, operators, keep, business, data

Severity indicators: ransomware, rat

Summary

An analysis of 16,699 ransomware leak posts over two years reveals that ransomware operators tend to operate during specific business hours, with an 84% drop in activity from Monday to Friday. The data shows peak activity during European afternoon hours and notable spikes in October each year. This trend suggests a level of organization and predictability in ransomware operations, which could be leveraged for defensive strategies. The analysis covers 200 groups and provides insights into the timing of ransomware attacks, offering valuable information for cybersecurity professionals. Understanding these patterns can help organizations better prepare and respond to potential ransomware threats.

Key Points:

  • Ransomware activity drops 84% during weekdays, peaking in European afternoons.
  • The study analyzed 16,699 posts from 200 ransomware groups over two years.
  • October sees consistent spikes in ransomware activity annually.

Detailed Analysis

**Impact** The analysis covers 16,699 ransomware leak posts from 200 ransomware groups over two years, indicating widespread targeting across multiple sectors and geographies, with a notable focus on European time zones. The data shows a significant operational pattern with an 84% reduction in activity during Monday to Friday business hours and annual spikes in October. This suggests that victims across industries are at risk during specific time windows, potentially affecting data confidentiality and operational continuity.

**Technical Details** The ransomware operators primarily use leak sites to publish stolen data, with activity peaking during European afternoon hours. No specific malware families, CVEs, or attack vectors are detailed in the articles. The timing pattern suggests a kill chain stage focused on data exfiltration and public exposure aligned with operator business hours. No IOCs or infrastructure specifics are provided.

**Recommended Response** Defenders should prioritize monitoring ransomware leak sites and network traffic during European afternoon hours and October for increased activity. Implement enhanced detection for data exfiltration and lateral movement during these periods. Since no specific vulnerabilities or malware are identified, focus on general ransomware defenses, including regular backups, patch management, and user awareness training.

Source articles (2)

  • Ransomware Operators Keep Business Hours. The Data Proves It — Securityaffairs.Co · 2026-06-01
    16,699 ransomware leak posts over 2 years show 84% drop Monday–Friday, peak at European afternoon hours. October spikes yearly. Someone analyzed 16,699 ransomware leak-site posts across 200 groups ove…
  • Ransomware Operators Keep Business Hours. The Data Proves It — Securityaffairs.Co · 2026-06-01
    16,699 ransomware leak posts over 2 years show 84% drop Monday–Friday, peak at European afternoon hours. October spikes yearly. Someone analyzed 16,699 ransomware leak-site posts across 200 groups ove…

Timeline

  • 2026-06-01 — Ransomware business hours analysis published: A comprehensive analysis reveals ransomware operators maintain predictable business hours, with significant drops in activity during weekdays.

Related entities

  • Ransomware (Attack Type)