Ransomware Operators Favor Business Hours, Data Shows 84% of Leak Posts Monday‑Friday
What Happened — An analysis of 16,699 ransomware leak‑site posts from 200 groups over two years reveals that 84 % of activity occurs Monday‑Friday, with a peak between 15:00‑22:59 UTC (11:00‑18:00 US E, 16:00‑23:00 CET). October consistently spikes activity, while weekends see a sharp drop.
Why It Matters for TPRM —
- Incident‑response staffing should align with attacker work‑hours, not the “3 am hacker” myth.
- Threat‑monitoring rules can be tuned to prioritize alerts during identified high‑activity windows.
- Seasonal spikes (October) warrant heightened vigilance and readiness reviews.
Who Is Affected — All industries that rely on ransomware‑resilient controls, especially technology/SaaS providers, MSPs/MSSPs, financial services, and critical infrastructure that may be targeted by the 200‑plus ransomware groups studied.
Recommended Actions —
- Align SOC shift schedules to ensure coverage during 15:00‑22:59 UTC.
- Harden detection rules for ransomware‑related C2 traffic and leak‑site activity in that window.
- Conduct a seasonal risk review ahead of October, updating response playbooks and communication plans.
Technical Notes — The study is based on public leak‑site postings; no specific CVE or malware family is identified. Activity correlates with Eastern‑European time zones, suggesting geographic concentration of operators. Data types leaked include credential dumps, exfiltrated documents, and ransomware decryption keys. Source: Security Affairs