Ransomware

Ransomware leak posts show weekday peak, October spikes

Per Security Affairs, a recent analysis of 16,699 ransomware leak-site posts from over 200 groups over two years reveals a distinct pattern in operational timing, challenging the common perception of nocturnal hackers.

The data analyzed by the Ransomnews Research Team indicates that ransomware operations largely follow a business week, with significantly fewer posts on Sundays compared to Mondays and Tuesdays. Fifty percent of all posts occurred between 15:00 and 22:59 UTC, aligning with European business hours, suggesting operators are based in Eastern Europe or Russia. This contradicts the popular image of hackers operating in the middle of the night. Seasonally, October shows a yearly spike in activity, while the period from May to August is notably slower.

The analysis also highlights a rapid growth in the number of active ransomware groups, nearly doubling from May 2024 to April 2026, with 67 distinct brands posting in April 2026. Despite law enforcement efforts, new groups quickly emerge to replace defunct ones, indicating a dynamic and expanding threat landscape. The high mortality rate of ransomware brands suggests that defense strategies focusing on prominent groups may miss the majority of ongoing threats from the long tail of smaller operations.

Source: Security Affairs

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds