Per Security Affairs, a recent analysis of 16,699 ransomware leak-site posts from over 200 groups over two years reveals a distinct pattern in operational timing, challenging the common perception of nocturnal hackers.The data analyzed by the Ransomnews Research Team indicates that ransomware operations largely follow a business week, with significantly fewer posts on Sundays compared to Mondays and Tuesdays. Fifty percent of all posts occurred between 15:00 and 22:59 UTC, aligning with European business hours, suggesting operators are based in Eastern Europe or Russia. This contradicts the popular image of hackers operating in the middle of the night. Seasonally, October shows a yearly spike in activity, while the period from May to August is notably slower.The analysis also highlights a rapid growth in the number of active ransomware groups, nearly doubling from May 2024 to April 2026, with 67 distinct brands posting in April 2026. Despite law enforcement efforts, new groups quickly emerge to replace defunct ones, indicating a dynamic and expanding threat landscape. The high mortality rate of ransomware brands suggests that defense strategies focusing on prominent groups may miss the majority of ongoing threats from the long tail of smaller operations.Source: Security Affairs
Ransomware
Ransomware leak posts show weekday peak, October spikes

An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



