SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Ransomware attacks surge in Australia & New Zealand on holidays

Tue, 25th Nov 2025

Australian and New Zealand organisations are facing heightened cyber risks as ransomware groups increasingly target periods of reduced security staffing, a new study has found. Attackers are timing their campaigns to coincide with weekends, holidays, and major corporate events, exploiting operational disruption and decreased vigilance.

Targeted timing

More than half of ransomware attacks affecting organisations in Australia and New Zealand occur during weekends or public holidays, according to findings from the 2025 Holiday Ransomware Risk Report. During these times, security coverage is typically weakened as many companies reduce their cybersecurity teams. The report found that 85% of local organisations with an in-house Security Operations Centre (SOC) cut staffing by at least half on weekends or public holidays, and a further 7% have no SOC personnel during these periods.

Corporate events risk

Ransomware groups are also exploiting periods of organisational upheaval, with 81% of reported attacks taking place after a significant corporate event such as a merger, acquisition, initial public offering, or layoffs. Notably, 54% of attacks in the region occurred specifically after layoffs or redundancies, suggesting that financially or structurally stressed businesses are especially vulnerable.

Staffing blind spots

The data highlights a clear security gap, with nearly two-thirds of organisations stating they reduce staffing levels to provide work/life balance for employees. However, 35% admitted they did so due to a belief that attacks were unlikely to occur over the weekend, underscoring a complacency gap. Insurers have warned that insufficient security monitoring during weekends could have implications for cyber insurance coverage, as increased claims in the region are now being scrutinised for staffing adequacy during incidents.

Identity system exposure

Attackers are increasingly leveraging generative AI to develop detailed profiles of target organisations, including research into staffing rosters, public holidays, and key corporate announcements. This intelligence is used to time attacks when companies are most vulnerable. The report shows that in almost all major ransomware cases, compromised credentials were the entry point. While 92% of surveyed organisations in the region have identity threat detection and response procedures, only 47% include specific remediation processes and just 62% have automated recovery capabilities.

Expert warnings

"Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions," said Chris Inglis, Strategic Advisor, Semperis.

Malcolm Turnbull, Strategic Advisor at Semperis, said, "As ransomware campaigns grow more sophisticated, one truth has become clear: Cyber resilience is not the sole responsibility of the IT department; it is a collective obligation across the entire organisation."

"One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta. These are the digital keys that determine who can access what within an organisation. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defence," said Turnbull.
