Ransomware Attacks Peak During Non-Traditional Business Hours
Ransomware Attacks Thrive Outside Business Hours, Fueled by Identity Compromise
A recent analysis of 661 incident response and managed detection cases has shed light on the tactics and techniques employed by attackers in the wild. The Sophos Active Adversary Report 2026, which covers cases handled between November 2024 and October 2025, reveals that identity-related root causes account for 67% of all initial access methods. This trend is particularly concerning, as it highlights the continued exploitation of weaknesses in authentication systems and user accounts.
Attackers’ Tactics and Techniques
The report’s findings indicate that attackers are increasingly relying on compromised credentials, brute-force attacks, phishing, and other forms of identity abuse to gain initial access to targeted systems. This approach allows them to bypass traditional security measures and move quickly to high-value targets, such as directory services.
In fact, the median time to reach Active Directory (AD) from the start of an intrusion is just 3.4 hours. This rapid progression underscores the importance of swift containment and highlights the need for robust monitoring and detection capabilities. AD remains a prime target for attackers, as it governs authentication, authorization, and policy enforcement across large portions of enterprise environments.
Impact and Consequences
The dataset reveals that the median dwell time for attackers is three days, providing ample opportunity for reconnaissance, credential harvesting, privilege escalation, and staging for ransomware or data theft. Furthermore, the report notes that the most disruptive stages of ransomware incidents often occur outside business hours, with 88% of encryption deployments and 79% of data exfiltration activities taking place during non-business hours.
The use of generative AI has also been observed in the dataset, although its impact is more incremental than revolutionary. Attackers are leveraging AI to improve the speed, volume, and personalization of phishing campaigns, making them more convincing and effective. However, the underlying access methods remain unchanged, and the technology is primarily acting as a force multiplier for existing techniques.
Recommendations and Conclusion
The report’s findings emphasize the need for organizations to prioritize identity security, implement robust monitoring and detection capabilities, and extend their security coverage beyond standard business hours. By doing so, they can reduce the risk of falling victim to ransomware and data theft, and minimize the impact of these attacks when they do occur.
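The 88%/79% off-hours figures above translate into a concrete operational rule: high-impact indicators (bulk encryption or exfiltration activity) that fire outside staffed hours should page on-call rather than sit in a queue until morning. The following is an added example of such a triage rule, not code from the Sophos report; the business-hours window, the fixed UTC offset, the indicator names and the sample telemetry are all assumptions.

```python
"""Off-hours escalation rule for ransomware indicators (added example).

Sensor timestamps arrive in UTC; the business-hours test must be made in the
organisation's local zone, or a weekday 02:00 intrusion can look like a
09:00 one. A fixed offset is used here so the example runs anywhere; a real
deployment would use zoneinfo.ZoneInfo with the IANA zone for DST handling.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumed policy: SOC staffed Monday-Friday 08:00-18:00 local (UTC-5 here).
BUSINESS_TZ = timezone(timedelta(hours=-5), "local")
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)          # exclusive: 18:00 exactly is already off-hours
WEEKEND = {5, 6}                    # datetime.weekday(): Saturday, Sunday

# Assumed indicator classes for the encryption / exfiltration stages the report
# found concentrated outside business hours.
HIGH_IMPACT = {"mass_file_rename", "shadow_copy_delete", "bulk_outbound_transfer"}

@dataclass(frozen=True)
class Event:
    ts_utc: str        # ISO-8601 timestamp as emitted by the sensor (UTC)
    host: str
    indicator: str

def is_business_hours(ts_utc: str) -> bool:
    """Convert the UTC timestamp to local time, then test weekday and window."""
    local = datetime.fromisoformat(ts_utc).astimezone(BUSINESS_TZ)
    if local.weekday() in WEEKEND:
        return False
    return BUSINESS_START <= local.time() < BUSINESS_END

def triage(events):
    """Return (paged, queued): off-hours high-impact indicators page; the rest queue."""
    paged, queued = [], []
    for ev in events:
        if ev.indicator in HIGH_IMPACT and not is_business_hours(ev.ts_utc):
            paged.append(ev)
        else:
            queued.append(ev)
    return paged, queued

# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    Event("2025-03-11T14:05:00+00:00", "fs01", "mass_file_rename"),        # Tue 09:05 local: staffed
    Event("2025-03-12T06:30:00+00:00", "fs01", "mass_file_rename"),        # Wed 01:30 local: page
    Event("2025-03-15T17:00:00+00:00", "dc01", "bulk_outbound_transfer"),  # Sat 12:00 local: page
    Event("2025-03-13T23:00:00+00:00", "fs02", "shadow_copy_delete"),      # Thu 18:00 local: boundary, page
    Event("2025-03-12T06:31:00+00:00", "ws22", "new_service_install"),     # off-hours but not high-impact
]

if __name__ == "__main__":
    paged, queued = triage(SAMPLE_EVENTS)
    for ev in paged:
        print("PAGE ", ev.ts_utc, ev.host, ev.indicator)
    for ev in queued:
        print("QUEUE", ev.ts_utc, ev.host, ev.indicator)
```

The half-open window (`< BUSINESS_END`) is deliberate: an encryption burst starting as the last analyst logs off is exactly the case the report's figures describe, so it must not be classed as in-hours.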
