The vast majority of ransomware attacks against the corporate sector occur after hours, mainly at night and on weekends. According to a report released by the US security firm FireEye, “in 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization. This observation underscores that threat actors continue working even when most employees may not be.”
The most important reason attackers choose to launch ransomware attacks after hours is that IT staffing is often insufficient during these periods, the probability of infection is greater, and more devices can be infected. Even if a ransomware attack does trigger a security alert within the company, there may be no one to respond immediately and shut down the network, so no effective response happens before the ransomware finishes encrypting.
Cybersecurity companies say that the attackers go on to spread across all of the company’s networks, taking the time to move laterally to as many workstations as possible, then manually installing ransomware on all systems and triggering the infection. “The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection,” FireEye said.