Ransomware Operators Keep Business Hours. The Data Proves It

The timing data overturns the cinematic image of hackers working in the dead of night. By concentrating 50% of all leak posts between 15:00 and 22:59 UTC, ransomware operators align their activities with European office hours, which translates to mid‑morning to early evening on the U.S. East Coast. For security operations centers, this means that the lightest staffing periods should be scheduled for Tuesdays rather than weekends, and that automated monitoring must be tuned to capture bursts during these windows.

Seasonality adds another layer of predictability. October consistently produces a surge of disclosures—611 posts in 2024 and 1,029 in 2025—while the May‑August stretch sees a 30‑40% dip. Simultaneously, the ransomware ecosystem is fragmenting: the number of distinct brands posting in a single month jumped from 38 in May 2024 to 67 by April 2026, and the top‑10 operators turnover faster than most intelligence programs can track. High‑profile takedowns, such as the shutdown of RansomHub, merely redistribute tooling and expertise to newer, smaller groups.

For defenders, the strategic implication is clear: threat‑intel programs must move beyond static top‑10 watchlists and adopt a population‑centric approach. Continuous monitoring of the long tail—tracking emerging brands, their posting cadence, and geographic hotspots—offers a more resilient posture against a rapidly expanding adversary pool. Integrating these timing and seasonality insights into incident‑response playbooks can reduce dwell time, improve resource allocation, and ultimately blunt the business impact of ransomware attacks.