Ransomware operators' workday
📊 AnalyticsYesterday, 07:04
Ransomnews published a study on the timing patterns of ransomware activity. The analysis is based on data covering 16,699 victims disclosed by 200 ransomware operators between May 2024 and May 2026.
Here are the key findings:
📅 Most victim disclosures are posted on weekdays, with Monday and Tuesday accounting for the largest share — 37% of all posts. Activity then declines toward the weekend, when only 16% of posts appear.
🕛 50% of victim disclosures fall within an eight-hour window from 18:00 to 01:00 Moscow time, which aligns with regular business hours on the U.S. East Coast from 11:00 to 18:00.
⛱ The highest posting activity occurs at the end of the calendar year, while during the summer months, threat actors reduce posting volume by 30%–40% compared to annual peaks.
📈 Despite the disappearance of several major operators, the ecosystem continues to fragment. In May 2024, there were 38 active brands, while by April 2026 that number had risen to 67.
📊 The three most active groups during this period were Qilin, Akira and RansomHub. Qilin and Akira remained active throughout the entire monitoring period (over 700 days each), while RansomHub, once among the market leaders, has shown no activity since April 2025.
The analysis shows that ransomware operators follow consistent temporal patterns: victim disclosures cluster on weekdays and within specific hours, showing clear seasonality. At the same time, the market continues to fragment — the disappearance of large players does not reduce overall activity, as their place is quickly taken by new brands. These trends indicate further institutionalization of the ransomware market and its resilience to the loss of individual actors, underscoring the need for continuous monitoring of emerging groups, regular updates of IOCs, and updating response playbooks.
Products
Published
2026-06-17, 07:04