A study analyzing 16,699 ransomware leak posts over two years reveals that ransomware operators primarily operate during business hours, peaking in the European afternoon, challenging the common narrative of nocturnal hackers. Key findings indicate that the number of posts decreases significantly on weekends, with Tuesday being the highest activity day. Additionally, October sees a spike in activity, while the overall ransomware operator population is growing, with notable increases in distinct brands.
The study suggests that defense strategies should focus on operational patterns rather than just headline brands, as many smaller, active operations can be overlooked.