We pulled every ransomware leak-site post we could observe over the past 24 months. The corpus came in at 16,699 distinct victim listings from 200 groups. We then asked the obvious question almost nobody answers with real data: when does ransomware actually fire? The picture is clean. Ransomware runs on office hours. 84% of leak posts land Monday through Friday. Half of all activity happens in just 8 UTC hours, centred on the European afternoon and US morning. October is open season every year. And the operator population is still growing, not consolidating.
Ransomnews Research Team. Window: 13 May 2024 to 13 May 2026. Corpus: every observed leak-site post across 200 distinct group brands.
Key takeaways
- Workweek calendar. 84% of all leak posts land Monday to Friday. Monday and Tuesday together carry 6,153 posts; Saturday and Sunday combined only 2,715.
- Peak window is European afternoon. 50% of all activity falls in just 8 UTC hours (15:00 to 21:00). That maps to 11:00 to 17:00 US Eastern, 16:00 to 22:00 Central European. Operators publish during working hours, not midnight.
- October is open season. Every year the corpus shows an October spike. February 2025 (1,004 posts) and December 2025 (1,007 posts) set single-month records.
- Ecosystem keeps growing. The active group population nearly doubled in 24 months: from 38 groups in May 2024 to 67 in April 2026. Consolidation is the opposite of what is happening.
- Half the cohort is already dead. Of 178 groups that posted 5+ times, 87 have gone dormant (no posts in 90+ days). Ransomware operator lifespan is short and getting shorter.
- One operator does a Mondays equivalent of a small breach team’s week. The most-active single day in the corpus was a Monday in February 2025 with 263 victim posts in 24 hours.

How does ransomware activity break down by day?
The day-of-week pattern is the single most useful chart in the dataset. Ransomware operators publish leak-site listings overwhelmingly during the working week. Monday absorbs 3,080 posts over the 24 months, Tuesday almost the same at 3,073. The volume then tapers slightly through the week and falls off a cliff on Saturday and Sunday.

The mythology around ransomware involves anonymous hooded figures hammering keys at 3am. The data says the opposite. The operators who post leak-site listings are running this as a business with a working week. Sunday is the slowest day in the corpus, with only 1,189 posts across all 200 groups over 24 months, less than 40% of Monday’s volume.
The practical consequence for defenders is that Monday morning and Tuesday morning, US time, are the windows where new disclosures are most likely. If your incident-response team has a quieter shift, it is not the weekend.
What hour do leak-site operators actually publish?

The hour-of-day distribution is even more striking. The 8-hour window from 15:00 to 22:59 UTC captures 50% of all 16,699 leak posts. That single block translates roughly to:
- 11:00 to 18:00 US Eastern. Lunch through end of day.
- 16:00 to 23:00 Central European. Late afternoon into evening.
- 18:00 to 01:00 Moscow time. Late evening, leaning into night.
This is consistent with operators sitting in Eastern Europe, the Balkans, or Russia, publishing during their own working hours. It is not consistent with the Western popular image of nocturnal hackers. The 04:00 UTC hour is the dataset’s quietest, with just 215 posts across two years, less than one post every four days globally.
For a global incident response team that needs to be ready for new public disclosures, the peak coverage window is the European afternoon. Asia-Pacific defenders dealing with European or Russian operators will routinely wake up on Tuesday morning to find that overnight produced a fresh batch of leaks.
Is there a calendar season for ransomware?

Yes, and it shows up in two patterns. The first is the October peak. October 2024 hit 611 posts; October 2025 hit 1,029. November also runs above the annual average in both years observed. The October spike is consistent with operators ramping up activity before the end-of-year freeze that comes with Western holidays and corporate budget cycles.
The second pattern is the summer lull. The May to August window is consistently softer than the rest of the year. Operators do not pause entirely, but volume drops 30 to 40% relative to October. Whether this reflects operator vacations, victim IT teams being out, or both, the seasonality is real.
Two single months broke records during the window: February 2025 with 1,004 posts and December 2025 with 1,007. February 2025 in particular was dominated by a single very productive day, 24 February, when 263 victim posts were observed in 24 hours, the busiest single day across the entire corpus.
Is the ransomware ecosystem consolidating or growing?

Growing. This is the finding that contradicts the standard industry narrative about a few mega-operators dominating. In May 2024 we observed 38 distinct ransomware brands posting in a single month. In April 2026 we observed 67. The active population has nearly doubled.
The fragmentation is what comes out of takedowns and law-enforcement actions. After Conti dissolved in 2022, the affiliates and tooling dispersed into a long tail of smaller brands. The Operation Cronos disruption of LockBit in early 2024 had the same effect at smaller scale. RansomHub’s shutdown in early 2025 was followed by a noticeable bump in newcomer brands, including The Gentlemen, which started posting in September 2025 and accumulated 408 victims in 246 days, an average of 1.7 per day.
The other side of this is the cost. Of 178 groups in the corpus with 5 or more posts (filtering out one-off appearances), 87 are now dormant, defined as no posts for 90 or more days. That is 49% mortality at this small filter, over 24 months. Ransomware operator brands live fast and die young. The median operator lifecycle in our corpus looks closer to a year than to the multi-year-dynasty mythology around LockBit or Cl0p.
Who actually dominates the leak boards?

Qilin is the new flagship operation, posting 1,690 victims over 731 active days, averaging 2.3 leaks per day across the window. Akira sits second with 1,124. Both have been continuously operational across the entire 24 months and show no signs of slowing.
The story under the top two is more interesting. RansomHub, which was the volume leader in 2024 with 801 victims in just 322 days, has been dormant since early April 2025. That is the highest-volume operator in the corpus that is now functionally dead. Its absence is part of what made room for The Gentlemen and other late-2025 entrants.
The other working flagships, in order, are Play, Cl0p, INC Ransom, SafePay, DragonForce, Lynx, and The Gentlemen. All of these post regularly. SafePay, which only started in November 2024, has accumulated 475 victims in 534 days and is one of the faster-growing brands in the dataset.
What does any of this mean for defenders?
Three concrete things, in order of how cheap they are to act on.
First, staff your incident response calendar around the actual data, not the myth. Monday and Tuesday morning, US time, are when new public disclosures are most likely to drop. The traditional Friday-afternoon ransomware deployment story is real for the encryption event itself, but the leak-site publication that follows is a Monday morning problem. If you have on-call rotation, weight it accordingly.
Second, treat October as an alert window. Every year in the corpus shows an October spike that runs into November. Whether the cause is operator effort or victim distractedness around quarter-end is open. The pattern is consistent enough that security teams should not be running their major change-freeze or major holiday-staffing reductions in October.
Third, think in terms of the population, not the headliners. The takedown narrative around LockBit, AlphV, or RansomHub matters less than it used to because the operator population is growing fast. There are 200 brands in the 24-month corpus, with 67 active at peak. Any defence strategy that tracks a top-10 list will miss the long tail that is doing most of the post-2025 work.
Frequently asked questions
How many ransomware leak-site posts were analysed?
16,699 distinct victim listings from 200 ransomware brands, observed over 24 months between 13 May 2024 and 13 May 2026.
What percentage of leak posts happen on weekends?
16.3% across the 24-month window. Workday volume is over five times Sunday volume. 84% of activity falls Monday through Friday.
What is the peak hour for ransomware leak-site posts?
16:00 UTC is the single busiest hour with 1,334 posts. The 8-hour window from 15:00 to 22:59 UTC captures 50% of all activity, which corresponds to European afternoon and US morning to early afternoon.
Which month sees the most ransomware activity?
October consistently peaks. October 2024 was 611 posts; October 2025 was 1,029. February 2025 was the single-largest month at 1,004, driven mainly by a 263-post single day on 24 February.
Is the ransomware ecosystem consolidating?
The opposite. The active group population has nearly doubled, from 38 in May 2024 to 67 in April 2026. Post-takedown affiliate dispersal keeps producing new brands.
What is the highest-volume ransomware group right now?
Qilin, with 1,690 victims observed over the 24 months and continuing to post at roughly 2.3 victims per day. Akira is second with 1,124. RansomHub, the previous volume leader, has been dormant since April 2025.
How long do ransomware groups usually last?
Shorter than the headline brands suggest. Of 178 groups that posted 5+ times in the corpus, 87 are now dormant after 90+ days of silence. The mortality rate is close to 49% over 24 months. The Conti, LockBit, and Cl0p dynasties are the exceptions, not the rule.
Sources and methodology
- Ransomnews leak-site corpus, observed posts between 13 May 2024 and 13 May 2026 (16,699 records, 200 distinct group names).
- All timestamps are UTC as observed at the moment of discovery, not victim-local time.
- Group names are taken as published on the operator’s leak-site infrastructure. Known rebrands are counted separately because they typically represent distinct affiliate teams.
- “Dormant” is defined as no observed post in the 90 days prior to the corpus cut-off date.
- “5+ post” filter applied to lifespan analysis to exclude one-off appearances and partial scrapes.
- Single-operator mass-drops can skew single-day metrics. The record day in this corpus (24 February 2025, 263 posts) was driven by Clop’s bulk release during the Cleo MFT exploitation campaign, with 235 of the 263 posts attributed to Clop. Re-running the headline numbers with Clop excluded entirely keeps the workweek pattern intact: Mon-Fri share moves from 83.7% to 83.3%, and the peak hour shifts only from 16:00 UTC to 15:00 UTC. Across the full 24-month window, Clop accounts for 697 of 16,699 posts (4.2% of the corpus).
Related Ransomnews coverage
- Ransomtracker, our live index of leak-site ransomware operations and their published victims.
- 62% of database ransom wallets were never paid, the on-chain economics of the bottom of the funnel.
- Initial access brokers and the ransomware supply chain, where these operations get their entry points.
- Ransomware ditched encryption in May 2026, on the shift to pure data extortion.
- Best ransomware protection for business 2026, layered endpoint and platform defences ranked.
- Best ransomware-resistant backup, the last line when prevention fails.
- About the Ransomnews Research Team.
Keywords: ransomware leak site timing 2026, ransomware day of week, ransomware office hours, ransomware hourly distribution, October ransomware peak, ransomware ecosystem fragmentation, ransomware group lifespan, Qilin ransomware victims, Akira ransomware, RansomHub dormant, The Gentlemen ransomware, ransomware research 2026, leak site corpus analysis, Ransomnews Research Team.
This report is based on a 24-month corpus of ransomware leak-site posts compiled by Ransomnews Research. All timing is UTC. Group names follow operator self-identification on their leak infrastructure. Counts are conservative and reflect distinct posts, not the underlying victim count which can be lower (rescans) or higher (group-internal listings not yet public).
