Ransomware Operators Keep Business Hours. The Data Proves It


16,699 ransomware leak posts over 2 years show 84% drop Monday–Friday, peak at European afternoon hours. October spikes yearly.

Someone analyzed 16,699 ransomware leak-site posts across 200 groups over two years and asked the question most threat intelligence reports dance around: when does this actually happen? The answer is mundane and useful. Ransomware runs on a workweek, peaks during European office hours, spikes every October, and the operator population is growing fast. Nobody who defends networks for a living should still be planning around the hooded-hacker-at-3am image.

The day-of-week breakdown is unambiguous. Monday absorbed 3,080 posts across the 24-month window. Tuesday came in at 3,073. Sunday posted 1,189.

“The mythology around ransomware involves anonymous hooded figures hammering keys at 3am. The data says the opposite,” reads the report published by Ransomnews Research Team. “The operators who post leak-site listings are running this as a business with a working week. Sunday is the slowest day in the corpus, with only 1,189 posts across all 200 groups over 24 months, less than 40% of Monday’s volume.”

The practical implication is direct: if your incident response team has a lighter shift, it shouldn’t be Saturday or Sunday. It should be Tuesday.

The hourly distribution is even more concentrated. Fifty percent of all 16,699 posts landed in just eight UTC hours, the window from 15:00 to 22:59. That maps to 11:00 to 18:00 US Eastern and 16:00 to 23:00 Central European.

“This is consistent with operators sitting in Eastern Europe, the Balkans, or Russia, publishing during their own working hours. It is not consistent with the Western popular image of nocturnal hackers,” continues the report. “The 04:00 UTC hour is the dataset’s quietest, with just 215 posts across two years, less than one post every four days globally.”

Asia-Pacific defenders facing European or Russian adversaries will consistently wake up Tuesday morning to find that the overnight hours produced a new batch of disclosures.

Seasonality is also real. October spiked in both years observed: 611 posts in October 2024, 1,029 in October 2025. The May through August window runs 30 to 40 percent softer than October across the board. The most active single day in the entire corpus was 24 February 2025, when 263 victim posts landed in 24 hours. Whether the summer lull is driven by operator vacations, by victim IT teams being understaffed during holidays, or by both, the pattern holds consistently enough to plan around.

The narrative about law enforcement consolidating the ransomware landscape doesn’t hold up either.

“Growing. This is the finding that contradicts the standard industry narrative about a few mega-operators dominating. In May 2024 we observed 38 distinct ransomware brands posting in a single month. In April 2026 we observed 67,” continues the report. “The active population has nearly doubled.”

After RansomHub went dark in early 2025, newcomer brands filled the gap almost immediately. The Gentlemen started posting in September 2025 and accumulated 408 victims in 246 days. A takedown removes a brand, not the affiliates, not the tooling, not the operational knowledge. Those scatter into smaller operations and keep working.

Qilin is now the highest-volume operation in the dataset with 1,690 victims over 731 days, averaging 2.3 leaks per day. Akira sits second at 1,124. Both have been continuously operational across the entire 24 months. RansomHub, the volume leader in 2024 with 801 victims in just 322 days, has been dormant since April 2025. SafePay, which launched in November 2024, has already accumulated 475 victims. The top-10 list changes faster than most threat intelligence programs track it.

The mortality rate for operator brands is high. Of 178 groups with five or more posts, 87 are now dormant. That’s 49 percent effectively dead within two years. Ransomware operator brands live fast and collapse fast, which means a defence strategy built around tracking headline names will routinely miss where the actual volume is coming from.

“Third, think in terms of the population, not the headliners. The takedown narrative around LockBit, AlphV, or RansomHub matters less than it used to because the operator population is growing fast. There are 200 brands in the 24-month corpus, with 67 active at peak,” concludes the report. “Any defence strategy that tracks a top-10 list will miss the long tail that is doing most of the post-2025 work.”

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)
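The day-of-week and hour-of-day measurements described in the article can be reproduced on any set of leak-post timestamps. The following is an added example, not code from the Ransomnews report or from Security Affairs: it normalises timestamps to UTC, counts posts per weekday, and finds the narrowest contiguous UTC-hour window that holds at least half of the posts. The timestamps are constructed sample data and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: leak-post timestamps as scraped, with mixed UTC offsets.
SAMPLE_POSTS = [
    "2025-02-24T15:10:00+00:00", "2025-02-24T19:30:00+03:00",
    "2025-02-24T13:05:00-05:00", "2025-02-25T19:45:00+00:00",
    "2025-02-25T22:20:00+01:00", "2025-02-27T01:30:00+03:00",
    "2025-02-26T09:00:00+00:00", "2025-02-27T11:15:00+00:00",
    "2025-02-27T13:40:00+00:00", "2025-02-28T07:05:00+00:00",
    "2025-03-01T01:50:00+00:00", "2025-03-02T04:00:00+00:00",
]
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def to_utc(stamps):
    """Parse ISO 8601 timestamps and normalise them to UTC, so that a post
    made at 01:30 local time on Thursday (+03:00) counts as Wednesday 22:30."""
    return [datetime.fromisoformat(s).astimezone(timezone.utc) for s in stamps]

def weekday_counts(posts):
    """Posts per weekday, counted on the UTC calendar day."""
    counts = Counter(DAYS[p.weekday()] for p in posts)
    return {day: counts[day] for day in DAYS}

def smallest_hour_window(posts, target=0.5):
    """Narrowest contiguous UTC-hour window (wrapping past midnight) holding
    at least `target` of all posts. Returns (start_hour, width, share)."""
    if not posts:
        raise ValueError("no posts to analyse")
    per_hour = Counter(p.hour for p in posts)
    for width in range(1, 25):
        best_start, best = 0, -1
        for start in range(24):
            n = sum(per_hour[(start + i) % 24] for i in range(width))
            if n > best:  # strict: ties keep the earliest start hour
                best_start, best = start, n
        if best / len(posts) >= target:
            return best_start, width, best / len(posts)

if __name__ == "__main__":
    posts = to_utc(SAMPLE_POSTS)
    print(weekday_counts(posts))
    start, width, share = smallest_hour_window(posts)
    end = (start + width - 1) % 24
    print(f"{share:.0%} of posts fall in {start:02d}:00-{end:02d}:59 UTC")
```

Run against a real leak-site feed, the same two functions give the weekday skew and the peak publishing window that an on-call rota can be checked against.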