According to a report just published by cybersecurity company FireEye, 76 percent of all ransomware infections occur outside working hours, with 49 percent taking place during nighttime over the weekdays and 27 percent taking place over the weekend. The reason why attackers choose to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed. If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening. FireEye says that most of these types of sneaky nighttime/weekend ransomware attacks are usually the result of a prolonged network compromise and intrusion. Today, most ransomware gangs are in full control of their ransomware strains and they very carefully decide when it's the most suitable time to lock down a network, rather than making the move part of an automatic process. FireEye says the time from initial compromise to the actual ransomware attack, or "dwell time," is three days on average. It urges companies to invest in deploying detection rules for spotting attackers during this pre-infection period. "If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection," FireEye said. Read the report at FireEye.