In most cases of human-operated ransomware attacks against enterprises, the hackers don’t trigger the malware immediately: according to FireEye researchers, in most (75%) of cases, at least three days passed between the first evidence of malicious activity and ransomware deployment.

What are the attackers waiting for? One of the reasons for the delay is the wish to spread the ransomware to many systems before running it. But they also like to wait for the weekend or at least the night, when there’s few or no employees – IT, IT security or others – to notice something is wrong and to react promptly to minimize the damage.