Spam continues to plague businesses: its volume increased 400% in the past year alone, according to the 2017 IBM X-Force Threat Intelligence Index, and nearly 44% of all spam messages contain a malicious attachment.
Spam emails could also have contributed to the recent rise in ransomware, as 85% of malicious spam attachments deliver ransomware, IBM found.
In a report released Monday, IBM researchers dug deeper into six months of data to determine when, where, and how spammers plan their attacks. Here are the top takeaways they found:
- Spammers are most active on Tuesdays, followed by Wednesdays and Thursdays. This is likely because Tuesdays are a key day for email marketing, with 20% more opens than average, according to HubSpot. Spammers are least active on Mondays and Fridays.
- More than 83% of all spam is sent during weekdays, with significant drops on weekends.
- Spam volume rises around 1 am ET and drops around 4 pm ET, because spammers start with targets in Europe before moving on to those in the US.
- In terms of location, the top originator of spam in the past six months was India, followed by South America and China.
The weekday activity makes sense: spammers who target organizations with trojans such as Dridex, TrickBot and QakBot (cybergang-owned malware designed to rob business bank accounts) make sure to spam employees during the times when potential new victims are most likely to open incoming email, IBM noted.
But some botnets don’t sleep: For example, the Necurs botnet is one of the biggest in the world, and spreads spam for several notorious cybergangs. Necurs’ zombie members can be programmed to send spam at any time of day, leading to greater infection rates. This botnet’s delivery tactics have also changed frequently in the past few months, moving from lacing Microsoft Office documents with malicious exploits, to poisoned PDF files embedded with a laced Office file, to sending malware in .WSF files, according to the report. Most recently, the cybergang has been sending fake DocuSign attachments, which make the messages look more legitimate while delivering the malicious payload.
Spammers have grown increasingly sophisticated, and studying trends around spamming is “an essential part of threat intelligence and situational awareness for any organization,” according to the report.
“Spammers and spam botnets launch millions of malicious messages every day, hoping to get through to potential victims, infect new endpoints, invade another organization and keep rolling the cash laundromat that drives cybercrime,” IBM researchers wrote in the report. “By learning their methods and tracking their activity, defenders can better manage risk and keep their organizations safer from spam.”
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- The volume of spam messages increased 400% in the past year. -IBM, 2017
- Spammers are most active on Tuesdays, and least active on Mondays and Fridays. -IBM, 2017
- India, South America, and China are the top originators of spam. -IBM, 2017