Stolen Credentials Now Drive the Majority of Ransomware Incidents
Cybercriminals have shifted tactics. A new analysis from Sophos shows that compromised logins are now the primary way ransomware gets inside a network. The report, based on real-world incidents, found that 79% of ransomware attacks trace back to an initial intrusion that exploited legitimate user credentials or abused identity systems.
That’s a major jump. It means the front door — a stolen password or a phished login — is now far more dangerous than a software bug.
“Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector,” said Ross McKerchar, CISO at Sophos, in a statement to Infosecurity. He pointed to advances in social engineering, including AI-polished phishing emails and sophisticated ClickFix campaigns designed to trick even trained users into bypassing multi-factor authentication (MFA).
How Attackers Get In: Phishing, Brute Force, and Old Vulnerabilities
The report breaks down the initial entry points. Malicious emails accounted for 26% of ransomware incidents, up from 19% in 2025. Phishing attacks — often used to steal credentials — were the root cause in 24% of cases, rising from 18% the previous year.
Brute force attacks came in third at 23%, a slight dip from 22% in 2025. That method relies on automation to guess weak or common passwords.
What’s falling out of favor? Exploiting known security vulnerabilities. That approach dropped from 32% in 2025 to just 18% in 2026. Attackers are choosing the path of least resistance — and that path leads straight to human error and weak identity controls.
Where Stolen Logins Are Used: VPNs, Firewalls, and IoT Devices
Once attackers have a valid login, they don’t stop at one system. The report details how exploited identities are used to move laterally. In 38% of cases, attackers accessed exposed applications or systems. Remote device logins accounted for 30%, firewalls for 21%, and exposed VPNs for 8%. Even IoT devices served as an initial point of entry in 3% of incidents.
That breadth of access points means a single compromised password can open multiple doors. No wonder identity-based attacks are surging.
Why Organizations Are Still Getting Caught Off Guard
Sophos surveyed 2,158 cybersecurity leaders. Their answers reveal persistent gaps. 62% cited security gaps in the network — both known and unknown — as a reason attacks went undetected. Over half (58%) said their organization was held back by a lack of people or expertise. And 57% felt they hadn’t implemented the right level of cybersecurity protections.
The message is clear: tools alone aren’t enough. Teams need the right skills and the right configurations to make identity-based defenses work.
Ransom Payments: Smaller Demands, But More Victims Paying
The report also tracks ransom demands. The median demand has fallen to $698,000, down from $2 million just two years ago. But that doesn’t mean attackers are getting softer. They’re tailoring demands to each victim. Smaller organizations get smaller asks. If the ransom seems “reasonable,” victims are more likely to pay — especially if they fear downtime will cost more than the ransom itself.
Among organizations that had data encrypted, 48% paid the ransom. Meanwhile, 66% used their own backups to restore some data, up from 54% in 2025. That’s progress, but it’s not a silver bullet.
How to Defend Against Identity-Based Ransomware Attacks
The Sophos report offers clear guidance: treat identity as a foundational security layer, not an afterthought. “Organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials,” the report recommends.
That means ransomware protection strategies must start with identity hygiene. Enforce MFA everywhere. Monitor for unusual login patterns. Audit credentials regularly. And don’t forget non-human identities — service accounts and API keys are often overlooked.
For readers looking to strengthen their defenses, a good place to start is understanding common phishing attack techniques and how to spot them. Training alone won’t stop every attack, but combined with strong identity controls, it raises the bar.
The bottom line? Attackers are going where the defenses are weakest — straight at the login screen. Organizations that lock that door first will have the best chance of keeping ransomware out.