Identity-based attacks and abuse of compromised credentials have become the most common method cybercriminals use to hit networks with ransomware, analysis of real-world incidents has revealed.
According to a new report by Sophos, 79% of ransomware attacks can be traced back to an initial intrusion which exploited compromised identities and legitimate user logins.
In total, malicious emails accounted for the initial entry point for ransomware in 26% of analyzed incidents, up from 19% in 2025.
Phishing attacks, often used to steal legitimate login credentials, were the root cause of ransomware attacks in 24% of incidents, which is up from 18% during the previous year.
The third most common entry point for ransomware incidents was brute force attacks, a method which sees cybercriminals use automation and trial and error to breach commonly used or weak passwords. This accounted for 23% of ransomware attacks, a slight drop from 22% during the previous year.
Identity-based attacks have risen at the expense of vulnerabilities being exploited. Previously, the most common root cause of ransomware incidents, the percentage of attacks which started with attackers exploiting known security vulnerabilities dropped from 32% in 2025 to 18% in 2026.
"Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This years trend shows they are focused on targeting humans," Ross McKerchar, CISO at Sophos told Infosecurity.
Attackers are leveraging the exploited identities in several different ways, using them to access exposed applications or systems (38%), remote device logins (30%) and firewalls (21%) as well as exposed VPNs (8%) and in some cases, IoT devices as the initial point of entry (3%).
There is not one factor that left organizations exposed to attacks, but there are some common trends. According to the 2158 cybersecurity leaders surveyed by Sophos, 62% cited security gaps in the network, both known and unknown as a potential reason for cyber-attacks going undetected.
Over half (58%) said their organization was held back by resources around a lack of people or appropriate expertise to keep the organization safe from cyber threats.
Meanwhile, 57% of respondents said that they felt that their organization had not implemented the correct level of cybersecurity solutions or protections to keep the network or users safe.
Recovering From a Ransomware Attack
For those organizations which fell victim to a ransomware attack to the extent data was encrypted, 48% said that they paid the ransom to get data back. In addition to this, 66% said they used their own backups to restore some of the encrypted data, up from 54% in 2025.
When it came to ransom demands, the report said that the median ransom demand has fallen to $698,000 in this year’s report, down from $2m just two years ago. However, the large organizations continue to receive much higher ransom demand, amounting to millions of dollars.
While it might look as if ransom payments are getting lower, what is really happening is that cybercriminals are tailoring their ransom demands to the organizations they hit, demanding less from smaller organizations. That’s simply because if they went in with a ransom demand that was too high, the organization would refuse to pay.
However, if the ransom demand is more ‘reasonable’ it can push the victim to pay up for the decryption key, especially if they believe that not paying the ransom would cost them more in lost earnings in the near-term future.
With identity-based attacks the main means of cyber-criminals initiating ransomware attacks, the best way for cybersecurity leaders to ensure their organization does not become a victim is to ensure identity-based controls are robust enough to defend against malicious behavior.
“Organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials,” the Sophos report recommended.
“Organizations that treat identity as a foundational security layer, rather than an afterthought, are better positioned to prevent attacks from succeeding in the first place,” it concluded.
Facts Only
* 79% of ransomware attacks can be traced back to an initial intrusion exploiting compromised identities and legitimate user logins.
* Malicious emails accounted for the initial entry point for ransomware in 26% of analyzed incidents, up from 19% in 2025.
* Phishing attacks were the root cause of ransomware in 24% of incidents, up from 18% in the previous year.
* Brute force attacks accounted for 23% of ransomware attacks, a slight drop from 22% in the previous year.
* Attackers leveraged exploited identities to access exposed applications or systems 38% of the time.
* Remote device logins were used by attackers 30% of the time.
* Firewalls were accessed as an initial entry point 21% of the time.
* Exposed VPNs were accessed 8% of the time.
* IoT devices were used as the initial point of entry in some cases 3% of the time.
* 62% of surveyed cybersecurity leaders cited security gaps in the network as a reason for cyber-attacks going undetected.
* 58% of respondents felt their organization lacked sufficient resources (people or expertise) to maintain safety.
* 57% of respondents felt their organization had not implemented the correct level of cybersecurity solutions.
* 48% of organizations that suffered data encryption paid the ransom for recovery.
* 66% of organizations used their own backups to restore encrypted data, up from 54% in 2025.
* The median ransom demand fell to $698,000, down from $2 million two years prior.
Executive Summary
Full Take
Sentinel — Human
The text appears to be a well-structured synthesis of cybersecurity statistics, presented with journalistic clarity, suggesting human authorship based on external reporting.
