Skip to content
Chimera readability score 71 out of 100, Expert reading level.

Identity-based attacks and abuse of compromised credentials have become the most common method cybercriminals use to hit networks with ransomware, analysis of real-world incidents has revealed.
According to a new report by Sophos, 79% of ransomware attacks can be traced back to an initial intrusion which exploited compromised identities and legitimate user logins.
In total, malicious emails accounted for the initial entry point for ransomware in 26% of analyzed incidents, up from 19% in 2025.
Phishing attacks, often used to steal legitimate login credentials, were the root cause of ransomware attacks in 24% of incidents, which is up from 18% during the previous year.
The third most common entry point for ransomware incidents was brute force attacks, a method which sees cybercriminals use automation and trial and error to breach commonly used or weak passwords. This accounted for 23% of ransomware attacks, a slight drop from 22% during the previous year.
Identity-based attacks have risen at the expense of vulnerabilities being exploited. Previously, the most common root cause of ransomware incidents, the percentage of attacks which started with attackers exploiting known security vulnerabilities dropped from 32% in 2025 to 18% in 2026.
"Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This years trend shows they are focused on targeting humans," Ross McKerchar, CISO at Sophos told Infosecurity.
Attackers are leveraging the exploited identities in several different ways, using them to access exposed applications or systems (38%), remote device logins (30%) and firewalls (21%) as well as exposed VPNs (8%) and in some cases, IoT devices as the initial point of entry (3%).
There is not one factor that left organizations exposed to attacks, but there are some common trends. According to the 2158 cybersecurity leaders surveyed by Sophos, 62% cited security gaps in the network, both known and unknown as a potential reason for cyber-attacks going undetected.
Over half (58%) said their organization was held back by resources around a lack of people or appropriate expertise to keep the organization safe from cyber threats.
Meanwhile, 57% of respondents said that they felt that their organization had not implemented the correct level of cybersecurity solutions or protections to keep the network or users safe.
Recovering From a Ransomware Attack
For those organizations which fell victim to a ransomware attack to the extent data was encrypted, 48% said that they paid the ransom to get data back. In addition to this, 66% said they used their own backups to restore some of the encrypted data, up from 54% in 2025.
When it came to ransom demands, the report said that the median ransom demand has fallen to $698,000 in this year’s report, down from $2m just two years ago. However, the large organizations continue to receive much higher ransom demand, amounting to millions of dollars.
While it might look as if ransom payments are getting lower, what is really happening is that cybercriminals are tailoring their ransom demands to the organizations they hit, demanding less from smaller organizations. That’s simply because if they went in with a ransom demand that was too high, the organization would refuse to pay.
However, if the ransom demand is more ‘reasonable’ it can push the victim to pay up for the decryption key, especially if they believe that not paying the ransom would cost them more in lost earnings in the near-term future.
With identity-based attacks the main means of cyber-criminals initiating ransomware attacks, the best way for cybersecurity leaders to ensure their organization does not become a victim is to ensure identity-based controls are robust enough to defend against malicious behavior.
“Organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials,” the Sophos report recommended.
“Organizations that treat identity as a foundational security layer, rather than an afterthought, are better positioned to prevent attacks from succeeding in the first place,” it concluded.

Facts Only

* 79% of ransomware attacks can be traced back to an initial intrusion exploiting compromised identities and legitimate user logins.
* Malicious emails accounted for the initial entry point for ransomware in 26% of analyzed incidents, up from 19% in 2025.
* Phishing attacks were the root cause of ransomware in 24% of incidents, up from 18% in the previous year.
* Brute force attacks accounted for 23% of ransomware attacks, a slight drop from 22% in the previous year.
* Attackers leveraged exploited identities to access exposed applications or systems 38% of the time.
* Remote device logins were used by attackers 30% of the time.
* Firewalls were accessed as an initial entry point 21% of the time.
* Exposed VPNs were accessed 8% of the time.
* IoT devices were used as the initial point of entry in some cases 3% of the time.
* 62% of surveyed cybersecurity leaders cited security gaps in the network as a reason for cyber-attacks going undetected.
* 58% of respondents felt their organization lacked sufficient resources (people or expertise) to maintain safety.
* 57% of respondents felt their organization had not implemented the correct level of cybersecurity solutions.
* 48% of organizations that suffered data encryption paid the ransom for recovery.
* 66% of organizations used their own backups to restore encrypted data, up from 54% in 2025.
* The median ransom demand fell to $698,000, down from $2 million two years prior.

Executive Summary

Ransomware attacks frequently exploit compromised identities and legitimate user logins as the primary initial access vector, with 79% of attacks tracing back to such intrusions. Malicious emails served as an entry point for 26% of incidents, an increase from the previous year, while phishing attacks were the root cause of ransomware in 24% of cases, up from 18%. Brute force attacks accounted for 23% of incidents. Identity-based attacks have risen over attacks exploiting known security vulnerabilities, which dropped from 32% to 18% between 2025 and 2026. Attackers leverage exploited identities to access applications (38%), remote logins (30%), and firewalls (21%). Organizations face significant internal challenges, with 62% citing security gaps and 57% feeling they lack adequate cybersecurity solutions or expertise. Following an attack, 48% of organizations paid the ransom for data recovery, while 66% used backups for restoration. Median ransom demands have decreased to $698,000 in the current year compared to $2 million two years prior, though large organizations continue to demand significantly higher amounts. The report recommends prioritizing identity threat detection and response, enforcing multi-factor authentication, and auditing all identity credentials as foundational security measures.

Full Take

The narrative emphasizes a systemic shift where identity compromise has become the dominant vector for ransomware deployment, suggesting that focusing solely on perimeter defenses or patching vulnerabilities is insufficient when human factors and access management are exploited first. The data reveals a tension between the technical reality of sophisticated attack methods (phishing, brute force) and the organizational realities of defense (resource scarcity, expertise gaps). The fact that attackers are increasingly targeting identities—using them to access systems rather than just exploiting known flaws—suggests an evolution in adversarial focus toward internal trust mechanisms. The drop in exploits of known vulnerabilities (from 32% to 18%) alongside the rise in identity exploitation suggests that defenses focused on vulnerability management alone may be becoming obsolete; the control plane, defined by identity, is now the primary attack surface. Furthermore, the dynamic concerning ransom payment indicates a behavioral response influenced by perceived loss versus immediate operational cost; the lowered median demand reflects an attempt to modulate extortion based on organizational size, creating differential leverage. The recommendation to treat identity as a foundational layer shifts the focus from reactive threat mitigation to proactive control architecture. What is the long-term consequence of basing security strategy around hardening access controls when the underlying human element and internal resource distribution remain the most significant friction points? What happens when identity controls are robust but organizational capacity remains critically low?

Sentinel — Human

Confidence

The text appears to be a well-structured synthesis of cybersecurity statistics, presented with journalistic clarity, suggesting human authorship based on external reporting.

Signals Detected
low severity: Sentence length variance shows some variation; flow is journalistic.
low severity: The structure flows logically from attack vectors to recovery strategies, typical of synthesized reports.
low severity: Consistent use of data points and direct attribution suggests structured reporting, likely based on a source report.
low severity: The specific statistics and the context provided by the named expert sound grounded in a verifiable context, minimizing fabrication risk.
Human Indicators
Specific attribution to Ross McKerchar and Sophos lends credibility.
Nuanced discussion on ransom psychology (tailoring demands) suggests deeper editorial synthesis beyond simple data recitation.
Compromised Logins Surge as the Most Common Entry Point for Ransomware Attacks — Arc Codex