Skip to main content
Emerging ThreatsMalware & Ransomware

Ransomware Attacks Surge Through Compromised Logins

Office worker sits at desk with laptop, showing subtle concern on face.

79% — that is the share of ransomware incidents Sophos traces to an initial intrusion using compromised identities and legitimate user logins, according to the company's latest analysis.

Compromised identities: 79% of ransomware attacks

Sophos' report finds identity-based attacks have overtaken software flaws as the principal route into networks. Identity and legitimate-login exploitation now account for 79% of ransomware initial access vectors. By contrast, the percentage of attacks beginning with exploitation of known security vulnerabilities dropped from 32% in 2025 to 18% in 2026.

The report breaks down other entry methods as well: malicious email was the initial entry point in 26% of analyzed incidents (up from 19% in 2025), phishing was the root cause in 24% (up from 18%), and brute-force attacks accounted for 23% of incidents — "a slight drop from 22% during the previous year," the report states.

Ross McKerchar, CISO at Sophos, highlighted the shift in tactics: "Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This years trend shows they are focused on targeting humans."

How attackers use exploited logins: applications, remote devices, firewalls, VPNs, IoT

Once credentials are compromised, attackers do not follow a single playbook. Sophos reports that exploited identities were used to reach exposed applications or systems in 38% of cases, to log in to remote devices in 30%, and to get through firewalls in 21% of incidents. Exposed VPNs were the initial access point in 8% of cases, and IoT devices in 3%.

Those distributions show that credential theft or misuse can hand adversaries both broad and targeted footholds — from web applications to perimeter devices — enabling later stages of ransomware operations.

Organizational gaps cited by 2,158 cybersecurity leaders

The report surveyed 2,158 cybersecurity leaders to identify internal conditions that leave organizations vulnerable. Sixty-two percent cited security gaps in the network, both known and unknown, as a potential reason attacks went undetected. Fifty-eight percent said a lack of people or appropriate expertise held their organization back, and 57% said their organization had not implemented the correct level of cybersecurity solutions or protections to keep networks or users safe.

Those responses underline a common theme in the report: the human and resourcing constraints that make identity-based tactics successful.

Recovering from attacks: payments, backups, and shifting ransom demands

Among organizations whose data was encrypted, 48% said they paid the ransom to recover data. At the same time, 66% used their own backups to restore some encrypted data, up from 54% in 2025.

The report also documents a change in ransom economics. The median ransom demand has fallen to $698,000 in this year’s report, down from $2m just two years ago, although large organizations "continue to receive much higher ransom demand, amounting to millions of dollars." The Sophos analysis explains the change in posture among criminals: "While it might look as if ransom payments are getting lower, what is really happening is that cybercriminals are tailoring their ransom demands to the organizations they hit, demanding less from smaller organizations. That’s simply because if they went in with a ransom demand that was too high, the organization would refuse to pay."

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: The report urges prioritizing identity threat detection and response (ITDR), enforcing multi-factor authentication across all access points, and regularly auditing both human and non-human identity credentials — steps explicitly recommended by Sophos.
  • Procurement and enterprise leaders: Because attackers tailor ransom demands and smaller organizations can be pushed into paying, the findings suggest investing in resilient backup systems and in the people and expertise respondents said they lack, to reduce both the chance and the impact of a breach.
  • End users and administrators: McKerchar’s warning about AI-polished phishing and "sophisticated ClickFix campaigns" signals that social-engineering risks remain high and that even trained users can be persuaded to bypass protections such as MFA.

Sophos concludes with a succinct prescription: "Organizations that treat identity as a foundational security layer, rather than an afterthought, are better positioned to prevent attacks from succeeding in the first place." The data in this report make clear why identity controls are now the frontline: when credentials fail, a large majority of ransomware intrusions follow.

Original story