BusinessCybersecurityNewswireTechnology

Ransomware Attacks Rise as Compromised Logins Become Top Entry Point

Originally published on: July 16, 2026
▼ Summary

– 79% of ransomware attacks in 2026 originated from identity-based attacks and compromised credentials, making it the most common initial intrusion method.
– Malicious emails caused 26% of ransomware incidents, and phishing attacks accounted for 24%, both up from the previous year.
– Brute force attacks were the third most common entry point at 23%, while exploited vulnerabilities dropped from 32% to 18%.
– 62% of surveyed cybersecurity leaders cited security gaps, 58% lacked sufficient expertise, and 57% said they had inadequate cybersecurity protections.
– The median ransom demand fell to $698,000, with attackers tailoring demands to victim size, while 48% of victims paid the ransom and 66% used backups to restore data.

Identity-based attacks and the abuse of compromised credentials have overtaken all other methods as the primary vector for ransomware intrusions, according to fresh analysis of real-world incidents. A new report from Sophos reveals that 79% of ransomware attacks now trace back to initial breaches that exploited compromised identities and legitimate user logins.

Malicious emails served as the entry point for ransomware in 26% of analyzed incidents, climbing from 19% in 2025. Phishing attacks, which are often designed to steal valid login credentials, were the root cause in 24% of cases, up from 18% the prior year. The third most common entry method was brute force attacks, where cybercriminals use automation to guess weak or commonly used passwords. This accounted for 23% of ransomware incidents, a slight increase from 22% in 2025.

The rise in identity-based attacks has come at the expense of vulnerability exploitation. Previously the most common cause of ransomware, attacks that began by exploiting known security vulnerabilities dropped sharply from 32% in 2025 to 18% in 2026.

“Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector,” said Ross McKerchar, CISO at Sophos. “Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This year’s trend shows they are focused on targeting humans.”

Attackers use these stolen identities in multiple ways. The most common targets include exposed applications or systems (38%), followed by remote device logins (30%), firewalls (21%), exposed VPNs (8%), and in some cases, IoT devices (3%) as the initial point of entry.

No single factor leaves organizations exposed, but common patterns emerge. Among the 2,158 cybersecurity leaders surveyed by Sophos, 62% cited security gaps in the network, both known and unknown, as a potential reason for attacks going undetected. More than half (58%) said their organization was held back by a lack of people or appropriate expertise to stay safe from cyber threats. Meanwhile, 57% of respondents felt their organization had not implemented the correct level of cybersecurity solutions or protections.

For organizations that suffered data encryption from a ransomware attack, 48% paid the ransom to recover their data. Additionally, 66% used their own backups to restore some encrypted data, up from 54% in 2025.

The median ransom demand has dropped to $698,000 in this year’s report, down from $2 million just two years ago. However, large organizations continue to face demands in the millions. The decline in median demand reflects a strategic shift: cybercriminals are tailoring ransom amounts to the victim’s ability to pay. A demand that is too high might prompt refusal, while a more “reasonable” figure increases the likelihood of payment, especially if the victim calculates that lost earnings from downtime would exceed the ransom.

Given that identity-based attacks now dominate ransomware strategies, cybersecurity leaders must strengthen identity controls to defend against malicious behavior. The Sophos report recommends that organizations prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials. “Organizations that treat identity as a foundational security layer, rather than an afterthought, are better positioned to prevent attacks from succeeding in the first place,” the report concluded.

(Source: Infosecurity Magazine)

Topics

identity-based attacks 95% ransomware incidents 92% phishing attacks 88% compromised credentials 87% identity threat detection 86% social engineering 85% ransom payments 83% vulnerability exploitation 82% ransom demand trends 81% brute force attacks 80%