79% of Ransomware Attacks Now Originate from Compromised Identities, Sophos Report Finds

Exploited vulnerabilities are no longer the primary root cause of ransomware attacks, as cybercriminals prioritize malicious emails and phishing campaigns

OXFORD, United Kingdom, July 15, 2026 (GLOBE NEWSWIRE) -- Sophos, a global cybersecurity leader, today released its seventh annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries identifying the impact of ransomware on businesses and how prepared organizations are to defend against them. This year's report reveals that identity is the dominant initial access vector (IAV), with four in five (79%) of ransomware attacks starting with compromised identities.

The prominence of identity attacks in ransomware indicates a shift in method, as attackers increasingly recognize identity as a key component in ransomware delivery. Additionally, for the first time in four years, exploited vulnerabilities are no longer the most common root cause, with malicious email (26%) and phishing (24%) taking the top spot.

However, exploited vulnerabilities remain a high value target: 59% of ransom demands that start with an exploited vulnerability on the firewall are for $1M or more compared to 48% of all attacks.

“As we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,” said Ross McKerchar, chief information security officer, Sophos. “This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts. However, the improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities. Defenders cannot rely on patching alone to keep pace, so reducing external exposure and maintaining strong endpoint protection is essential.”

The report also found that, out of the organizations hit by ransomware, 56% had their data encrypted, an increase which has reversed a two-year downward trend.

Additional findings highlight:

  • Two-thirds of ransomware victims (67%) confirmed their ransomware incident was also their most significant identity attack, establishing identity compromise as a primary ransomware delivery mechanism.
  • Over half of ransomware attacks (56%) succeeded in encrypting data, including 16% where data was both encrypted and stolen. That success rate is up from 50% in 2025, but below the 75% peak in 2023.
  • When data is encrypted, attackers have a 50-50 chance of receiving a ransom payment. 48% of organizations whose data was encrypted paid the ransom, bringing the four-year average payment rate to 50%.
  • Only 34% of small organizations (100–250 employees) stopped attacks before encryption or extortion. This is significantly behind 3,001–5,000 employee organizations that stopped attacks 46% of the time.
  • Multi-factor authentication (MFA) was deployed in some capacity for 97% of incidents where compromised credentials were the root cause of the ransomware attacks, making clear that MFA alone is not enough to stop ransomware, and that coverage gaps create exposure.
  • The UK saw the highest median ransom demand recorded for any country at $2.5 million.

While organizations face prevention challenges as threat actors evolve their techniques, significant progress has been made to improve their ability to recover. Increased investment in backup infrastructure has likely contributed to organizations recovering faster following a ransomware attack; over half (55%) of organizations manage to do so within one week, and 16% in less than a day.

Organizations are continuing to be effective at negotiating with ransomware operators. Among those that chose to pay, 51% successfully negotiated a settlement below the attackers' initial ransom demand. The median ransom demands made by attackers have dropped by 65% over the last two years, and the proportion of organizations paying the ransom to recover data has fallen to 48%, the second-lowest rate on record after 2023 (46%).

While improved strategies have impacted the adversary’s ability to extract financial gain through ransom demands, the average recovery costs following an attack has increased, now at $1.7 million per incident.

“Organizations have strengthened their ransomware resilience in the past year, and those investments are largely paying off,” said McKerchar at Sophos. “However, ransomware continues to cost organizations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before. Organizations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”

Sophos recommends the following best practices to help organizations build integrated, AI-driven defenses that bring together technology, people and processes:

  • Treat identity as a foundational security layer – Organizations should prioritize ITDR, enforce phishing-resistant multi-factor authentication across all access points, and regularly audit both human and non-human identities.
  • Invest in backup and recovery infrastructure – Backups should be tested regularly, stored offline or in immutable formats, and integrated into a documented incident response plan that can be executed under pressure.
  • Maintain exposure management programs – Organizations should maintain rigorous patching schedules, prioritize internet-facing assets, and consider how emerging AI-assisted tools can accelerate vulnerability identification and remediation.
  • Reduce exposure via the firewall and leverage firewall telemetry to detect attacks early. Ensure your firewall receives rapid - ideally automated - updates and minimize internet-facing services like admin access and user portals. Connect firewalls to XDR and MDR solutions to enable firewall telemetry to help detect ransomware attacks before payloads are deployed. 

This survey was conducted by Vanson Bourne on behalf of Sophos in Q1 2026. 2,158 IT and cybersecurity decision-makers from organizations that had been hit by ransomware in the previous 12 months were interviewed across 17 countries: USA, Brazil, Chile, Colombia, Mexico, UK, France, Germany, Italy, Spain, Switzerland, Australia, India, Japan, Singapore, South Africa, and UAE. Respondents came from organizations with 100 to 5,000 employees across 15 industry sectors.

Download the full State of Ransomware 2026 report on Sophos.com.

About Sophos
Sophos, a global cybersecurity leader, defends more than 625,000 organizations worldwide with Sophos Fusion, the industry's first and most complete AI-native cybersecurity defense system: a single, connected architecture where every control point operates as one. Powered by agentic AI and elite human expertise, Sophos detects, investigates, and neutralizes threats before they become business-disrupting events. Working alongside a global ecosystem of managed service providers, resellers, and technology partners, Sophos compounds intelligence from every threat encountered and every environment defended to make every customer's defense stronger than the last. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.


Media Contact:
Kelly Archer
Sr. Director, Global PR
press@sophos.com

Primary Logo

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.

Share this page:

Advanced Search Options

Search for:

Search scope:

Type:

Search in:

Date range:

The last

Sort by:

Sign up for:

Switzerland Weekly

The daily local news briefing you can trust. Every day. Subscribe now.

By signing up, you agree to our Terms & Conditions.