Sophos Reports 79% of Ransomware Attacks Start With Compromised Identities
Sophos released its seventh annual State of Ransomware report, covering how ransomware affected organizations and how prepared they were to defend against it. The survey reported a shift in how ransomware incidents began, with compromised identities accounting for the largest share of initial access cases.
Based on interviews with 2,158 IT and cybersecurity decision-makers from organizations hit by ransomware in the prior 12 months across 17 countries, the report described a change in root causes. For the first time in four years, exploited vulnerabilities were no longer the most common root cause, while malicious email and phishing took the top positions.
The report stated that identity was the dominant initial access vector (IAV), with 79% of ransomware attacks starting with compromised identities. It also said 59% of ransom demands that started with an exploited vulnerability on the firewall involved $1M or more. Among ransomware victims, 56% encrypted data, including 16% where data was both encrypted and stolen.
Sophos also reported findings related to incident outcomes and credential defenses. It said 67% of victims confirmed their ransomware incident was also their most significant identity attack, and that multi-factor authentication (MFA) was deployed in some capacity for 97% of incidents where compromised credentials were the root cause. The UK showed the highest median ransom demand at $2.5 million.
“As we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,” said Ross McKerchar, chief information security officer, Sophos. “This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts. However, the improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities. Defenders cannot rely on patching alone to keep pace, so reducing external exposure and maintaining strong endpoint protection is essential.”
The survey was conducted by Vanson Bourne on behalf of Sophos in Q1 2026, and Sophos described additional reporting on recovery timing, negotiation outcomes, and average recovery costs, including $1.7 million per incident.
Provided by Globe Newswire on behalf of Sophos. Click to read original content.