Compromised Logins Overtake Vulnerabilities as Primary Ransomware Entry Point
Sophos research indicates that compromised credentials, including those obtained through phishing and brute-force attacks, have surpassed software vulnerability exploitation as the leading method for ransomware initial access.

Compromised credentials and identity-based attacks have ascended to become the most prevalent entry vector for ransomware operations, according to a recent analysis by Sophos. The report reveals that a staggering 79% of ransomware incidents analyzed in the past year originated from an initial intrusion that leveraged compromised identities and legitimate user logins.
This marks a significant shift from previous trends, where the exploitation of software vulnerabilities was the dominant initial access method. In the latest findings, malicious emails served as the entry point for ransomware in 26% of incidents, an increase from 19% in the prior year. Phishing attacks, a common tactic for stealing login credentials, were identified as the root cause in 24% of cases, up from 18% previously. Brute-force attacks, which involve automated attempts to guess weak or common passwords, accounted for 23% of ransomware attacks, a slight increase from 22%.
The decline in vulnerability exploitation is notable, with the percentage of attacks starting this way dropping from 32% in 2025 to 18% in 2026. This suggests a strategic pivot by threat actors towards exploiting human factors and existing access credentials, which often prove to be a more efficient and less technically challenging path to network compromise.
"Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector," stated Ross McKerchar, CISO at Sophos. He further noted the advancements in social engineering, including the routine deployment of AI to enhance phishing emails and the development of sophisticated campaigns designed to trick even well-trained users into bypassing multi-factor authentication (MFA).
Once access is gained via compromised credentials, attackers utilize them in various ways. The research indicates that 38% of the time, these credentials are used to access exposed applications or systems, followed by remote device logins (30%), and firewalls (21%). Exposed VPNs (8%) and, in some instances, IoT devices (3%) also served as initial points of entry.
The Sophos survey of 2158 cybersecurity leaders highlighted several contributing factors to organizations' vulnerability. 62% cited security gaps in the network, both known and unknown, as reasons for attacks going undetected. Over half (58%) felt their organization was hindered by a lack of personnel or expertise, while 57% believed they had not implemented adequate cybersecurity solutions.
For organizations that fall victim to data encryption, 48% reported paying the ransom, while 66% utilized their own backups for restoration, an increase from 54% in the previous year. The median ransom demand has decreased to $698,000, down from $2 million two years ago, though large organizations continue to face significantly higher demands. This reduction is attributed to attackers tailoring demands to the perceived financial capacity of their targets, aiming for a higher likelihood of payment.
Given the prominence of identity-based attacks, Sophos recommends prioritizing identity threat detection and response (ITDR), enforcing MFA across all access points, and regularly auditing both human and non-human identity credentials. Organizations that treat identity as a foundational security layer are better positioned to prevent attacks before they succeed.