Identity Attacks Now Lead Ransomware Infiltration, Sophos Report Finds
Identity compromise, driven by phishing and compromised credentials, has surpassed vulnerability exploitation as the primary entry point for ransomware attacks, according to Sophos's latest research.

Ransomware attacks are increasingly originating from compromised identities rather than exploited software vulnerabilities, marking a significant shift in threat actor tactics, according to Sophos's "State of Ransomware 2026" report. The survey of 2,158 IT and cybersecurity leaders across 17 countries revealed that malicious email and phishing campaigns now account for half of all ransomware root causes, dethroning software vulnerabilities, which dropped to 18% from 32% in previous years.
Compromised credentials, a distinct but related identity-based attack vector, were cited as the third most common root cause, impacting 23% of victims. This trend underscores a broader move by attackers to leverage human elements and credential theft over the more technically challenging pursuit of software flaws. The report highlights that 67% of ransomware victims experienced their most significant identity attack within the same year as their ransomware incident, emphasizing the interconnectedness of these attack types.
Perhaps the most startling finding is the ineffectiveness of multi-factor authentication (MFA) in preventing these identity-driven attacks. The report indicates that MFA was deployed in 97% of instances where compromised credentials led to ransomware. Common MFA methods, including one-time passwords, push-based applications, and passkeys, were in place, with FIDO2 tokens being the fourth most common. This suggests that MFA, while a critical defense layer, is not a silver bullet.
Sophos suggests two primary reasons for MFA's failure in these scenarios. Firstly, MFA may not have been universally deployed across all critical systems, leaving gaps for attackers to exploit. Secondly, even with MFA in place, evolving bypass techniques continue to challenge its efficacy. This indicates that the focus must shift beyond simply implementing MFA to ensuring comprehensive deployment and staying ahead of new attack methodologies.
The implications for cybersecurity strategy are profound. While maintaining up-to-date patching remains essential, the primary battleground for ransomware defense is shifting towards identity protection. Organizations are advised to prioritize identity threat detection and response (ITDR) solutions, enforce MFA rigorously across all access points, and conduct regular audits of both human and non-human identity credentials.
Experts like Chet Wisniewski, global field chief information security officer at Sophos, advocate for an aggressive defense-in-depth strategy. This approach involves layering multiple security controls, such as network segmentation and zero-trust network access (ZTNA), to slow down attackers, generate alerts, and provide clues for threat hunting. The goal is to make any single bypass, whether of MFA or a technical control, insufficient to achieve the attacker's ultimate objective.
This evolving threat landscape demands a more holistic approach to security, moving beyond a singular focus on vulnerability management. Robust identity governance, continuous monitoring, and layered defenses are crucial to mitigating the growing threat of identity-based ransomware attacks. The report serves as a stark reminder that even well-established security measures require constant vigilance and adaptation against sophisticated adversaries.