A new report from cybersecurity firm Sophos indicates a fundamental shift in the tactics of ransomware operators. The "State of Ransomware 2026" report finds that compromised identities are now the starting point for 79% of all ransomware attacks. For the first time in four years, the primary root cause is not exploited vulnerabilities but rather malicious emails (26%) and phishing (24%), which together account for half of all initial access events. This trend suggests that while patching is still vital, defensive strategies must evolve to prioritize identity security, email protection, and user awareness to counter the most common attack vectors used by modern ransomware groups.
The report, based on a survey of 2,100 IT and security leaders whose organizations were hit by ransomware, reveals a clear strategic pivot by threat actors. Exploited vulnerabilities, which were the root cause in 32% of attacks last year, have dropped to just 18%. This decline is offset by the sharp rise in identity-based attacks. Two-thirds of ransomware victims stated that the ransomware incident was also their most significant identity-based attack of the year, underscoring the convergence of these two threat types.
This shift highlights that attackers are finding it more efficient to steal or phish for credentials than to develop or acquire exploits for software flaws. The prevalence of weak passwords, lack of Multi-Factor Authentication (MFA), and successful phishing campaigns provide a lower barrier to entry for attackers.
While the report focuses on trends rather than a single actor, the described attack path aligns with common Ransomware-as-a-Service (RaaS) models. The typical TTPs involved are:
T1566 - Phishing, where users are tricked into revealing credentials or executing a malicious attachment.T1078 - Valid Accounts to authenticate to systems and services, appearing as legitimate users.T1486 - Data Encrypted for Impact and often T1048 - Exfiltration Over Alternative Protocol as part of a double-extortion strategy.Despite a drop in median ransom demands ($698,000) and payments ($769,000), the overall financial impact on victims has increased. The average total cost to recover from a ransomware attack has now reached $1.7 million, factoring in downtime, staff hours, device costs, and network improvements.
The report also notes a concerning trend: data was successfully encrypted in 56% of attacks, reversing a two-year decline and indicating that attackers are becoming more effective at bypassing defenses once inside a network. There is also a clear disparity based on organization size, with smaller businesses (100-250 employees) being less successful (34% stopped an attack pre-encryption) than larger enterprises (46% success rate).
No specific Indicators of Compromise (IOCs) were provided in the source articles, as this is a trend report rather than an analysis of a specific campaign.
Security teams may want to hunt for the following general patterns related to identity-driven ransomware attacks:
-EncodedCommandImplementing MFA is the most effective defense against the use of stolen credentials, which is the primary vector identified in the report.
Mapped D3FEND Techniques:
Training users to identify and report phishing attempts directly counters the top initial access methods of malicious email and phishing.
Using advanced email filtering, URL rewriting, and attachment sandboxing technologies can prevent malicious content from reaching users.
Enforcing the principle of least privilege limits the damage an attacker can do with a compromised account.
Given that 79% of ransomware attacks now stem from compromised identities, implementing phishing-resistant Multi-Factor Authentication (MFA) is the single most impactful countermeasure. Organizations must prioritize the rollout of MFA across all critical access points, including VPNs, cloud services (O365/Google Workspace), and privileged accounts. Move beyond SMS-based MFA, which is susceptible to SIM-swapping, and adopt stronger methods like FIDO2/WebAuthn security keys or authenticator apps with number matching and push notifications. This technique directly hardens the initial access phase, making a stolen password insufficient for an attacker to gain entry, thereby disrupting the most common ransomware attack chain at its source.
To detect the abuse of legitimate credentials, organizations need to go beyond simple logon alerts. Implementing User Behavior Analysis (UBA) or Identity Threat Detection and Response (ITDR) tools is essential. These systems establish a baseline of normal activity for each user and alert on deviations. In the context of the Sophos report, this means detecting and alerting on: 'impossible travel' logins, access from unfamiliar devices or networks, unusual data access patterns, and rapid lateral movement using a single account. By focusing on post-authentication behavior, UBA can catch an attacker who has already bypassed initial defenses with a stolen credential, providing a critical detection layer.
Since malicious email is the top initial vector, strengthening email security is paramount. Organizations should deploy advanced email security gateways that perform deep analysis of attachments and links. This includes sandboxing, where attachments are opened in a secure, isolated environment to observe their behavior before they are delivered to the user. For links, URL rewriting and time-of-click analysis can protect users from phishing sites that may appear benign at the time of initial scan. This proactive filtering acts as a crucial preventative control, blocking the initial payload or phishing attempt before it can lead to a credential compromise or malware infection.
Sophos releases its 'State of Ransomware 2026' report.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.