Sophos Report: Identity Attacks Overtake Exploits in Ransomware

Identity Attacks Now Top Ransomware Vector, Eclipsing Exploits

HIGH
July 16, 2026
4m read
RansomwareThreat IntelligencePhishing

Related Entities

Organizations

Full Report

Executive Summary

A new report from cybersecurity firm Sophos indicates a fundamental shift in the tactics of ransomware operators. The "State of Ransomware 2026" report finds that compromised identities are now the starting point for 79% of all ransomware attacks. For the first time in four years, the primary root cause is not exploited vulnerabilities but rather malicious emails (26%) and phishing (24%), which together account for half of all initial access events. This trend suggests that while patching is still vital, defensive strategies must evolve to prioritize identity security, email protection, and user awareness to counter the most common attack vectors used by modern ransomware groups.


Threat Overview

The report, based on a survey of 2,100 IT and security leaders whose organizations were hit by ransomware, reveals a clear strategic pivot by threat actors. Exploited vulnerabilities, which were the root cause in 32% of attacks last year, have dropped to just 18%. This decline is offset by the sharp rise in identity-based attacks. Two-thirds of ransomware victims stated that the ransomware incident was also their most significant identity-based attack of the year, underscoring the convergence of these two threat types.

This shift highlights that attackers are finding it more efficient to steal or phish for credentials than to develop or acquire exploits for software flaws. The prevalence of weak passwords, lack of Multi-Factor Authentication (MFA), and successful phishing campaigns provide a lower barrier to entry for attackers.

Technical Analysis

While the report focuses on trends rather than a single actor, the described attack path aligns with common Ransomware-as-a-Service (RaaS) models. The typical TTPs involved are:

  1. Initial Access: Primarily achieved through T1566 - Phishing, where users are tricked into revealing credentials or executing a malicious attachment.
  2. Credential Access: Once a foothold is gained, attackers use stolen credentials via T1078 - Valid Accounts to authenticate to systems and services, appearing as legitimate users.
  3. Discovery & Lateral Movement: Attackers explore the network, escalate privileges, and move to additional systems, often using legitimate tools like RDP or PowerShell.
  4. Impact: The final stage involves T1486 - Data Encrypted for Impact and often T1048 - Exfiltration Over Alternative Protocol as part of a double-extortion strategy.

Impact Assessment

Despite a drop in median ransom demands ($698,000) and payments ($769,000), the overall financial impact on victims has increased. The average total cost to recover from a ransomware attack has now reached $1.7 million, factoring in downtime, staff hours, device costs, and network improvements.

The report also notes a concerning trend: data was successfully encrypted in 56% of attacks, reversing a two-year decline and indicating that attackers are becoming more effective at bypassing defenses once inside a network. There is also a clear disparity based on organization size, with smaller businesses (100-250 employees) being less successful (34% stopped an attack pre-encryption) than larger enterprises (46% success rate).

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles, as this is a trend report rather than an analysis of a specific campaign.


Cyber Observables — Hunting Hints

Security teams may want to hunt for the following general patterns related to identity-driven ransomware attacks:

Type
event_id
Value
4768, 4769
Description
Kerberos authentication events. A high volume of TGS requests (Kerberoasting) can indicate attempts to crack service account credentials.
Context
Windows Security Event Log
Type
command_line_pattern
Value
-EncodedCommand
Description
PowerShell commands with encoded payloads are a common technique for obfuscating malicious activity after initial access.
Context
EDR, PowerShell Script Block Logging (Event ID 4104)
Type
network_traffic_pattern
Value
Impossible travel alerts
Description
A user account logging in from two geographically distant locations in a short time frame is a strong indicator of a compromised identity.
Context
Cloud Security Portal, SIEM
Type
log_source
Value
VPN Logs
Description
Monitor for successful VPN connections from unusual countries or at odd hours, followed by RDP or SMB activity.
Context
VPN Concentrator Logs, Firewall Logs

Detection & Response

  1. Identity Threat Detection and Response (ITDR): Deploy solutions that monitor for anomalous authentication behavior. This includes impossible travel, MFA fatigue attacks, and logon attempts with known breached credentials. This aligns with D3FEND User Behavior Analysis.
  2. Enhanced Email Security: Use advanced email gateways that can detect and block sophisticated phishing links and malicious attachments. Sandboxing of attachments and URL rewriting are key capabilities.
  3. Monitor for Credential Abuse: Actively hunt for techniques like Kerberoasting and Pass-the-Hash. SIEM rules that correlate failed logons with subsequent successful ones, or detect the use of a single account across multiple systems in a short period, can be effective.

Mitigation

  1. Mandate MFA: The single most effective control against identity-based attacks is phishing-resistant MFA. Prioritize its rollout for all users, especially for remote access (VPN), email, and privileged accounts.
  2. User Training: Conduct regular, engaging security awareness training that focuses on identifying modern phishing tactics. Use phishing simulations to test and reinforce learning.
  3. Principle of Least Privilege: Ensure user accounts only have the permissions necessary to perform their roles. This limits an attacker's ability to move laterally and access sensitive data even if an account is compromised.
  4. Email Filtering and Sandboxing: Implement advanced email security solutions to prevent malicious emails from reaching user inboxes. This is a key preventative control mentioned in the report.

Timeline of Events

1
July 15, 2026
Sophos releases its 'State of Ransomware 2026' report.
2
July 16, 2026
This article was published

MITRE ATT&CK Mitigations

Implementing MFA is the most effective defense against the use of stolen credentials, which is the primary vector identified in the report.

Mapped D3FEND Techniques:

Training users to identify and report phishing attempts directly counters the top initial access methods of malicious email and phishing.

Using advanced email filtering, URL rewriting, and attachment sandboxing technologies can prevent malicious content from reaching users.

Enforcing the principle of least privilege limits the damage an attacker can do with a compromised account.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

Given that 79% of ransomware attacks now stem from compromised identities, implementing phishing-resistant Multi-Factor Authentication (MFA) is the single most impactful countermeasure. Organizations must prioritize the rollout of MFA across all critical access points, including VPNs, cloud services (O365/Google Workspace), and privileged accounts. Move beyond SMS-based MFA, which is susceptible to SIM-swapping, and adopt stronger methods like FIDO2/WebAuthn security keys or authenticator apps with number matching and push notifications. This technique directly hardens the initial access phase, making a stolen password insufficient for an attacker to gain entry, thereby disrupting the most common ransomware attack chain at its source.

To detect the abuse of legitimate credentials, organizations need to go beyond simple logon alerts. Implementing User Behavior Analysis (UBA) or Identity Threat Detection and Response (ITDR) tools is essential. These systems establish a baseline of normal activity for each user and alert on deviations. In the context of the Sophos report, this means detecting and alerting on: 'impossible travel' logins, access from unfamiliar devices or networks, unusual data access patterns, and rapid lateral movement using a single account. By focusing on post-authentication behavior, UBA can catch an attacker who has already bypassed initial defenses with a stolen credential, providing a critical detection layer.

Since malicious email is the top initial vector, strengthening email security is paramount. Organizations should deploy advanced email security gateways that perform deep analysis of attachments and links. This includes sandboxing, where attachments are opened in a secure, isolated environment to observe their behavior before they are delivered to the user. For links, URL rewriting and time-of-click analysis can protect users from phishing sites that may appear benign at the time of initial scan. This proactive filtering acts as a crucial preventative control, blocking the initial payload or phishing attempt before it can lead to a credential compromise or malware infection.

Timeline of Events

1
July 15, 2026

Sophos releases its 'State of Ransomware 2026' report.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

RansomwareSophosThreat IntelligencePhishingIdentity and Access ManagementCyberattack

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.