Ransomware’s Pivot to Identity Theft
New findings reveal that compromised credentials are now the primary catalyst for ransomware breaches, eclipsing software flaws.
The landscape of digital extortion is undergoing a fundamental shift, moving away from the exploitation of software vulnerabilities toward the manipulation of human access. Rather than hunting for obscure code bugs, attackers are increasingly choosing the path of least resistance: logging in as authorized users.
The Dominance of Stolen Credentials
Recent analysis by Sophos indicates that 79% of ransomware incidents now stem from compromised identities and legitimate user credentials. This marks a significant departure from previous years, where the exploitation of known security vulnerabilities served as the primary entry point. As of 2026, the reliance on such vulnerabilities has plummeted to 18%, down from 32% in 2025.
The mechanics of these intrusions vary, with attackers deploying stolen credentials to infiltrate specific segments of the enterprise infrastructure. These compromised identities are most frequently utilized to gain access to exposed systems and applications, as well as remote device logins, firewalls, and, to a lesser extent, VPNs and IoT devices.
Human-Centric Attack Vectors
Social engineering remains a critical component in harvesting the credentials necessary for these incursions. Malicious email campaigns have risen to account for 26% of initial entries, while phishing operations now drive 24% of attacks. Brute force attempts remain a steady, albeit slightly declining, fixture, responsible for 23% of incidents.
Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This years trend shows they are focused on targeting humans
— Ross McKerchar, CISO at Sophos
Data Points on Modern Infiltration
- 79% of ransomware attacks involve compromised identities.
- 38% of exploited identities were used to access exposed applications or systems.
- 30% of exploited identities targeted remote device logins.
- 21% of exploited identities targeted firewalls.
- 8% of exploited identities targeted exposed VPNs.
- 3% of exploited identities targeted IoT devices.
- $698,000 is the current median ransom demand.
- 2158 cybersecurity leaders were surveyed for the report.
The Reality of Recovery and Defense
Even when preventative measures fail, the aftermath of an attack reveals ongoing struggles with resource allocation and recovery strategy. Among the leaders surveyed, 62% identified gaps in network security as a reason for undetected incursions, while 58% noted a lack of qualified staff or expertise. Despite the shift toward lower median ransom demands—down from $2m just two years ago—the decision to pay remains a common, albeit contentious, outcome, with 48% of victimized organizations opting to pay the ransom.
For organizations, the implication is clear: identity can no longer be treated as a peripheral security concern. The rise of sophisticated credential theft necessitates a transition toward identity-centric defensive frameworks. By prioritizing identity threat detection and response and mandating multi-factor authentication, firms may better secure their perimeter against the human-centric tactics currently dominating the threat landscape.