The Shift Has Happened
For years, security teams were told to patch fast — because unpatched software vulnerabilities were the primary door ransomware operators walked through. That calculus has fundamentally changed. According to Sophos' Active Adversary Report 2026 and State of Ransomware 2026, both released this month, compromised identities now drive 79% of all ransomware attacks, while software exploits have dropped to just 18% of initial access vectors — down 14 percentage points year-over-year.
The data comes from 661 incident response and managed detection and response (MDR) cases across 70 countries and 34 industries, covering activity from November 2024 through October 2025.
Identity-First Attack Breakdown
When looking at how ransomware operators initially gained access:
- Malicious email: 26%
- Phishing: 24%
- Compromised credentials (no additional vector known): 23%
- Exploited vulnerabilities: 18%
- Brute-force: 6%
Combined, email and phishing alone account for 50% of ransomware initial access — more than all other categories combined. A full 67% of all incidents investigated by Sophos IR and MDR teams were rooted in some form of identity attack.
Brute-force (15.6%) has nearly converged with exploitation (16%) as an initial access vector, another signal that attackers are investing less in exploit development and more in credential harvesting at scale.
The MFA Paradox
Perhaps the most alarming finding: MFA was deployed in 97% of credential-based ransomware cases — yet failed to prevent compromise in every one of them.
The apparent contradiction is explained by the evolution of bypass techniques now standard in criminal tooling:
- Adversary-in-the-Middle (AitM) phishing kits — platforms like Tycoon 2FA intercept session cookies and MFA tokens in real time. (Tycoon's infrastructure was seized by Europol and Microsoft in March 2026, but successors remain active.)
- MFA fatigue (push bombing) — up 217% year-over-year, attackers flood users with authentication prompts until one is approved.
- Session token theft — stolen cookies allow attackers to replay authenticated sessions without triggering MFA workflows.
- Vishing — attackers impersonate internal IT over Microsoft Teams to social-engineer MFA codes or push approvals.
The broader Active Adversary dataset — not limited to ransomware — shows that 59% of identity-based cases involved systems with no MFA at all, suggesting incomplete rollout across enterprise environments remains a major problem even when MFA is "deployed."
Attacker Tradecraft at Speed
The pace of modern ransomware operations leaves little time for defenders:
- Median dwell time: 3 days from initial access to ransomware deployment
- Time to reach Active Directory: 3.4 hours after gaining a foothold
- Payload timing: 88% of ransomware deployed outside business hours
- Exfiltration timing: 79% of data theft also occurs off-hours
Sophos observed 51 distinct ransomware brands active in the study period — 27 returning and 24 new entrants. Akira led the field, accounting for 22% of all incidents.
On AI: despite significant media speculation, Sophos confirmed confirmed AI use in exactly 1 of 661 cases — a deepfake. No evidence of AI-driven transformation in attacker methodology was found.
What to Do
The shift from exploit-centric to identity-centric attacks requires defenders to shift investment accordingly:
1. Replace push and OTP MFA with phishing-resistant alternatives. FIDO2 security keys and passkeys are the only MFA technologies that consistently resist AitM and fatigue attacks. If your MFA can be phished, it will eventually be bypassed.
2. Deploy Identity Threat Detection and Response (ITDR). Endpoint detection covers where code runs; ITDR covers where identities are abused. The two are complements, not substitutes.
3. Audit non-human identities. Service accounts, API tokens, and automation credentials are often overlooked in identity hardening projects. Sophos found these credentials disproportionately present in lateral movement paths.
4. Reduce internet-facing identity infrastructure exposure. VPN concentrators, RDP endpoints, and federation portals exposed to the internet remain favored brute-force targets. Put them behind zero-trust access policies where possible.
5. Extend log retention. Sophos noted a doubling year-over-year in cases where missing logs impeded investigation. Default retention on firewall appliances can be as short as 24 hours — far too short to reconstruct a 3-day intrusion.
6. Ensure 24/7 monitoring. With 88% of ransomware deployed outside business hours, Monday-to-Friday 9-to-5 SOC coverage is structurally insufficient. MDR services or continuous in-house monitoring are required.
Bottom Line
The ransomware threat actor community has largely made its bet: credentials are cheaper to steal than vulnerabilities are to find and weaponize. Patching remains necessary — but it is no longer sufficient as a primary defensive posture. Identity hygiene and phishing-resistant authentication are now the front line.