Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Identity Attacks Overtake Exploits as Top Ransomware Cause
Identity Attacks Overtake Exploits as Top Ransomware Cause
NEWS

Identity Attacks Overtake Exploits as Top Ransomware Cause

Sophos 2026: 79% of ransomware attacks start with stolen identities. MFA was present in 97% of credential-based cases yet failed to stop every one of them.

Dylan H.

News Desk

July 16, 2026
4 min read

The Shift Has Happened

For years, security teams were told to patch fast — because unpatched software vulnerabilities were the primary door ransomware operators walked through. That calculus has fundamentally changed. According to Sophos' Active Adversary Report 2026 and State of Ransomware 2026, both released this month, compromised identities now drive 79% of all ransomware attacks, while software exploits have dropped to just 18% of initial access vectors — down 14 percentage points year-over-year.

The data comes from 661 incident response and managed detection and response (MDR) cases across 70 countries and 34 industries, covering activity from November 2024 through October 2025.

Identity-First Attack Breakdown

When looking at how ransomware operators initially gained access:

  • Malicious email: 26%
  • Phishing: 24%
  • Compromised credentials (no additional vector known): 23%
  • Exploited vulnerabilities: 18%
  • Brute-force: 6%

Combined, email and phishing alone account for 50% of ransomware initial access — more than all other categories combined. A full 67% of all incidents investigated by Sophos IR and MDR teams were rooted in some form of identity attack.

Brute-force (15.6%) has nearly converged with exploitation (16%) as an initial access vector, another signal that attackers are investing less in exploit development and more in credential harvesting at scale.

The MFA Paradox

Perhaps the most alarming finding: MFA was deployed in 97% of credential-based ransomware cases — yet failed to prevent compromise in every one of them.

The apparent contradiction is explained by the evolution of bypass techniques now standard in criminal tooling:

  • Adversary-in-the-Middle (AitM) phishing kits — platforms like Tycoon 2FA intercept session cookies and MFA tokens in real time. (Tycoon's infrastructure was seized by Europol and Microsoft in March 2026, but successors remain active.)
  • MFA fatigue (push bombing) — up 217% year-over-year, attackers flood users with authentication prompts until one is approved.
  • Session token theft — stolen cookies allow attackers to replay authenticated sessions without triggering MFA workflows.
  • Vishing — attackers impersonate internal IT over Microsoft Teams to social-engineer MFA codes or push approvals.

The broader Active Adversary dataset — not limited to ransomware — shows that 59% of identity-based cases involved systems with no MFA at all, suggesting incomplete rollout across enterprise environments remains a major problem even when MFA is "deployed."

Attacker Tradecraft at Speed

The pace of modern ransomware operations leaves little time for defenders:

  • Median dwell time: 3 days from initial access to ransomware deployment
  • Time to reach Active Directory: 3.4 hours after gaining a foothold
  • Payload timing: 88% of ransomware deployed outside business hours
  • Exfiltration timing: 79% of data theft also occurs off-hours

Sophos observed 51 distinct ransomware brands active in the study period — 27 returning and 24 new entrants. Akira led the field, accounting for 22% of all incidents.

On AI: despite significant media speculation, Sophos confirmed confirmed AI use in exactly 1 of 661 cases — a deepfake. No evidence of AI-driven transformation in attacker methodology was found.

What to Do

The shift from exploit-centric to identity-centric attacks requires defenders to shift investment accordingly:

1. Replace push and OTP MFA with phishing-resistant alternatives. FIDO2 security keys and passkeys are the only MFA technologies that consistently resist AitM and fatigue attacks. If your MFA can be phished, it will eventually be bypassed.

2. Deploy Identity Threat Detection and Response (ITDR). Endpoint detection covers where code runs; ITDR covers where identities are abused. The two are complements, not substitutes.

3. Audit non-human identities. Service accounts, API tokens, and automation credentials are often overlooked in identity hardening projects. Sophos found these credentials disproportionately present in lateral movement paths.

4. Reduce internet-facing identity infrastructure exposure. VPN concentrators, RDP endpoints, and federation portals exposed to the internet remain favored brute-force targets. Put them behind zero-trust access policies where possible.

5. Extend log retention. Sophos noted a doubling year-over-year in cases where missing logs impeded investigation. Default retention on firewall appliances can be as short as 24 hours — far too short to reconstruct a 3-day intrusion.

6. Ensure 24/7 monitoring. With 88% of ransomware deployed outside business hours, Monday-to-Friday 9-to-5 SOC coverage is structurally insufficient. MDR services or continuous in-house monitoring are required.

Bottom Line

The ransomware threat actor community has largely made its bet: credentials are cheaper to steal than vulnerabilities are to find and weaponize. Patching remains necessary — but it is no longer sufficient as a primary defensive posture. Identity hygiene and phishing-resistant authentication are now the front line.

References

  • Sophos Active Adversary Report 2026
  • Sophos State of Ransomware 2026
  • Dark Reading — Identity Attacks Overtake Exploits as Top Ransomware Cause
#Ransomware#Identity Security#MFA#Phishing#Sophos#Threat Intelligence#Cybercrime

Related Articles

Agentic AI Used to Conduct Ransomware Attack via Langflow Vulnerability

Threat group JadePuffer leveraged an LLM agent to autonomously execute a multi-stage ransomware-style attack through a critical Langflow vulnerability,...

4 min read

JadePuffer Ransomware Used an AI Agent to Automate the Entire Attack

Security researchers have documented what appears to be the first ransomware operation conducted entirely by a large language model agent — JadePuffer...

3 min read

How Ransomware Syndicates Weaponize Corporate-Style Organization

From outsourced labor to tiered pricing models, today's top ransomware groups operate less like rogue hackers and more like Fortune 500 companies — with...

5 min read
Back to all News