Identity-Based Attacks: A Growing Threat in Cybersecurity
Identity-based attacks and the exploitation of compromised credentials have emerged as the predominant tactics employed by cybercriminals to infiltrate networks and deploy ransomware, according to a recent analysis of real-world incidents. The findings, revealed in a comprehensive report from cybersecurity firm Sophos, emphasize a troubling trend in the evolution of ransomware attacks.
The report indicates that a staggering 79% of ransomware incidents can be traced back to initial intrusions that exploited compromised identities and legitimate user logins. This marks a significant shift in the methods utilized by cybercriminals, who have increasingly favored easier access points over more complex vulnerabilities.
Delving deeper into the specifics, the analysis found that malicious emails served as the first entry point in 26% of the cases reviewed, demonstrating a notable increase from 19% in 2025. Phishing, a technique widely recognized for its efficacy in stealing legitimate login credentials, accounted for 24% of ransomware incidents, up from 18% in the previous year. This rise highlights the effectiveness of social engineering tactics, which have become ever more sophisticated, particularly with the integration of artificial intelligence in crafting convincing phishing emails.
Further diversifying their tactics, attackers employed brute force methods in 23% of ransomware incidents. This technique involves the automated guessing of passwords, particularly those that are weak or commonly used. Interestingly, this method saw only a slight decrease from 22% in 2025, reflecting its continued relevance in the attack landscape.
As identity-based attacks have surged, the exploitation of known security vulnerabilities has declined sharply. Previously the most common root cause of such incidents, attacks leveraging these vulnerabilities decreased from 32% in 2025 to just 18% in 2026. This decline underscores a significant shift in the modus operandi of cybercriminals, who now prioritize compromised identities as a more straightforward means of securing initial access.
Ross McKerchar, CISO at Sophos, elaborated on this trend, stating, “Over the last 12 months across the ransomware landscape, we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. The developments in social engineering tactics, with AI being routinely deployed in phishing schemes, pose real challenges. Ransomware attacks are increasingly focused on deceiving human users, even those who are well-trained to spot irregularities.”
The methods employed by attackers to leverage compromised identities are diverse. According to the report, they frequently utilize these stolen credentials to access various systems, including exposed applications (38%), remote device logins (30%), and firewalls (21%). Additionally, exposed VPNs and IoT devices were cited as entry points in 8% and 3% of cases, respectively.
The research highlighted several systemic weaknesses within organizations, indicating that there is rarely a single factor responsible for increased vulnerability to attacks. A survey conducted by Sophos of 2,158 cybersecurity leaders revealed that 62% identified security gaps—both known and unknown—as significant contributors to the undetected nature of many cyber-attacks. Furthermore, 58% of the respondents expressed concerns regarding a lack of resources, particularly in terms of manpower and expertise, which hindered their ability to safeguard their organizations from burgeoning cyber threats.
Additionally, 57% of organizations acknowledged that they had not implemented adequate cybersecurity solutions or protective measures to ensure the safety of their networks and users. This underscores the critical need for organizations to reassess their cybersecurity strategies in light of evolving threats.
Recovery Strategies After Ransomware Attacks
For organizations that have already fallen victim to ransomware attacks, the recovery process often involves difficult decisions. The report disclosed that 48% of organizations opted to pay the ransom to regain access to their encrypted data. Simultaneously, 66% reported utilizing their own backups to restore some data, a marked increase from 54% in the prior year.
When considering ransom demands, there has been a noticeable trend: the median ransom has decreased to $698,000 this year, down from $2 million just two years prior. However, larger organizations continue to face exorbitant ransom requests—often reaching into the millions. This may suggest that while ransom payments appear to be declining overall, cybercriminals are strategically lowering demands for smaller organizations to maximize the likelihood of payment.
As the primary method for initiating ransomware attacks shifts to identity-based approaches, cybersecurity leaders are urged to implement robust identity controls. According to the Sophos report, organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and conduct regular audits of both human and non-human identity credentials.
Ultimately, the report concludes that viewing identity as a foundational security layer, rather than an afterthought, significantly enhances an organization’s defenses against cyber threats. With the continued rise of identity-based attacks, a proactive stance will be crucial in minimizing the risk of becoming a victim of ransomware in the future.

