Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Compromised Logins Surge as the Most Common Entry Point for Ransomware

July 15, 2026

Eleven Vulnerable UEFI Shims Enable Secure Boot Bypass

July 15, 2026

AI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up

July 15, 2026
Facebook X (Twitter) Instagram
Wednesday, July 15
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»Cyber Security»Compromised Logins Surge as the Most Common Entry Point for Ransomware
Cyber Security

Compromised Logins Surge as the Most Common Entry Point for Ransomware

Team-CWDBy Team-CWDJuly 15, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Identity-based attacks and abuse of compromised credentials have become the most common method cybercriminals use to hit networks with ransomware, analysis of real-world incidents has revealed.

According to a new report by Sophos, 79% of ransomware attacks can be traced back to an initial intrusion which exploited compromised identities and legitimate user logins.

In total, malicious emails accounted for the initial entry point for ransomware in 26% of analyzed incidents, up from 19% in 2025.

Phishing attacks, often used to steal legitimate login credentials, were the root cause of ransomware attacks in 24% of incidents, which is up from 18% during the previous year.

The third most common entry point for ransomware incidents was brute force attacks, a method which sees cybercriminals use automation and trial and error to breach commonly used or weak passwords. This accounted for 23% of ransomware attacks, a slight drop from 22% during the previous year.

Identity-based attacks have risen at the expense of vulnerabilities being exploited. Previously, the most common root cause of ransomware incidents, the percentage of attacks which started with attackers exploiting known security vulnerabilities dropped from 32% in 2025 to 18% in 2026.

“Over the last 12 months across the ransomware landscape we’ve seen attackers rely on ‘easier’ attacks, using compromised identities as the primary initial access vector. Not to mention the developments in social engineering, with AI routinely deployed to polish phishing emails and sophisticated ClickFix campaigns designed to trick even the most trained users into bypassing MFA. This years trend shows they are focused on targeting humans,” Ross McKerchar, CISO at Sophos told Infosecurity.

Attackers are leveraging the exploited identities in several different ways, using them to access exposed applications or systems (38%), remote device logins (30%) and firewalls (21%) as well as exposed VPNs (8%) and in some cases, IoT devices as the initial point of entry (3%).

There is not one factor that left organizations exposed to attacks, but there are some common trends. According to the 2158 cybersecurity leaders surveyed by Sophos, 62% cited security gaps in the network, both known and unknown as a potential reason for cyber-attacks going undetected.

Over half (58%) said their organization was held back by resources around a lack of people or appropriate expertise to keep the organization safe from cyber threats.

Meanwhile, 57% of respondents said that they felt that their organization had not implemented the correct level of cybersecurity solutions or protections to keep the network or users safe.

Recovering From a Ransomware Attack

For those organizations which fell victim to a ransomware attack to the extent data was encrypted, 48% said that they paid the ransom to get data back. In addition to this, 66% said they used their own backups to restore some of the encrypted data, up from 54% in 2025.

When it came to ransom demands, the report said that the median ransom demand has fallen to $698,000 in this year’s report, down from $2m just two years ago. However, the large organizations continue to receive much higher ransom demand, amounting to millions of dollars.

While it might look as if ransom payments are getting lower, what is really happening is that cybercriminals are tailoring their ransom demands to the organizations they hit, demanding less from smaller organizations. That’s simply because if they went in with a ransom demand that was too high, the organization would refuse to pay.

However, if the ransom demand is more ‘reasonable’ it can push the victim to pay up for the decryption key, especially if they believe that not paying the ransom would cost them more in lost earnings in the near-term future.

With identity-based attacks the main means of cyber-criminals initiating ransomware attacks, the best way for cybersecurity leaders to ensure their organization does not become a victim is to ensure identity-based controls are robust enough to defend against malicious behavior.

“Organizations should prioritize identity threat detection and response (ITDR), enforce multi-factor authentication across all access points, and regularly audit both human and non-human identity credentials,” the Sophos report recommended.

“Organizations that treat identity as a foundational security layer, rather than an afterthought, are better positioned to prevent attacks from succeeding in the first place,” it concluded.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleEleven Vulnerable UEFI Shims Enable Secure Boot Bypass
Team-CWD
  • Website

Related Posts

Cyber Security

Australian Cyber Agency Warns of Global CMS Exploitation Campaign

July 14, 2026
Cyber Security

Pakistani Police Systems Hit by Chinese and Indian Espionage

July 13, 2026
Cyber Security

New Ransomware Exploits Malicious Driver to Remove Security Protection

July 11, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Watch out for SVG files booby-trapped with malware

September 22, 2025

What it takes to fool facial recognition

March 14, 2026

Don’t let “back to school” become “back to bullying”

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.