The seventh annual ransomware study by Sophos shows a decisive shift in attacker tactics — and a mixed picture for defenders. Email-borne and identity-based attacks now dominate, encryption rates are creeping back up, but ransom payments keep falling as victims get better at negotiating.

Ransomware attackers are changing their playbook. According to the newly published Sophos “State of Ransomware 2026” report, based on a survey of 2,158 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the past year, identity compromise has overtaken exploited software vulnerabilities as the dominant way attackers break in.

Malicious email (26%) and phishing (24%) are now the two leading root causes of ransomware incidents, together accounting for half of all attacks, according to the survey. Exploited vulnerabilities, which had topped the rankings for three consecutive years, fell sharply from 32% in 2025 to 18% this year. Compromised credentials remained steady at 23%. In total, the report states, 79% of attacks started with an identity-based approach — either stealing credentials or abusing ones already obtained.

The identity link runs deeper still: two-thirds (67%) of ransomware victims confirmed that the ransomware incident was also their most significant identity-related security breach of the year, according to Sophos.

New data in this year’s report also shows where these attacks physically originate inside organizations: exposed applications and systems accounted for 38% of entry points, followed by user devices (30%) and firewalls (21%) — a pattern the report links to the continued shift toward cloud and SaaS environments.

MFA alone isn’t enough

One of the report’s more sobering findings concerns multi-factor authentication. Among organizations where compromised credentials caused the breach, 97% reportedly had some form of MFA enabled at the time of the attack, using an average of 2.5 methods. Sophos concludes that MFA deployment, while essential, is not sufficient on its own if coverage gaps remain across systems.

Firewalls, meanwhile, played a measurable protective role: 61% of victims said their firewall detected the attack before ransomware was deployed, correlating with a 50% encryption rate — versus 71% when the firewall failed to detect the attack at all, the survey found.

Encryption rate ticks back up

After two years of decline, the share of attacks that successfully encrypted data rose to 56%, up from a low of 50% in 2025, though still well below the 76% peak recorded in 2023. Of these, 16% involved both encryption and data theft — a “double extortion” pattern the report describes as particularly damaging.

Ransoms keep shrinking

Despite the uptick in successful encryption, the money attackers are collecting continues to fall. The median ransom demand dropped to $698,000, a 65% decline over two years, while the median payment fell to $769,000, down from $1 million in the previous report. Just under half (48%) of victims whose data was encrypted paid a ransom — the lowest rate in three years — and 51% of those who paid negotiated the amount down from the original demand, per Sophos.

Backup-based recovery, meanwhile, surged to 66% of encrypted-data cases, up 12 percentage points, suggesting renewed investment in backup infrastructure is paying off.

Costs and human toll remain high

Still, the financial and human costs of an attack remain substantial. The average recovery cost, excluding any ransom paid, rose 11% year-over-year to $1.7 million. And virtually all affected IT and security teams — 99% — reported lasting personal repercussions, most commonly increased anxiety about future attacks (41%) and pressure from leadership (40%). In one in five cases (21%), the incident led to a change in IT leadership.

Sophos recommends that organizations prioritize identity threat detection, comprehensively enforce MFA, strengthen email filtering (DMARC/DKIM/SPF), invest in tested, immutable backups, and connect firewall telemetry into XDR/MDR platforms to catch attacks before encryption occurs.

(Source: Sophos “State of Ransomware 2026” report, based on a Vanson Bourne survey of 2,158 IT/security leaders in 17 countries, Q1 2026)

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Cookie Notice by Real Cookie Banner