Compromised Credentials Overtake Vulnerabilities as Primary Ransomware Entry Point
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 7:03 PM EDT
Compromised Credentials Overtake Vulnerabilities as Primary Ransomware Entry Point
Compromised Credentials Overtake Vulnerabilities as Primary Ransomware Entry Point
Sophos research published in 2026 shows identity-based initial access has displaced software vulnerability exploitation as the dominant path into ransomware. In a vendor-agnostic survey of 2,158 leaders whose organizations were hit in the prior year, malicious email (26 percent), phishing (24 percent), and compromised credentials (23 percent) led the rankings, while exploited vulnerabilities fell to 18 percent from 32 percent the year before. Parallel analysis of 661 incident-response and managed-detection cases found 67.32 percent of root causes were identity-related, with generic compromised credentials alone at 42.06 percent. Attackers are no longer primarily breaking in; they are logging in.
The dual datasets crystallize a multi-year shift that forces boards and CISOs to reallocate attention beyond traditional patch programs. For the first time in four years, vulnerabilities lost their top root-cause spot in the State of Ransomware survey. Combined, email and phishing accounted for roughly half of victim-reported starts. Brute-force attacks registered at 6 percent. Seventy-nine percent of ransomware attacks began with an identity-based approach, and 67 percent of victims said the ransomware event was also their most significant identity attack.
Incident-response telemetry paints a complementary picture with different taxonomy. Across cases handled between November 2024 and October 2025, identity-related root causes—brute force, credential phishing, authentication-token theft, trusted relationships, and the catch-all “compromised credentials”—totaled 67.32 percent. Compromised credentials accounted for 42.06 percent, brute force 15.58 percent (nearly tied with vulnerability exploitation at 16.04 percent), and phishing 6.35 percent—more than double the prior year. The “compromised credentials” label frequently appears when logs are insufficient to prove how credentials were stolen.
Methodology differences matter. The survey captures self-reported root cause from organizations that suffered ransomware. The Active Adversary Report reflects forensic findings from Sophos IR and MDR engagements, heavily weighted toward organizations with fewer than 1,000 employees. Both independently show identity overtaking vulnerabilities.
Credential techniques chain into ransomware efficiently. Stolen or reused passwords—often from initial-access brokers, infostealers, or prior breaches—enable valid logins to VPN, RDP, SaaS, or firewall admin interfaces. Phishing harvests credentials or session tokens; adversary-in-the-middle reverse-proxy kits capture cookies that let attackers replay authenticated sessions and bypass one-time MFA. Brute force and password spraying still succeed against exposed services. Trusted relationships and over-privileged partner or MSP accounts provide additional footholds.
Multi-factor authentication fails more often than many boards realize. In the victim survey, MFA was present in some form in 97 percent of ransomware cases that began with compromised credentials—yet the attacks still succeeded. Coverage gaps explain the paradox: SaaS applications frequently have MFA, while VPN concentrators, firewall consoles, and legacy apps often do not. In the IR dataset, MFA was missing where it mattered in 59 percent of cases. Partial deployment creates a false sense of security while attackers target the unprotected surface.
Once inside, speed is decisive. Median time from foothold to Active Directory reached just 3.4 hours. Median dwell time across cases was three days. Living-off-the-land binaries, remote-monitoring tools, and PsExec-style lateral movement remain constant. Ransomware payloads and data exfiltration overwhelmingly occur outside business hours—88 percent of payloads and 79 percent of exfiltration. Initial compromise locations for vulnerability, credential, and brute-force starts clustered around exposed applications and systems (38 percent), user devices (30 percent), firewalls (21 percent), VPNs (8 percent), and IoT (3 percent). Firewall starts correlated with higher ransom leverage: 59 percent of those demands reached $1 million or more versus a 48 percent baseline.
Why identity eclipsed bugs is straightforward economics. Logging in with valid credentials is cheaper, more reliable, and harder to distinguish from legitimate traffic than racing zero-days or mass exploits. A single phishing kit or purchased credential list scales across many targets. Infostealer markets, initial-access brokers, AiTM frameworks, and password-spraying automation form a commodity stack. Generative AI has increased phishing volume and polish, yet Sophos found no major AI-driven transformation of core ransomware techniques in 2025 casework. Cloud and hybrid identity sprawl—human accounts, non-human service accounts, federation paths spanning Active Directory, Entra ID, and cloud providers—expands the attack surface. Defender programs remain mature around patching, while identity hygiene, continuous authentication, and identity threat detection and response (ITDR) are newer and ownership-fragmented. Threat-group proliferation favors repeatable identity paths; Akira alone accounted for roughly 22 percent of observed ransomware brands in the IR set.
Traditional vulnerability-management programs remain necessary but are no longer sufficient as the primary ransomware control. Edge devices still deliver high blast radius when compromised. Volume attackers simply prefer the path of least resistance: valid logins.
Concrete controls that reduce successful entry map directly to the findings:
Deploy phishing-resistant MFA (FIDO2, WebAuthn, passkeys) first on VPN, RDP, IdP, firewall admin, and privileged SaaS—not only Microsoft 365—and close coverage gaps that left MFA missing where it mattered in 59 percent of IR cases.
Implement ITDR for continuous visibility across human and machine identities: anomalous login detection, identity-graph analysis of privilege paths, token anomalies, and inline actions that challenge, kill sessions, or revoke tokens.
Enforce session hygiene—short token lifetimes, continuous conditional-access re-evaluation, device-posture binding, and global session revocation on risk—to counter cookie and token theft that renders one-time MFA useless.
Reduce privilege pathways (least privilege, tiered admin, no standing global admin, retirement of dormant privileged service accounts) to slow the 3.4-hour race to domain dominance; replace broad legacy VPN with zero-trust network access where feasible.
Strengthen email authentication (DMARC, DKIM, SPF) plus anti-phishing defenses; add credential-stuffing and spray detection at the identity provider.
Retain identity, VPN, firewall, and IdP logs for at least 90 days (preferably immutable) and equip 24/7 SOC or MDR capacity to hunt valid-account abuse, not only malware.
Vulnerability-management and identity teams must realign. Vulnerability teams should elevate time-to-patch for internet-facing identity-adjacent assets—VPN, firewall, IdP, SSO, ADFS, RDP gateways—and prioritize known-exploited and ransomware-linked vulnerabilities. Identity and PAM teams should report phishing-resistant MFA coverage by asset class, orphaned and dormant privileged accounts, non-human identity inventory, and session-revoke mean time to respond. SOC metrics should include valid-account abuse detections and dwell time from first anomalous authentication.
CISOs need joint scorecards that track closed ransomware-relevant attack paths rather than isolated CVE SLAs or MFA enrolment percentages. Shared runbooks—credential stuffing alert triggers forced reset, global session kill, and IAM ticket—prevent siloed response. Weekly triage across identity, vulnerability management, and SOC of exposed auth surfaces, new privilege paths, and edge CVEs keeps collaboration operational.
Residual risks remain even after strong identity controls. Zero-day and N-day exploitation of edge appliances still accounts for 16–18 percent of starts and often produces larger ransom demands. Supply-chain and trusted-third-party access, helpdesk social engineering that disables MFA, non-human identities and secrets outside user MFA programs, and post-authentication living-off-the-land all persist. Missing telemetry continues to blind response. Encryption still succeeded in 56 percent of attacks (up from 50 percent), average recovery cost reached $1.7 million (up 11 percent), and the median demand stood at $698,000. Immutable backups and tested recovery remain non-negotiable.
Patch prioritization should therefore weight residual risk: P0 for internet-facing authentication and network-edge devices; P1 for domain controllers and identity infrastructure; P2 for ransomware-favored enterprise applications with public exploits; P3 for internal systems already behind strong session controls and zero-trust access. Prompt patching of known vulnerabilities—especially on edge devices—must continue alongside identity investment, not instead of it.
The evidence is consistent across survey and forensic lenses: compromised credentials have become the preferred ransomware entry point. Organizations that continue to treat identity as a secondary control after endpoint and vulnerability management will keep losing the race that now averages 3.4 hours to Active Directory. ITDR, phishing-resistant MFA everywhere it matters, continuous session validation, and disciplined log retention are the core controls that determine whether a valid login becomes a ransomware event.