Ransomware, Identity

Stolen identities cause 79% of ransomware attacks, says Sophos report

Cybersecurity and Digital Protection

Lapses in identity cause 79% of ransomware attacks, according to an annual study by security vendor Sophos.

Sophos researchers said many of these attacks aim to secure credentials for abuse or exploit credentials that had already been secured, underscoring the importance of identity in a holistic security posture.

The report found that 67% of ransomware victims said their ransomware incident was also their most significant identity attack.

 Along with identity, the other two leading access points for ransomware were malicious email at 26% and phishing at 24%.

Worthy of note was that exploited vulnerabilities — the top root cause of the past three years — dropped 14 percentage points over last year to 18%.

“Attackers have realized they no longer need to hack through firewalls when they can simply log in with stolen credentials,” said Kevin Surace, chief executive officer at TokenCore. “Identity has become the new perimeter, and phishing, social engineering, and credential theft are faster, cheaper, and more reliable than exploiting software vulnerabilities.”

Surace added that AI has made phishing nearly indistinguishable from legitimate communications, allowing attackers to steal credentials and even bypass legacy MFA through real-time relay attacks.

"Ideally, we'll get better at preventing identity attacks, which of course will likely shift the attackers to target the next easiest entry point," said Chester Wisniewski, Global Field CISO at Sophos. "It's a lot harder than it sounds, though. Most organizations surveyed have deployed some MFA, but based on my experience working with victims is that MFA is not on every entry point, or it supports a mix of strong passkeys or U2F and weak, time-based one-time passwords and push notifications, where the attackers can simply downgrade to the weakest form and circumvent the control. " 

This data confirms something we've been tracking on the intelligence side for a while: credentials have become the cheapest, highest-return way into a network, and an entire criminal economy has built up around them, said Roman Sannikov, global research coordinator at iCounter.

“Exploiting a vulnerability takes research, timing, and a narrow window before it gets patched," said Sannikov. "Buying or phishing a working credential is faster, repeatable, and once you're in, you look like a legitimate user instead of an intruder.”

Sannikov said the MFA number in this report is also worth pointing out:  97% of the organizations breached through compromised credentials already had MFA turned on.

“That's not an argument against MFA, but not all MFA is created equal,” said Sannikov. “Some organizations still push codes over SMS or email, and if a threat actor already has a working set of credentials, there's a real chance they also have access to that person's email or phone account, the same channels that MFA is relying on to prove it's really them. I once had a CISO tell me, 'why should I worry about credentials, we have MFA.' That's exactly the mindset this data should put to rest.”

Jacob Krell, senior director, secure AI solutions and cybersecurity at Suzu Labs, added it’s clear MFA alone isn't enough.

“MFA works for people logging in at a screen, said Krell. “It doesn't cover a stolen session token, an API key, or a service account authenticating in the background. Stopping credential acquisition matters more now than catching ransomware payloads at the endpoint. Once an attacker establishes trusted identity, every later stage of the attack gets easier.”

Shane Barney, chief information security officer at Keeper Security, said stolen credentials are now the dominant ransomware entry point, and the trend has accelerated. Barney said once attackers obtain a legitimate identity, they can move through an environment undetected, escalating privileges and staging ransomware before most teams know something is wrong. 

“The goal isn't just stopping the initial breach,” said Barney. “It’s limiting the blast radius when credentials are compromised. Organizations that can't see who has access to what, and can't revoke it fast, will keep finding out after the fact. That's what zero-trust and strong identity governance are designed to prevent.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds