79% of Ransomware Attacks Now Originate from Compromised Identities, Sophos Report Finds
Today, Sophos released its seventh annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries identifying the impact of ransomware on businesses and how prepared organisations are to defend against them. This year’s report reveals that identity is the dominant initial access vector (IAV), with four in five (79%) […]
Posted: Thursday, Jul 16
  • KBI.Media
  • $
  • 79% of Ransomware Attacks Now Originate from Compromised Identities, Sophos Report Finds
79% of Ransomware Attacks Now Originate from Compromised Identities, Sophos Report Finds
Today, Sophos released its seventh annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries identifying the impact of ransomware on businesses and how prepared organisations are to defend against them. This year’s report reveals that identity is the dominant initial access vector (IAV), with four in five (79%) of ransomware attacks starting with compromised identities.
The prominence of identity attacks in ransomware indicates a shift in method, as attackers increasingly recognise identity as a key component in ransomware delivery. Additionally, for the first time in four years, exploited vulnerabilities are no longer the most common root cause, with malicious email (26%) and phishing (24%) taking the top spot.
However, exploited vulnerabilities remain a high value target: 59% of ransom demands that start with an exploited vulnerability on the firewall are for $1M or more compared to 48% of all attacks.
“As we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,” said Ross McKerchar, chief information security officer, Sophos. “This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts. However, the improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities. Defenders cannot rely on patching alone to keep pace, so reducing external exposure and maintaining strong endpoint protection is essential.”
The report also found that, out of the organisations hit by ransomware, 56% had their data encrypted, an increase which has reversed a two-year downward trend.
Additional findings highlight:
While organisations face prevention challenges as threat actors evolve their techniques, significant progress has been made to improve their ability to recover. Increased investment in backup infrastructure has likely contributed to organisations recovering faster following a ransomware attack; over half (55%) of organisations manage to do so within one week, and 16% in less than a day.
Organisations are continuing to be effective at negotiating with ransomware operators. Among those that chose to pay, 51% successfully negotiated a settlement below the attackers’ initial ransom demand. The median ransom demands made by attackers have dropped by 65% over the last two years, and the proportion of organisations paying the ransom to recover data has fallen to 48%, the second-lowest rate on record after 2023 (46%).
While improved strategies have impacted the adversary’s ability to extract financial gain through ransom demands, the average recovery costs following an attack has increased, now at $1.7 million per incident.
“Organisations have strengthened their ransomware resilience in the past year, and those investments are largely paying off,” said McKerchar at Sophos. “However, ransomware continues to cost organisations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organisations far more cheaply and quickly than before. Organisations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”
Sophos recommends the following best practices to help organisations build integrated, AI-driven defenses that bring together technology, people and processes:
Share This