Today, Sophos released its seventh annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries identifying the impact of ransomware on businesses and how prepared organisations are to defend against them. This year’s report reveals that identity is the dominant initial access vector (IAV), with four in five (79%) of ransomware attacks starting with compromised identities.
The prominence of identity attacks in ransomware indicates a shift in method, as attackers increasingly recognise identity as a key component in ransomware delivery. Additionally, for the first time in four years, exploited vulnerabilities are no longer the most common root cause, with malicious email (26%) and phishing (24%) taking the top spot.
However, exploited vulnerabilities remain a high value target: 59% of ransom demands that start with an exploited vulnerability on the firewall are for $1M or more compared to 48% of all attacks.
“As we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,” said Ross McKerchar, chief information security officer, Sophos. “This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts. However, the improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities. Defenders cannot rely on patching alone to keep pace, so reducing external exposure and maintaining strong endpoint protection is essential.”
The report also found that, out of the organisations hit by ransomware, 56% had their data encrypted, an increase which has reversed a two-year downward trend.
Additional findings highlight:
- Two-thirds of ransomware victims (67%) confirmed their ransomware incident was also their most significant identity attack, establishing identity compromise as a primary ransomware delivery mechanism.
- Over half of ransomware attacks (56%) succeeded in encrypting data, including 16% where data was both encrypted and stolen. That success rate is up from 50% in 2025, but below the 75% peak in 2023.
- When data is encrypted, attackers have a 50-50 chance of receiving a ransom payment. 48% of organisations whose data was encrypted paid the ransom, bringing the four-year average payment rate to 50%.
- Only 34% of small organisations (100–250 employees) stopped attacks before encryption or extortion. This is significantly behind 3,001–5,000 employee organisations that stopped attacks 46% of the time.
- Multi-factor authentication (MFA) was deployed in some capacity for 97% of incidents where compromised credentials were the root cause of the ransomware attacks, making clear that MFA alone is not enough to stop ransomware, and that coverage gaps create exposure.
- The UK saw the highest median ransom demand recorded for any country at $2.5 million.
While organisations face prevention challenges as threat actors evolve their techniques, significant progress has been made to improve their ability to recover. Increased investment in backup infrastructure has likely contributed to organisations recovering faster following a ransomware attack; over half (55%) of organisations manage to do so within one week, and 16% in less than a day.
Organisations are continuing to be effective at negotiating with ransomware operators. Among those that chose to pay, 51% successfully negotiated a settlement below the attackers’ initial ransom demand. The median ransom demands made by attackers have dropped by 65% over the last two years, and the proportion of organisations paying the ransom to recover data has fallen to 48%, the second-lowest rate on record after 2023 (46%).
While improved strategies have impacted the adversary’s ability to extract financial gain through ransom demands, the average recovery costs following an attack has increased, now at $1.7 million per incident.
“Organisations have strengthened their ransomware resilience in the past year, and those investments are largely paying off,” said McKerchar at Sophos. “However, ransomware continues to cost organisations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organisations far more cheaply and quickly than before. Organisations can no longer rely on complexity or obscurity to hide gaps in their environment. The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection, and response work together as part of a unified cybersecurity strategy.”
Sophos recommends the following best practices to help organisations build integrated, AI-driven defenses that bring together technology, people and processes:
- Treat identity as a foundational security layer – Organisations should prioritise ITDR, enforce phishing-resistant multi-factor authentication across all access points, and regularly audit both human and non-human identities.
- Invest in backup and recovery infrastructure – Backups should be tested regularly, stored offline or in immutable formats, and integrated into a documented incident response plan that can be executed under pressure.
- Maintain exposure management programs – Organisations should maintain rigorous patching schedules, prioritise internet-facing assets, and consider how emerging AI-assisted tools can accelerate vulnerability identification and remediation.
- Reduce exposure via the firewall and leverage firewall telemetry to detect attacks early. Ensure your firewall receives rapid – ideally automated – updates and minimise internet-facing services like admin access and user portals. Connect firewalls to XDR and MDR solutions to enable firewall telemetry to help detect ransomware attacks before payloads are deployed.




