Virtual Round Table · Jul 22

View the event
Identity Overtakes the Exploit: Why Stolen Logins Now Drive More Ransomware Than Unpatched Bugs
Cybersecurity

Identity Overtakes the Exploit: Why Stolen Logins Now Drive More Ransomware Than Unpatched Bugs

Sophos data puts email and stolen credentials, not software flaws, at the root of most ransomware, and MFA was present in 97 percent of the credential cases that still failed.

PublishedJuly 16, 2026
Read time6 min read
Share

The Root Cause Moved

The threat model most security programs were built around has quietly inverted. New data from Sophos, reported by Dark Reading on July 15, shows that malicious email at 26 percent and phishing at 24 percent are now the leading root causes of ransomware, while exploited vulnerabilities have dropped to 18 percent from 32 percent the previous year. Compromised credentials appear in another 23 percent of cases. Taken together, identity-centric entry paths account for the clear majority of incidents. For a decade we treated patching cadence and exposed CVEs as the primary battleground, and that work still matters. The center of gravity has shifted toward who is logging in.

This matters for how a CISO allocates the next dollar. Vulnerability management programs are mature, well tooled, and increasingly automated, which is precisely why attackers have moved on. Buying access through a phished session or a bought credential is cheaper and quieter than burning a zero-day. We read the Sophos figures as confirmation that the enterprise attack surface is now defined by identities, sessions, and tokens as much as by unpatched software. The organizations that keep spending disproportionately on the exploit path while underfunding identity will find themselves defending the last war.

MFA Is Necessary and No Longer Sufficient

The most uncomfortable number in the report is that multifactor authentication was deployed in 97 percent of the cases where compromised credentials were the root cause, and it still failed to prevent the breach. That statistic should end any boardroom conversation that treats MFA rollout as the finish line for identity security. Attackers have industrialized the techniques that route around a second factor: adversary-in-the-middle phishing kits that capture live session tokens, MFA fatigue bombing, SIM swaps, and help-desk social engineering that resets the factor entirely. Once a valid session token is in hand, the prompt the user already approved becomes the attacker's key.

The operational takeaway is that authentication strength and session integrity are separate problems, and most enterprises have only solved the first. Phishing-resistant methods such as passkeys and hardware security keys close a large part of the gap, yet coverage remains partial in most estates, concentrated on privileged users while the long tail of service accounts and contractors stays on weaker factors. We would push every identity roadmap to distinguish between authenticating a user and continuously validating that the session in flight still belongs to them. That distinction is where the 97 percent failure rate actually lives.

The Non-Human Identity Blind Spot

The credential problem is no longer confined to people. Enterprises now run vast populations of machine identities: service accounts, API keys, OAuth tokens, CI/CD secrets, and the fast-growing roster of AI agents that authenticate on their own. These identities rarely have MFA, are seldom rotated on a disciplined schedule, and frequently carry standing privileges that a human would never be granted. When an attacker lands on the identity plane, these are the credentials that let them move laterally and persist without tripping the controls tuned for human behavior. The ransomware root-cause data is a human-login story today, and the machine-login story is arriving fast behind it.

For technology leaders pushing agentic AI into production, this is a governance question that cannot wait for a later phase. Every agent that reads a mailbox, calls an internal API, or executes a workflow is a new credential with a blast radius. We advise treating non-human identity inventory, scoping, and rotation as a launch requirement rather than a cleanup task, because the alternative is discovering the sprawl during an incident. Identity security programs that count only their human users are measuring a shrinking fraction of their real exposure.

What the Attack Chain Looks Like Now

The modern ransomware chain reads less like an exploit and more like an intrusion into a legitimate account. It typically starts with a convincing email or a phishing page that harvests a credential or a live session, proceeds through reconnaissance using the access the victim already had, escalates by abusing existing entitlements or a poorly guarded service account, and only reaches encryption after the attacker has quietly mapped the environment and located the backups. Two thirds of victims in the Sophos data described the resulting event as their most significant identity attack of the year, which tells us the identity compromise and the ransomware are the same story rather than two.

This reframing changes where detection has to live. Endpoint and network signals still catch the noisy final stages, yet by then the attacker has often held valid access for days or weeks. The higher-value telemetry sits in the identity provider: impossible-travel logins, anomalous token issuance, new device registrations, sudden privilege grants, and consent to unfamiliar OAuth applications. We would rather catch the anomalous authentication on day one than the encryption on day fourteen, and that ordering should shape both tooling budgets and the questions asked in every incident review.

Where CISOs Should Spend Next

The practical response is to fund identity threat detection and response with the seriousness once reserved for endpoint detection. ITDR watches the identity fabric itself, correlating signals across the identity provider, directory, and SaaS estate to flag credential abuse that individual application logs miss. Paired with phishing-resistant authentication for the entire workforce rather than a privileged subset, it addresses the exact failure mode the data exposes. The supporting hygiene is unglamorous and decisive: prune standing privilege, enforce least privilege on service accounts, rotate secrets, and put a real lifecycle around every token an application holds.

None of this displaces vulnerability management, and the 18 percent of attacks that still ride an exploit are reason enough to keep patching hard. The argument is one of proportion. If identity now drives more than half of ransomware and MFA alone demonstrably fails against it, the budget mix should reflect that reality. We expect the next two years of security spending to tilt visibly toward identity, and the enterprises that move first will spend the difference on prevention rather than on incident response retainers and breach notification lawyers.

The Bottom Line for Technology Leaders

For CIOs and CTOs, the strategic message is that identity has become the primary security perimeter, and the operating model has to catch up. That means the identity team is no longer a subfunction of IT operations concerned mainly with provisioning and single sign-on. It is a frontline security capability whose telemetry, staffing, and executive visibility should match its new role as the most-attacked layer in the stack. The reporting lines and budget authority that made sense when identity meant password resets look undersized against a threat landscape where a stolen session is the most common way in.

The reframing is ultimately clarifying. Enterprises have spent years hardening the software supply chain and shrinking their patch windows, and that discipline paid off by pushing attackers toward the human and machine credentials that were never defended as rigorously. The path forward is to extend the same rigor to identity: inventory it, instrument it, and assume it will be targeted. The organizations that internalize the Sophos numbers as a mandate rather than a headline will be the ones that keep a phished credential from becoming a boardroom crisis.

Tagged#news#security#cybersecurity#breach#cisa#ransomware#zero-day#supply-chain#ai-security#identity#credentials#mfa#itdr#phishing#non-human-identity#sophos#ciso#passkeys#session-hijacking#adversary-in-the-middle#identity-security