Sophos' State of Ransomware 2026 report shows that email and phishing identity attacks now account for half of ransomware causes, pushing out vulnerability exploits. Despite MFA being present in 97% of credential‑based cases, breaches still occurred.

Key Takeaways

  • Identity‑based email and phishing now cause 50% of ransomware incidents
  • MFA was deployed in 97% of credential‑compromise cases yet did not stop attacks
  • Future defenses must prioritize Identity Threat Detection & Response (ITDR)

Sophos’ State of Ransomware 2026 report reveals a decisive shift: identity‑focused attacks have eclipsed traditional vulnerability exploits as the primary ransomware entry point. The survey of 2,158 IT and cybersecurity leaders across 17 countries found malicious email (26%) and phishing (24%) displaced vulnerabilities (18%) as the top root causes.

Identity Becomes the Dominant Vector

Two‑thirds (67%) of respondents said the ransomware incident they experienced was their most significant identity attack of the year, underscoring how threat actors now bypass patching by directly compromising user credentials through social engineering.

Why MFA Didn’t Stop the Breach

Surprisingly, MFA was in place for 97% of the cases where compromised credentials drove ransomware. Sophos cites two explanations: incomplete MFA rollout across all critical assets, leaving exploitable gaps, and the evolution of sophisticated bypass techniques that can neutralize even strong second‑factor methods such as OTPs, push‑based apps, and passkeys.

Beyond Patching: A New Defensive Playbook

The report urges organizations to adopt Identity Threat Detection and Response (ITDR), enforce MFA universally, and conduct regular audits of both human and machine identities. Complementary controls—zero‑trust network access (ZTNA), network segmentation, and 24/7 threat detection—create “speed bumps” that slow attackers and generate alerts for rapid threat hunting.

Conclusion

As ransomware pivots toward identity abuse, relying solely on vulnerability management is no longer sufficient. A layered, identity‑centric security strategy, anchored by comprehensive MFA deployment, continuous monitoring, and aggressive defense‑in‑depth, is essential to mitigate the evolving threat landscape.