An employee opens an email that looks like any other, clicks a link, and gives up a password without noticing. A stolen login opens a door deeper in the network. Files stop opening a few days later.
That chain now sits at the front of most ransomware cases. Malicious email and phishing together account for half of all incidents, based on a survey of 2,158 IT and security leaders whose organizations were hit in the past year. Sophos commissioned the research and gathered the answers early in 2026.
Stolen credentials sit close behind email as a way in. Close to eight in ten attacks opened with an identity-based move, taking a credential or using one already taken. Two-thirds of victims said their ransomware incident was the same event as their worst identity breach.
Where the attackers went
Exploited software flaws led the rankings for three years running. They dropped to 18% this year, down from roughly a third the year before. Attackers leaned on logins and email lures, a cheaper way into the network.
Sophos warns flaw-based attacks could climb again as AI tools find software weaknesses faster.
Among attacks that started with a stolen login, a software flaw, or brute force, exposed internet-facing applications were the most common opening, ahead of user devices and firewalls. Multi-factor authentication was in place for nearly every credential-based attack. Coverage gaps and bypass methods let attackers through anyway.
Victims named a range of reasons for falling to an attack. Security gaps, known and unknown, led the list, ahead of thin staffing and weak protection. Human error was the one operational factor that grew.
The bill after the attack
Recovery costs went up. The average cost to clean up an attack, setting aside any ransom, reached $1.7 million over the past year, a rise of about a tenth on the previous report. The peak from two years back still sits above that. The median ran far lower, which means a handful of expensive cases pull the average up.
Costs spread across a wide range. Close to a fifth of organizations spent somewhere between half a million and a million dollars on cleanup, and a similar share ran into the millions.
Most victims got moving again fast. Over half were running inside a week, and the average recovery held at roughly three weeks.
What victims paid
Ransom demands came down hard. The typical demand landed just under $700,000, close to two-thirds lower across two years. Payments moved the same direction.
The median payment settled at $769,000, down from the year before. Just under half of payments cleared seven figures. Victims talked more of these down, and just over half paid less than the number the attacker first named. The typical settlement came in at close to nine-tenths of the opening demand.
Attackers size the demand to the target. The smallest firms got demands near six figures. The largest enterprises got demands running into the millions. That spread points to reconnaissance before the ransom note goes out.
Willingness to pay splits by sector. Local and state government paid most often, along with media and entertainment firms under pressure to restore public services fast. Retailers paid least, readier to ride out the outage and rebuild.
Backups did the heavy lifting
Backups carried more of the recovery this year. Organizations rebuilt backup systems after letting them slip the year before. Two-thirds of victims with encrypted data pulled their files back from backup, up from a bit over half a year earlier. The share paying a ransom to recover data fell to its lowest point in three years.
Almost every victim with locked files got something back. A small share lost their data for good.
Encryption rose again
Attackers regained ground on encryption. Data got locked in 56% of attacks, the first increase after two years of decline. About one in six cases involved both encryption and theft, which hands an attacker two ways to press for money.
Firewalls caught most of these attacks before the payload went off, and that early warning kept more data intact. The cases where the firewall missed entirely ended with the worst encryption rates.
The people left to clean it up
Ransomware wears on the staff who handle it. Almost every organization with encrypted data reported lasting effects on its security team. Stress about the next attack topped the list, followed by heavier pressure from the top.
One number stands out for careers. The leadership team was replaced after the attack in more than one in five cases.
One effect moved the other way. Recognition from senior leaders rose, the single measured impact that grew from the prior year, as boards paid closer attention after an incident.
Click Here For The Original Source.
