Sophos State of Ransomware Report: A Step Ahead of Attackers
Sophos has released its annual report analysing the big time cyber disruptor of business operations – ransomware.
The State of Ransomware report by Sophos surveyed IT and cybersecurity leaders across 17 countries to assess the business preparedness against this threat and what collective defence looks like.
Accounting for four in five ransomware intrusions at 79%, identity is the biggest initial access vector (IAV), the report reveals.
Breaking the record held by exploited vulnerabilities, for the first time in four years they are no longer the most common root cause, as malicious email (26%) and phishing (24%) steal the top spots.
But vulnerabilities still have bigger price tags attached to them. Data shows that 59% of ransom demands that start with an exploited vulnerability on the firewall go for US$1m or more. This is in comparison to 48% of all attacks.
āAs we see ransomware criminals experiment with AI, it has the potential to accelerate their ability to steal valuable assets, hold them hostage and do it at a scale that exceeds their previous capability,ā says Ross McKerchar, Chief Information Security Officer at Sophos.
“This speed requires careful round-the-clock monitoring of the most exploited means of entry, which our data shows to be stolen and compromised valid accounts.
“However, the improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities.
“Defenders cannot rely on patching alone to keep pace, so reducing external exposure and maintaining strong endpoint protection is essential.”
The ransomware landscape
An overwhelming majority of ransomware victims (67%) say that ransomware incident was also their biggest identity attack, revealing the invisible link between identity compromise as a primary ransomware delivery mechanism.
Data encryption is another striking figure, with 56% of attacks successful in encrypting data. This mix includes 16% of cases where data was both encrypted and stolen.
Looking at past trends, the success rate of encryption is up from 2025, when it was 50%, but still much lower than the 75% peak it touched back in 2023.
The attractiveness of encryption to attackers is in the fact that they have a 50-50 chance of being paid ransom when business data is encrypted. The four year average ransom payment rate hence stands at the perfect divide of 50%.
As a small business with 100-250 employees, the risk is higher as only 34% of such organisations were able to stop attacks before encryption or extortion.
The improvement of unguarded open-weight AI models will give attackers a growing advantage in finding and exploiting software vulnerabilities
Of all the countries, the UK had the highest median ransom demand recorded at US$2.5m.
How to stay safe from ransomware?
For all the community stresses about the importance of multi-factor authentication (MFA), 97% of incidents where compromised credentials led to the intrusion already had MFA deployed. The verdict is clear, MFA alone is not going to stop ransomware.
With identity being the most common cause of entry, the report notes that organisations should prioritise Identity Threat Detection and Response (ITDR) frameworks, reinforce phishing-resistant MFA across all access points and regularly audit both human and non-human identities.
Back-up and recovery infrastructure is a necessity and it needs to be tested regularly, stored offline or in immutable formats and must be integrated into the organisationās incident response plan.
Rigorous patching schedules, prioritising the organisationās internet-facing assets can help them stay ahead, with AI-assisted tools that can help them identify and remediate vulnerabilities sooner.
One key thing not to forget is the firewall itself. Enterprises should ensure that their firewall receives rapid updates, which are ideally automated. These can then be hooked on to MDR and XDR solutions to enable firewall telemetry that can detect ransomware attacks before payloads are deployed.
āOrganisations have strengthened their ransomware resilience in the past year and those investments are largely paying off,ā the Sophos CISO notes.
- Accounting for four in five ransomware intrusions at 79%, identity is the biggest initial access vector (IAV)
- 59% of ransom demands that start with an exploited vulnerability on the firewall go for US$1m or more
- 56% of attacks were successful in encrypting data
- 97% of incidents where compromised credentials led to the intrusion already had MFA deployed
“However, ransomware continues to cost organisations millions. As AI becomes more capable, attackers will be able to enumerate identity misconfigurations and weak points across organizations far more cheaply and quickly than before.
“Organisations can no longer rely on complexity or obscurity to hide gaps in their environment.
“The same technology also gives defenders an opportunity to find and fix those gaps faster, but only if prevention, detection and response work together as part of a unified cybersecurity strategy.”




