A new report from Sophos, The State of Ransomware 2026, paints a picture of a threat landscape in flux. Based on responses from 2,158 IT and security leaders across 17 countries, the seventh annual survey shows organisations paying less to attackers, recovering data faster, and negotiating harder even as the overall cost and frequency of successful breaches continue to climb.
Email, not bugs, is the new front door
For three years running, exploited software vulnerabilities were the top cause of ransomware attacks. That’s no longer true. This year, malicious email (26%) and phishing (24%) overtook technical exploits (18%) as the leading entry points. Compromised credentials remained a steady factor at 23%. Altogether, 79% of attacks began with some form of identity-based intrusion stolen or abused login credentials making identity security, not just patching, the new frontline of defence.
Reinforcing this, two-thirds of victims (67%) said their ransomware incident was the very same event as their most significant identity breach. Even more strikingly, 97% of organisations hit through compromised credentials already had multi-factor authentication turned on somewhere in their environment proof that MFA alone isn’t a silver bullet unless it’s deployed comprehensively.
Attacks are succeeding more often
After two years of improvement, encryption success rates ticked back up to 56%, from a low of 50% in 2025. Sixteen per cent of victims had data both encrypted and stolen a dangerous combination that gives criminals extra leverage. Firewalls proved valuable early-warning tools: when they flagged an attack before ransomware was deployed, encryption succeeded only half the time, compared with 71% when firewalls missed it entirely.
Smaller payments, faster recoveries
The financial picture is more encouraging. The median ransom demand fell sharply to $698,000, down 65% over two years, and the median payment dropped to $769,000. Victims are also getting tougher negotiators; 51% paid less than the original demand. Backup-based recovery surged to 66% of encrypted-data cases, up from 54% last year, while just 48% of victims felt compelled to pay a ransom at all, the lowest rate in three years.
Yet recovery itself isn’t cheap: the average cost to clean up after an attack, excluding any ransom, hit $1.7 million, an 11% jump from 2025.
The human toll
Perhaps the report’s most sobering finding: 99% of organisations that suffered an encryption incident reported lasting effects on their security teams, ranging from rising anxiety (41%) to leadership shake-ups (21%). One bright spot: recognition from senior leadership rose to 36%, suggesting boardrooms are finally paying closer attention.
Sophos’s takeaway is clear: as AI accelerates both attacks and defences, organisations that unify identity protection, email security, and backup resilience rather than treating them as separate problems will be best positioned for the fights ahead.
