Fake Emails Now Beat Software Flaws as the Number-One Way Ransomware Gets In
A Sophos survey of more than 2,000 organisations hit by ransomware finds that phishing and malicious emails now cause half of all attacks, while stolen passwords are defeating even multi-factor authentication at an alarming rate.

Key points
- Sophos surveyed 2,158 IT and security leaders across 17 countries in organisations hit by ransomware in the past year, publishing results in its State of Ransomware 2026 report.
- Malicious email (26%) and phishing, where criminals send fake emails to trick staff into handing over passwords (24%), together caused half of all ransomware attacks surveyed.
- Exploiting software flaws fell from the top cause three years running to third place, dropping from 32% to 18% of attacks.
- Stolen login credentials caused 23% of attacks, and 97% of those victims already had multi-factor authentication switched on.
- 67% of ransomware victims said the attack was also the most serious identity-related incident they suffered that year.
For three years running, criminals broke into company networks by finding and exploiting unpatched software flaws. That era appears to be over.
Sophos, the cybersecurity company, published its State of Ransomware 2026 report this week. The findings, first reported by Dark Reading, are drawn from a survey of 2,158 IT and security leaders in organisations that suffered a ransomware attack, meaning an attack where criminals lock a company's files and demand payment to restore them, over the past year. Those organisations spanned 17 countries.
The headline shift: phishing and malicious emails now account for half of all ransomware entry points. Software vulnerabilities, long the dominant route in, fell sharply from 32% to 18%.
Why are stolen passwords beating multi-factor authentication?
Stolen login credentials caused 23% of attacks, making them the third most common entry point. What makes that figure striking is that 97% of those victims already had multi-factor authentication, commonly known as MFA, switched on. MFA is the extra step that asks users to confirm their identity a second way, such as approving a notification on their phone, after entering a password.
Sophos offers two explanations. First, MFA may not have been switched on across every system, leaving gaps. Second, criminals are developing ways to bypass certain types of MFA, particularly push-based methods where a user simply taps "approve" on a phone notification.
The most attack-resistant form, FIDO2 hardware tokens, which are physical keys that generate a code no fake website can copy, ranked only fourth in how commonly victims had deployed it.
"Every layer of defence, even if it can be bypassed, is a speed bump, an alert, or a potential clue to trigger a threat hunt," Chet Wisniewski, director and global field CISO at Sophos, told Dark Reading.
Sophos recommends organisations deploy MFA everywhere without exception, run regular checks on which accounts have access to what, and invest in identity threat detection, a discipline focused on spotting when a legitimate account is being used suspiciously rather than waiting to catch malware.
What affected employees and customers should do. If you work at an organisation, be sceptical of any email asking you to click a link or enter a password, even if it looks official. Report anything odd to your IT team. If you receive a breach notification letter from a company, change any password you share with that service elsewhere, and watch your bank statements and credit file for unusual activity over the next 12 months.



