Jessica Entwistle
July 16 2026
New research published by Dark Reading on 15 July 2026 shows that identity-based attacks, primarily through compromised credentials and phishing, have overtaken software vulnerabilities as the most common root cause of ransomware incidents. The analysis, based on incident response data from 2025, found that email-based credential theft and abuse of legitimate access now account for the majority of successful ransomware deployments. Significantly, the research also found that multifactor authentication was deployed in 97 per cent of cases where credentials were used to gain access, but still failed to prevent compromise, often due to MFA fatigue attacks, legacy protocols that bypass MFA, or attackers using session tokens rather than passwords.
This represents a significant shift in how ransomware groups are operating and what organisations need to prioritise in their defences. Rather than spending time finding and exploiting unpatched vulnerabilities, attackers are increasingly focusing on stealing or tricking users into handing over legitimate credentials, then using those credentials to move through an environment in ways that look like normal business activity. The fact that MFA was present in nearly all cases but did not stop the attack highlights that identity security is about more than just enabling a second factor. It requires understanding how authentication is enforced across different systems, whether legacy access routes still exist, and whether monitoring is in place to detect unusual patterns of legitimate credential use. For UK businesses, this means that investment in patching and vulnerability management, while still important, needs to be balanced with stronger focus on identity protection, user awareness and detection of credential abuse.
Organisations should review how identity is protected beyond the initial login. Consider whether MFA is enforced consistently across all access methods, including VPN, remote desktop, cloud applications and administrative access. Check whether legacy authentication protocols such as basic authentication or NTLM have been disabled where possible. Review whether there is visibility into how credentials are being used after authentication, including monitoring for unusual access patterns, access from unexpected locations, or access to systems that a user does not normally use. This is also a reminder that user awareness of phishing and social engineering remains a critical layer of defence, and that training should focus on helping users recognise and report suspicious requests for credentials or MFA approval. For organisations that have experienced a rise in MFA fatigue attacks, consider whether policies around MFA prompts need to be reviewed or whether number matching or other anti-fatigue controls should be implemented.
Source: Dark Reading