May 26, 2026 Swedish eTrade platform signs an agreement for vulnerability scanning
May 21, 2026 Swedish software producer signs agreement for continuous pentesting
May 20, 2026 Swedish CRM producer signs an agreement for continuous penetration testing
May 16, 2026 eBuilder signs an agreement for SOC/MDR with a TechHub
May 11, 2026 eBuilder signs an agreement for SOC/MDR and automated pentests with a company in the publishing business
May 8, 2026 eBuilder signs a pentest agreement with a leading petrochemical producer
April 8, 2026 eBuilder signs an agreement for MDR/SOC with a hotel business.
March 13, 2026 eBuilder signs an agreement for SOC-operations with a Swedish municipality.
Company News
Ransomware

Email Overtakes Software Flaws as the Top Ransomware Root Cause

Date July 17, 2026 / 5 Min Read

For the first time in four years, exploiting a software flaw is not the most common way ransomware gets into an organisation. Malicious email and phishing have taken the top spot, according to the State of Ransomware 2026 report Sophos published on 15 July. Together the two email-based vectors account for half of all incidents in the survey while exploited vulnerabilities fell to 18 percent, down from 32 percent a year earlier.

The figures come from a survey of 2,158 IT and security leaders across 17 countries, all of them at organisations hit by ransomware in the past 12 months. Malicious email was the root cause in 26 percent of cases and phishing in 24 percent. Compromised credentials held third place at 23 percent. Brute-force attacks stayed flat at 6 percent.

The 97 Percent That Should Worry Every Board

The detail that stands out sits inside the credential-theft number. Where stolen credentials were the way in, 97 percent of those victims already had multifactor authentication deployed in some form when they were breached. MFA was present and it did not stop the attack.

Two-thirds of victims, 67 percent, said the ransomware incident was the same event as the most serious identity attack they faced all year. Sophos puts the share of attacks that began with an identity-based approach at 79 percent. Identity, not the unpatched server, is now the front door.

Read the MFA Number Carefully

It would be easy to read “97 percent had MFA and were breached anyway” as proof that MFA is theatre. The data says something narrower. Sophos’s own incident-response arm, reporting separately in the 2026 Active Adversary Report on 661 real cases its analysts remediated, found MFA missing exactly where it mattered in 59 percent of them. SaaS accounts were usually covered but VPNs, firewall admin consoles and legacy applications often were not. The gap, not the control, is what attackers walked through.

There is a second gap the report is quieter about. The most common second factors victims had in place were one-time passwords and push notifications, both of which a competent phishing kit can defeat in real time. FIDO2 hardware tokens, the one method built to resist phishing, ranked only fourth. Sophos stopped short of naming a preferred type of MFA. The numbers make the case it did not, phishable MFA deployed unevenly is not the same defence as phishing-resistant MFA deployed everywhere.

Worth keeping in mind that this is a vendor survey and Sophos sells identity threat detection, email filtering, awareness training and zero-trust access, so every recommendation in the report maps neatly to a product it offers. What stops it from being pure marketing is that the survey and the incident-response data, gathered by different methods, point the same way. When self-reported victim numbers and forensic case data agree, the trend is real regardless of who is selling.

Where the Attacks Actually Land

The report maps initial compromise locations for the first time. Exposed applications and systems accounted for 38 percent, user devices 30 percent, firewalls 21 percent, VPNs 8 percent and IoT devices 3 percent. Firewalls punch above their weight on cost, when an attack starts by exploiting a firewall flaw, 59 percent of the ransom demands run to a million dollars or more, against a 48 percent baseline across all attacks. A compromised firewall hands over the whole network and the demands reflect it.

What Changes on Monday

Start with coverage, not new tools. Audit every authentication point, VPNs, firewall consoles, remote-access gateways and legacy apps included and confirm MFA is actually enforced on each one rather than assumed. Move privileged and remote access to FIDO2 or passkeys. Because email is now the number-one entry point, DMARC, DKIM and SPF plus regular phishing training belong at the top of the budget, not the bottom.

Chet Wisniewski, global field CISO at Sophos, told Dark Reading the best-performing organisations practise what he calls aggressive defence in depth. “Every layer of defense, even if it can be bypassed, is a speed bump, an alert or a potential clue to trigger a threat hunt,” he said, pointing to segmentation, zero-trust network access in place of legacy VPNs and round-the-clock detection and response. None of it is new. Most of it is still not done.

The Compliance Clock Is Already Running

For Swedish organisations this is not just operational advice. Cybersäkerhetslagen, Sweden’s transposition of the EU NIS2 Directive, entered into force on 15 January 2026 and requires in-scope entities to run cybersecurity risk-management measures that explicitly include MFA, access control and incident handling. Registration with MCF (formerly MSB) opened in February. Essential entities face fines of up to 10 million euro or 2 percent of global turnover, important entities up to 7 million euro or 1.4 percent. A phishing-led threat picture moves email filtering and staff awareness training from good practice into evidence a supervisory authority may one day ask to see.

The organisations losing this fight are the smaller ones. Only 34 percent of firms with 100 to 250 employees stopped an attack before their data was encrypted, against 46 percent at companies ten times their size. Scale is buying defensive outcomes that smaller teams cannot match on headcount alone. For them, closing the MFA coverage gap is not the advanced option. It is the cheapest one still available.

References

  1. Identity Attacks Overtake Exploits as Top Ransomware Cause
  2. The State of Ransomware 2026: Payments Drop as Encryption Climbs
  3. New Cybersecurity Act enters into force in Sweden

This post is also available in: Svenska