Identity Attacks Surge as Ransomware Groups Proliferate
Event summary
- 67% of incidents investigated by Sophos in 2025 were rooted in identity-related attacks, up from previous years.
- Median attacker dwell time fell to three days, driven both by faster attacker movement and by faster defender response.
- Akira and Qilin were the most active ransomware brands; 51 distinct brands were observed in total.
- 88% of ransomware payloads were deployed outside business hours, making the timing of deployment a key factor for detection and response.
- Cases in which investigators found logs missing because of retention gaps doubled over the past year, undermining both detection and investigation.
The big picture
The 2026 Sophos Active Adversary Report highlights a strategic shift: identity-based attacks have overtaken exploitation of software vulnerabilities as the primary initial access vector. The growth in the number of ransomware groups and the persistence of off-hours deployments underscore the need for continuous monitoring and proactive identity security measures. As the threat landscape expands, organizations must prioritize telemetry coverage and rapid response to keep pace with evolving tactics.
What we're watching
- Identity security: how organizations will adapt to the surge in identity-related attacks, particularly through stronger MFA and telemetry improvements.
- Ransomware evolution: whether the proliferation of ransomware groups will lead to more sophisticated attacks or to fragmented capabilities.
- Defensive capabilities: the pace at which organizations can implement 24/7 monitoring and retain critical security logs to improve detection and response.
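Two of the findings above translate directly into detection logic: high-risk identity and endpoint events that land outside business hours deserve immediate attention, and a log source that stops reporting is itself a finding. The following is an added example, not code from Sophos or from the report; the event format, the list of high-risk event names, the sample events, the business timezone and the working-hours window are all constructed assumptions for illustration.

```python
"""Flag high-risk identity/endpoint events that occur outside business hours,
and report log sources that have gone silent.

Added example. The event format, HIGH_RISK names, business-hours window and
sample events below are assumptions, not part of the Sophos report.
"""
from datetime import datetime, timedelta, timezone

# Assumed: the organisation works Mon-Fri 08:00-18:00 local time.
# A fixed UTC-5 offset is used here for portability; in production use
# zoneinfo.ZoneInfo("America/New_York") so daylight-saving shifts are handled.
BUSINESS_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = 8, 18  # [start, end) in local hours

# Assumed canonical event names; real telemetry would map vendor IDs onto these.
HIGH_RISK = {"mfa_method_added", "privileged_group_add",
             "service_install", "mass_file_rename"}

# Constructed sample telemetry: "<ISO8601 UTC> <source> <user> <event>".
# 2025-11-14 is a Friday, 2025-11-15 a Saturday, 2025-11-17 a Monday.
SAMPLE_EVENTS = [
    "2025-11-14T09:00:00Z firewall - policy_change",
    "2025-11-14T15:12:03Z idp jdoe logon_success",          # Fri 10:12 local
    "2025-11-14T16:40:00Z idp jdoe mfa_method_added",       # Fri 11:40 local
    "2025-11-15T06:55:10Z idp svc_backup privileged_group_add",  # Sat 01:55 local
    "2025-11-15T07:10:44Z edr srv-file01 mass_file_rename",      # Sat 02:10 local
    "2025-11-17T12:30:00Z idp jdoe logon_success",          # Mon 07:30 local
    "2025-11-17T23:05:00Z edr ws-042 service_install",      # Mon 18:05 local
]

# Assumed "current time" used for the silence check.
NOW_UTC = datetime(2025, 11, 18, 12, 0, 0, tzinfo=timezone.utc)


def parse_event(line: str) -> dict:
    """Parse one constructed event line into a dict with an aware UTC timestamp."""
    ts, source, user, event = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "source": source, "user": user, "event": event}


def is_business_hours(ts_utc: datetime) -> bool:
    """True if the instant falls on Mon-Fri within [BUSINESS_START, BUSINESS_END) local time."""
    local = ts_utc.astimezone(BUSINESS_TZ)
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def off_hours_alerts(lines) -> list:
    """Return one alert string per high-risk event seen outside business hours."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev["event"] in HIGH_RISK and not is_business_hours(ev["ts"]):
            alerts.append(f"{ev['ts'].isoformat()} {ev['user']} {ev['event']} "
                          f"({ev['source']}) outside business hours")
    return alerts


def silent_sources(lines, expected, now_utc=NOW_UTC,
                   max_gap=timedelta(hours=24)) -> list:
    """Return expected log sources that have sent nothing within max_gap of now_utc."""
    last_seen = {}
    for ev in map(parse_event, lines):
        prev = last_seen.get(ev["source"], ev["ts"])
        last_seen[ev["source"]] = max(prev, ev["ts"])
    return sorted(s for s in expected
                  if s not in last_seen or now_utc - last_seen[s] > max_gap)


if __name__ == "__main__":
    for alert in off_hours_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print("SILENT:", silent_sources(SAMPLE_EVENTS, {"idp", "edr", "firewall", "dc-audit"}))
```

On the sample data this flags the Saturday group change and mass rename and the Monday 18:05 service install (the window is half-open, so 18:00 local already counts as off-hours), while the 07:30 Monday logon is off-hours but not high-risk and is left alone. The silence check reports the firewall, whose last event is more than 24 hours old, and the dc-audit source, which never reported at all; the latter is the retention-and-coverage gap the report warns about, and it is only detectable if you maintain an explicit list of sources you expect to hear from.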