Phishing is now the main entry point for ransomware
Phishing has overtaken all other vectors as the leading entry point for ransomware, cited by 35 percent of affected organizations, up sharply from 25 percent in 2024.
This is one of the findings of a new report from SpyCloud which also shows that 85 percent of organizations were affected by ransomware at least once in the past year, with nearly a third (31 percent) reporting six to 10 ransomware events in the last year.
The findings reflect the growing sophistication of phishing-as-a-service (PhaaS) and the use of adversary-in-the-middle (AitM) techniques to bypass multifactor authentication (MFA) and hijack active sessions.
“Phishing can no longer be seen as just a nuisance; it’s a primary launching point for ransomware and other identity-based attacks,” says Trevor Hilligoss, SpyCloud’s head of security research. “Attackers are using phishing kits to steal session cookies, bypass MFA, and impersonate users with alarming accuracy. The growth of commoditized tactics like PhaaS has made these capabilities available to even low-skill threat actors, which is why we’re seeing such a sharp spike in ransomware incidents tied directly to phishing. Organizations need real-time insight into the identity data these actors are harvesting -- and they need the ability to act on it.”
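The session-hijacking pattern described above leaves a trace a defender can look for: a session cookie that satisfied MFA from one device is later presented from a different source address or client. The following detector is an added example, not code from the report or from SpyCloud; the pipe-separated log format, the field names and the `login_mfa_ok` event name are assumptions, and the log lines are constructed.

```python
"""Flag session IDs replayed from a source other than the one that completed MFA.
Added example: log format, field names and sample lines are all assumed/constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: ts|user|session_id|src_ip|user_agent|action
# sess-7a1 completes MFA from a Windows browser, then the same cookie is replayed
# from another IP by a scripted client, which adds a mail-forwarding rule.
SAMPLE_LOG = """\
2025-06-01T09:00:00Z|alice|sess-7a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|login_mfa_ok
2025-06-01T09:00:05Z|alice|sess-7a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|GET /mail
2025-06-01T09:03:12Z|alice|sess-7a1|198.51.100.77|python-requests/2.31|GET /mail
2025-06-01T09:04:40Z|alice|sess-7a1|198.51.100.77|python-requests/2.31|POST /mail/forwarding-rule
2025-06-01T10:00:00Z|bob|sess-c44|192.0.2.25|Mozilla/5.0 (Macintosh) Safari/17|login_mfa_ok
2025-06-01T10:20:00Z|bob|sess-c44|192.0.2.25|Mozilla/5.0 (Macintosh) Safari/17|GET /files
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str
    src_ip: str
    user_agent: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, ua, action = line.split("|", 5)
        # 'Z' suffix is only accepted by fromisoformat on newer Pythons; normalise it.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, session, ip, ua, action))
    return sorted(events, key=lambda e: e.ts)


def find_session_reuse(text: str, window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one alert per request whose session ID was issued, within `window`,
    to a different (source IP, user agent) pair than the one that passed MFA."""
    baseline: dict[str, Event] = {}   # session id -> the MFA-completed login event
    alerts = []
    for ev in parse_log(text):
        if ev.action == "login_mfa_ok":
            baseline[ev.session] = ev
            continue
        origin = baseline.get(ev.session)
        if origin is None or ev.ts - origin.ts > window:
            continue   # unknown or expired session: not this detector's job
        reasons = []
        if ev.src_ip != origin.src_ip:
            reasons.append(f"ip {origin.src_ip}->{ev.src_ip}")
        if ev.user_agent != origin.user_agent:
            reasons.append(f"ua {origin.user_agent!r}->{ev.user_agent!r}")
        if reasons:
            alerts.append({"ts": ev.ts.isoformat(), "user": ev.user,
                           "session": ev.session, "action": ev.action,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

The baseline is deliberately the event that completed MFA, because with an AitM proxy that is the point at which the attacker obtains the cookie; a change of IP or client after it is the signal. Mobile users legitimately change IP, so in production the IP comparison is usually relaxed to ASN or country while the user-agent comparison stays strict, and the login IP itself is separately compared with the user's known devices, since a proxied login arrives from the phishing infrastructure rather than the victim.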
The rise of AI is also a concern with 92 percent of respondents acknowledging increased risk from AI-powered threats, yet only 47 percent using AI in their own security operations.
Infostealer malware remains a significant enabler of identity-based threats. The research finds that nearly half of corporate users have been the victim of an infostealer infection on either a personal or corporate device at some point in their digital history, and that 66 percent of malware infections occurred on devices that had antivirus or EDR tools installed. Yet despite the scale of the threat, only 50 percent of organizations have visibility into infostealer infections on managed devices, and even fewer (48 percent) can detect them across both managed and unmanaged endpoints.
Despite growing awareness of ransomware and other infostealer-driven threats, many organizations still struggle to respond effectively. Some 86 percent of leaders say they are confident in their ability to prevent ransomware, yet 85 percent were impacted by such incidents in the past year. Just 35 percent have workflows in place to remediate identity exposures, and only 33 percent have protocols in place for investigating identity-related incidents.
“Today’s threats are not limited to external actors. They often come from within, whether through malicious intent or compromised insiders,” says Damon Fleury, chief product officer at SpyCloud. “From phished employees to contractors using exposed credentials, insider threats are frequently enabled by identity exposures that security teams cannot see. This report makes it clear that organizations need to move beyond reactive, behavior-based defenses and adopt holistic identity protection strategies that close visibility gaps and neutralize risks before they can escalate.”
The full report is available from the SpyCloud site.