Daylila

Cybersecurity · Thursday, 16 July 2026

01 · Briefing · what happened

The password beat the exploit — stolen logins are now the top way ransomware gets in

Cybersecurity 5 min 43 sources

New survey data shows the share of ransomware break-ins that start with a software flaw fell by nearly half, while attacks that start with a stolen or guessed login now dominate — and even accounts with a second lock kept falling.

Key takeaways

  • Stolen and guessed passwords have overtaken software flaws as the top way ransomware gets into a network — the attack moved to the cheaper route.
  • Even accounts with a second login check kept falling, because the check was incomplete or the weaker kind; turn it on everywhere and prefer an app or passkey over text-message codes.
  • Software exploits still matter — a heavy patch week included actively exploited SonicWall and Windows zero-days — but the everyday risk to most people is a reused or leaked password.

For years the story of a ransomware attack was a clever exploit: someone found a hole in your software and slipped through before it was patched. That is no longer the main way in. New figures suggest attackers have quietly switched to the cheaper route — logging in with a password they stole or guessed.

The front door is now a password

Ransomware is malware that locks up an organisation’s files and demands payment to unlock them. According to a survey of 2,158 cybersecurity leaders run by the security firm Sophos, the way that malware first gets onto the network has shifted sharply [10][12].

The share of ransomware attacks that began with an attacker exploiting a known software flaw fell from 32% in 2025 to 18% this year [10]. Meanwhile, phishing — tricking someone into handing over a login, usually through a fake email — was the starting point in 24% of cases, up from 18% [10]. Brute-force attacks, where software guesses weak or common passwords by trial and error, accounted for another 23%, and stolen credentials for a further 23% [10][12]. Add the login-based methods together and they now dwarf software exploits.

The most uncomfortable finding sits underneath that number. In 97% of the cases where a compromised login was the root cause, the account already had multi-factor authentication turned on — a second check beyond the password, like a code or a tap on your phone [12]. It failed anyway. Sophos suggests the problem was not the idea of a second lock but the gaps in it: coverage that missed some accounts, or a weaker form of it that attackers could work around [12]. Its own advice was to enforce that second check across every access point and to keep a full inventory of who — and what — can log in [12].

For an ordinary person, the lesson is the same at home. Turn on that second check everywhere it is offered, prefer an app or a passkey over a text-message code, and stop reusing passwords — a login leaked from one old site is exactly the cheap key attackers reach for.

Where the cheap keys come from

Stolen logins are cheap because there is an industry that produces them. Researchers this week described a long-running phishing operation that rotates its bait with the calendar — tax and benefits themes in winter, greeting-card invitations in spring — across 959 fake domains [23]. A victim who clicks is quietly screened, shown a fake greeting-card page, and after a three-second delay served a download that installs remote-control software on their machine [23].

Law enforcement is going after the supply side too. US prosecutors this week charged several Russian individuals and firms accused of running cybercrime services for hire — the paid tools and infrastructure that let others break in [15]. Treating the break-in as a marketplace, rather than a lone genius, is closer to how it actually works.

The expensive route is still open

None of this means software flaws are safe to ignore — the pricier path is still being walked. SonicWall, which makes network security appliances, warned that attackers were actively exploiting two zero-day flaws in its products before a fix existed; a zero-day is a hole the maker does not yet know about, so there is no patch and attackers have a clear run [5]. Researchers at Rapid7 said the two flaws were first exploited on June 22 and appeared aimed at planting ransomware [5]. The US Cybersecurity and Infrastructure Security Agency (CISA), the government’s cyber-defence body, added both to its list of flaws known to be under attack [5].

It was a heavy patch week generally. Microsoft shipped fixes for a record 622 vulnerabilities, including two already being exploited [1]. Separately, researchers published a Windows zero-day that lets a low-privilege user hijack an administrator’s account by tampering with a registry setting — no need to be an admin yourself [20]. CISA also urged administrators to patch actively exploited flaws in SharePoint, Microsoft’s document-sharing server; the watchdog group Shadowserver counts nearly 10,000 exposed SharePoint servers online, with more than 800 still unpatched [21]. Fortinet, Ivanti and ServiceNow together fixed 15 flaws, including a critical bug in ServiceNow’s AI platform that a remote attacker could use to run code with no login at all [2]. Chrome and Firefox pushed critical browser fixes as well [1][3].

When the bill comes due

The cost of a breach often lands long after the break-in — and on people who were never in the room for the security decisions. The law firm WilmerHale was hit with a class-action lawsuit this week over a cyberattack that allegedly exposed names and Social Security numbers; the plaintiff called it “massive and preventable” [14]. The firm said an unauthorised third party targeting the legal industry obtained a limited set of information and did not directly access its network [14].

The most under-reported story of the week was also the most sobering. Reuters reported that documents relating to Kudankulam, India’s largest nuclear power plant, were exposed in a data breach — including an insurance policy and material that researchers said could help an adversary map the plant’s support systems and suppliers [9]. No safety systems were reported affected, and it is the second cyber incident linked to the plant since malware tied to a North Korean group was found on its administrative network in 2019 [9]. India now ranks third in the world for accounts exposed in breaches, with 28.9 million last year, and one Indian survey found 73% of organisations were unaware whether they had ever been attacked [9].

02 · Lesson · why it matters

You don't have to be unbreakable. You have to be expensive.

Attackers don't pick the hardest target or the cleverest trick — they pick the cheapest way in that still works.

The clever hacker is mostly a myth

Picture a break-in and you probably picture skill: someone finding a flaw nobody else spotted, slipping through before anyone can react. That story sells films. It is not what the numbers show. This year, the most common way ransomware got onto a network was not a genius exploit. It was a password — stolen from an old leak, or simply guessed because it was weak.

The share of attacks that started with a software flaw fell by nearly half. The share that started with a login rose to take its place. The front door isn’t being picked. It’s being unlocked with a key someone bought cheap.

Attackers are economists

To understand why, stop thinking of the attacker as a hacker and start thinking of them as a buyer. They have costs — time, tools, skill — and a payoff they’re chasing. Like any buyer, they take the option with the best return.

Finding a fresh software flaw and turning it into a working break-in is expensive. It takes rare skill, and the moment it’s used it starts to rot, because someone patches it. A stolen password is the opposite: cheap, sold in bulk from years of old breaches, and often still working because people reuse them. When defenders made the expensive route more expensive — patching faster, hardening systems — the attacks didn’t stop. Buyers simply switched to the cheaper input. Raise the price of one route and demand moves to the next-cheapest. The market doesn’t shrink; it substitutes.

So perfect is the wrong goal

Here is where it turns useful. If attackers buy the cheapest way in that works, then defence was never about being impossible to breach. Nothing is. It’s about not being the cheapest thing on the shelf.

A second lock on your account — a code, a tap on your phone, a passkey — does not make you unbreakable. What it does is raise the price of coming through you above the payoff, or above the cost of the account sitting next to yours. And that is usually enough. The attacker isn’t personally interested in you. They’re comparing prices. Cost more than you’re worth, and they move on to someone who costs less. Security is pricing, not perfection.

But a price is only as high as its cheapest gap

There’s a catch, and the data makes it sharp. In nearly every break-in that began with a stolen login, a second lock was already there. It still failed. Not because the idea was wrong, but because the lock was partial — bolted to the front door and forgotten on the side one, or a weaker version an attacker could slip around.

That’s the trap. You are only as expensive as your cheapest open door. One account left on the old, low price sets the price of the whole estate, because the buyer always shops your minimum. “I have a second lock” is not the finish line. “Every door has one, and it’s the strong kind” is. Fortifying the door that was already dear feels like progress and changes nothing — the attacker was never going to use it.

You are a price in this market

It’s tempting to read all this as a story about companies. It isn’t only that. Your reused password, your email with no second check, the text-message code that can be intercepted — each is a number in the same market, and your habits set how low it is. You don’t get to opt out of being priced. Everyone with an account is on the shelf.

The question quietly changes from “am I a target?” to “am I cheap?” And the answer is mostly in ordinary moves — a second check on every account, a different password for each, a passkey where it’s offered. None of them makes you safe. Each of them makes you cost more than you’re worth to whoever’s shopping.

Someone else set your starting price

Notice, too, what was decided before you arrived. Whether your account even offers a second lock, and whether it’s the strong kind or a weak text-message code, is mostly chosen by the company that built the service — often shipped off by default, or offered only in the flimsy version. Those defaults set your opening price without asking you. It suits the maker: fewer support calls, faster signups. It can still leave you cheaper than you would have chosen. Seeing that isn’t blame. It’s noticing that the answer to “how expensive am I?” was partly written by someone who will never meet you.

The honest goal is smaller than safety

No single account holder can see this whole market — where the leaked passwords circulate, what a working login sells for this week, which door someone forgot to lock. Neither can the best security team. The system is too wide, and everyone sits inside it, holding one corner.

So the honest aim isn’t to be safe, which no one can promise. It’s to cost more than you’re worth to whoever happens to be shopping — a smaller, truer goal than “unbreakable,” and one worth holding loosely, because the price of coming after you is set in a market you’ll never fully see.

03 · Lab · your turn

Set Your Price

Rehearse defending your accounts by raising your cheapest way in above what you're worth — attackers shop the minimum, so perfection isn't the goal, being expensive is.

04 · Hope · carry this

Attackers switched to cheap stolen passwords because the harder way in got harder — quiet proof that years of patching and hardening have been working. And pricing yourself off the shelf takes nothing clever: a second lock and a different password, turned on everywhere, done fully.

Across the beats