Cybersecurity · Thursday, 16 July 2026
01 · Briefing · what happened
The password beat the exploit — stolen logins are now the top way ransomware gets in
New survey data shows the share of ransomware break-ins that start with a software flaw fell by nearly half, while attacks that start with a stolen or guessed login now dominate — and even accounts with a second lock kept falling.
Key takeaways
- Stolen and guessed passwords have overtaken software flaws as the top way ransomware gets into a network — the attack moved to the cheaper route.
- Even accounts with a second login check kept falling, because the check was incomplete or the weaker kind; turn it on everywhere and prefer an app or passkey over text-message codes.
- Software exploits still matter — a heavy patch week included actively exploited SonicWall and Windows zero-days — but the everyday risk to most people is a reused or leaked password.
For years the story of a ransomware attack was a clever exploit: someone found a hole in your software and slipped through before it was patched. That is no longer the main way in. New figures suggest attackers have quietly switched to the cheaper route — logging in with a password they stole or guessed.
The front door is now a password
Ransomware is malware that locks up an organisation’s files and demands payment to unlock them. According to a survey of 2,158 cybersecurity leaders run by the security firm Sophos, the way that malware first gets onto the network has shifted sharply
The share of ransomware attacks that began with an attacker exploiting a known software flaw fell from 32% in 2025 to 18% this year
The most uncomfortable finding sits underneath that number. In 97% of the cases where a compromised login was the root cause, the account already had multi-factor authentication turned on — a second check beyond the password, like a code or a tap on your phone
For an ordinary person, the lesson is the same at home. Turn on that second check everywhere it is offered, prefer an app or a passkey over a text-message code, and stop reusing passwords — a login leaked from one old site is exactly the cheap key attackers reach for.
Where the cheap keys come from
Stolen logins are cheap because there is an industry that produces them. Researchers this week described a long-running phishing operation that rotates its bait with the calendar — tax and benefits themes in winter, greeting-card invitations in spring — across 959 fake domains
Law enforcement is going after the supply side too. US prosecutors this week charged several Russian individuals and firms accused of running cybercrime services for hire — the paid tools and infrastructure that let others break in
The expensive route is still open
None of this means software flaws are safe to ignore — the pricier path is still being walked. SonicWall, which makes network security appliances, warned that attackers were actively exploiting two zero-day flaws in its products before a fix existed; a zero-day is a hole the maker does not yet know about, so there is no patch and attackers have a clear run
It was a heavy patch week generally. Microsoft shipped fixes for a record 622 vulnerabilities, including two already being exploited
When the bill comes due
The cost of a breach often lands long after the break-in — and on people who were never in the room for the security decisions. The law firm WilmerHale was hit with a class-action lawsuit this week over a cyberattack that allegedly exposed names and Social Security numbers; the plaintiff called it “massive and preventable”
The most under-reported story of the week was also the most sobering. Reuters reported that documents relating to Kudankulam, India’s largest nuclear power plant, were exposed in a data breach — including an insurance policy and material that researchers said could help an adversary map the plant’s support systems and suppliers
02 · Lesson · why it matters
You don't have to be unbreakable. You have to be expensive.
Attackers don't pick the hardest target or the cleverest trick — they pick the cheapest way in that still works.
The clever hacker is mostly a myth
Picture a break-in and you probably picture skill: someone finding a flaw nobody else spotted, slipping through before anyone can react. That story sells films. It is not what the numbers show. This year, the most common way ransomware got onto a network was not a genius exploit. It was a password — stolen from an old leak, or simply guessed because it was weak.
The share of attacks that started with a software flaw fell by nearly half. The share that started with a login rose to take its place. The front door isn’t being picked. It’s being unlocked with a key someone bought cheap.
Attackers are economists
To understand why, stop thinking of the attacker as a hacker and start thinking of them as a buyer. They have costs — time, tools, skill — and a payoff they’re chasing. Like any buyer, they take the option with the best return.
Finding a fresh software flaw and turning it into a working break-in is expensive. It takes rare skill, and the moment it’s used it starts to rot, because someone patches it. A stolen password is the opposite: cheap, sold in bulk from years of old breaches, and often still working because people reuse them. When defenders made the expensive route more expensive — patching faster, hardening systems — the attacks didn’t stop. Buyers simply switched to the cheaper input. Raise the price of one route and demand moves to the next-cheapest. The market doesn’t shrink; it substitutes.
So perfect is the wrong goal
Here is where it turns useful. If attackers buy the cheapest way in that works, then defence was never about being impossible to breach. Nothing is. It’s about not being the cheapest thing on the shelf.
A second lock on your account — a code, a tap on your phone, a passkey — does not make you unbreakable. What it does is raise the price of coming through you above the payoff, or above the cost of the account sitting next to yours. And that is usually enough. The attacker isn’t personally interested in you. They’re comparing prices. Cost more than you’re worth, and they move on to someone who costs less. Security is pricing, not perfection.
But a price is only as high as its cheapest gap
There’s a catch, and the data makes it sharp. In nearly every break-in that began with a stolen login, a second lock was already there. It still failed. Not because the idea was wrong, but because the lock was partial — bolted to the front door and forgotten on the side one, or a weaker version an attacker could slip around.
That’s the trap. You are only as expensive as your cheapest open door. One account left on the old, low price sets the price of the whole estate, because the buyer always shops your minimum. “I have a second lock” is not the finish line. “Every door has one, and it’s the strong kind” is. Fortifying the door that was already dear feels like progress and changes nothing — the attacker was never going to use it.
You are a price in this market
It’s tempting to read all this as a story about companies. It isn’t only that. Your reused password, your email with no second check, the text-message code that can be intercepted — each is a number in the same market, and your habits set how low it is. You don’t get to opt out of being priced. Everyone with an account is on the shelf.
The question quietly changes from “am I a target?” to “am I cheap?” And the answer is mostly in ordinary moves — a second check on every account, a different password for each, a passkey where it’s offered. None of them makes you safe. Each of them makes you cost more than you’re worth to whoever’s shopping.
Someone else set your starting price
Notice, too, what was decided before you arrived. Whether your account even offers a second lock, and whether it’s the strong kind or a weak text-message code, is mostly chosen by the company that built the service — often shipped off by default, or offered only in the flimsy version. Those defaults set your opening price without asking you. It suits the maker: fewer support calls, faster signups. It can still leave you cheaper than you would have chosen. Seeing that isn’t blame. It’s noticing that the answer to “how expensive am I?” was partly written by someone who will never meet you.
The honest goal is smaller than safety
No single account holder can see this whole market — where the leaked passwords circulate, what a working login sells for this week, which door someone forgot to lock. Neither can the best security team. The system is too wide, and everyone sits inside it, holding one corner.
So the honest aim isn’t to be safe, which no one can promise. It’s to cost more than you’re worth to whoever happens to be shopping — a smaller, truer goal than “unbreakable,” and one worth holding loosely, because the price of coming after you is set in a market you’ll never fully see.
03 · Lab · your turn
Set Your Price
Rehearse defending your accounts by raising your cheapest way in above what you're worth — attackers shop the minimum, so perfection isn't the goal, being expensive is.
04 · Hope · carry this
Attackers switched to cheap stolen passwords because the harder way in got harder — quiet proof that years of patching and hardening have been working. And pricing yourself off the shelf takes nothing clever: a second lock and a different password, turned on everywhere, done fully.
More from Cybersecurity