Sophos: Ransomware activity peaks outside business hours

Sophos Report: Credential Compromise Dominates Cyber Intrusions as Attackers Exploit Identity Weaknesses

A new Sophos Active Adversary Report analyzing 661 incident response cases between November 2024 and October 2025 reveals that identity-related attacks, including phishing, brute force, and credential theft, accounted for 67% of initial access vectors across organizations in 70 countries. The findings underscore how attackers increasingly bypass traditional security measures by targeting authentication systems rather than exploiting software vulnerabilities.

Once inside, threat actors move rapidly to compromise Active Directory (AD), with a median time of 3.4 hours from initial access to directory-level infiltration. AD remains a prime target due to its control over authentication, authorization, and enterprise-wide policies, enabling attackers to escalate privileges and expand access.

The report also highlights dwell time trends, with a median of three days between intrusion and detection. This window allows attackers to conduct reconnaissance, harvest credentials, and prepare for ransomware or data exfiltration. Notably, 88% of ransomware deployments and 79% of data theft incidents occurred outside standard business hours, exploiting reduced staffing and monitoring gaps.

While generative AI has influenced cyber threats (improving phishing lures, scaling campaign volume, and lowering technical barriers), it has not yet led to fully autonomous attacks. Instead, AI acts as a force multiplier, enhancing existing tactics like credential theft and social engineering without fundamentally altering attack methods.

The data confirms that identity compromise remains the dominant entry point, with attackers prioritizing speed and stealth to maximize impact before detection.

Source: https://www.helpnetsecurity.com/2026/02/27/sophos-identity-driven-breaches-report/

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

{
  "id": "SOP1772187995",
  "linkid": "sophos",
  "type": "Cyber Attack",
  "date": "11/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customer data leaks"
}
{'affected_entities': [{'location': '70 countries', 'type': 'organizations'}],
 'attack_vector': ['phishing', 'brute force', 'credential theft'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['credentials',
                                              'authentication data']},
 'description': 'A new Sophos Active Adversary Report analyzing 661 incident '
                'response cases between November 2024 and October 2025 reveals '
                'that identity-related attacks including phishing, brute '
                'force, and credential theft accounted for 67% of initial '
                'access vectors across organizations in 70 countries. '
                'Attackers increasingly bypass traditional security measures '
                'by targeting authentication systems rather than exploiting '
                'software vulnerabilities. Once inside, threat actors move '
                'rapidly to compromise Active Directory (AD), with a median '
                'time of 3.4 hours from initial access to directory-level '
                'infiltration. AD remains a prime target due to its control '
                'over authentication, authorization, and enterprise-wide '
                'policies. The report highlights dwell time trends, with a '
                'median of three days between intrusion and detection, '
                'allowing attackers to conduct reconnaissance, harvest '
                'credentials, and prepare for ransomware or data exfiltration. '
                '88% of ransomware deployments and 79% of data theft incidents '
                'occurred outside standard business hours. Generative AI has '
                'influenced cyber threats by improving phishing lures, scaling '
                'campaign volume, and lowering technical barriers but has not '
                'yet led to fully autonomous attacks.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'systems_affected': ['Active Directory']},
 'lessons_learned': 'Identity compromise remains the dominant entry point, '
                    'with attackers prioritizing speed and stealth to maximize '
                    'impact before detection. Active Directory is a prime '
                    'target for privilege escalation and lateral movement.',
 'motivation': ['financial gain', 'data theft'],
 'post_incident_analysis': {'root_causes': ['identity weaknesses',
                                            'insufficient monitoring during '
                                            'off-hours']},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'Sophos Active Adversary Report'}],
 'title': 'Sophos Report: Credential Compromise Dominates Cyber Intrusions as '
          'Attackers Exploit Identity Weaknesses',
 'type': ['credential compromise', 'ransomware', 'data exfiltration'],
 'vulnerability_exploited': 'identity weaknesses'}