Inside the rise of the digital parasite

February 10, 2026

Are ransomware and encryption still the defining signs of modern cyberattacks, or has the industry become so focused on the noise that it has missed the more dangerous changes happening quietly around it?

According to Picus Labs’ new Red Report 2026, which analyzed more than 1.1 million malicious files and mapped 15.5 million hostile acts observed in 2025, attackers are no longer optimizing for disruption. Instead, their goal now lies in long-term invisible access.

To be clear, ransomware is not going away and attackers continue to innovate. However, the data clearly shows a strategic shift away from loud and destructive attacks to techniques designed to evade detection, persist within the environment, and quietly exploit identities and trusted infrastructure. Rather than infiltrating and burning down systems, today’s attackers increasingly act like digital parasites. They reside within the host, utilize credentials and services, and remain as undetectable as possible.

Public attention often focuses on dramatic power outages and visible effects. This year’s Red Report data tells a quiet story that reveals where defenders are actually losing sight.

Ransomware signals are fading

For the past decade, ransomware encryption has served as the clearest signal of cyber risk. A compromise was undeniable when systems locked up and operations froze.

That signal is now losing its relevance. Year over year, Data Encrypted for Impact (T1486) decreased by 38%, from 21.00% in 2024 to 12.94% in 2025. This decrease does not indicate a decline in attacker capability. Rather, it reflects a deliberate change in strategy.

Rather than locking up data and forcing payment, threat actors are turning to data extortion as their primary monetization model. By bypassing encryption, attackers keep systems operational so that they can:

  • Quietly exfiltrate sensitive data
  • Collect credentials and tokens
  • Remain embedded in the environment for long periods of time
  • Apply pressure later with extortion rather than disruption

The implication is clear. Impact is not defined by a locked system, but by how long an attacker can maintain access inside a host’s system without being detected.

“Adversaries’ business models have shifted from immediate disruption to long-term access.” – Picus Red Report 2026

Credential theft becomes the control plane (1 in 4 attacks)

As attackers move toward long-term stealth persistence, identity becomes the most reliable means of control.

Red Report 2026 shows that Credentials from Password Stores (T1555) appeared in nearly one in four attacks (23.49%), making credential theft one of the most common behaviors observed last year.

Rather than relying on noisy credential dumping or complex exploit chains, attackers are increasingly extracting stored credentials directly from browsers, keychains, and password managers. Once attackers hold valid credentials, privilege escalation and lateral movement are usually possible with little more than native management tools.
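One way to turn the behavior described above into a detection, as an added example that is not from the Red Report or from Picus: flag any process that reads a browser credential store without being the browser that owns it. The event schema, the allowlist, the user name, and every sample event are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Lower-cased full image paths expected to open each store. This allowlist is an
# assumption for the example; a real one also covers updaters, backup and AV agents.
CHROMIUM = {r"c:\program files\google\chrome\application\chrome.exe",
            r"c:\program files (x86)\microsoft\edge\application\msedge.exe"}
FIREFOX = {r"c:\program files\mozilla firefox\firefox.exe"}
STORE_OWNERS = {"login data": CHROMIUM, "logins.json": FIREFOX, "key4.db": FIREFOX}

# Constructed file-read telemetry (hypothetical schema: pid, image, target).
APPDATA = r"C:\Users\ana\AppData"
CHROME_DB = APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"
FF_PROFILE = APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default"
DROPPED = APPDATA + r"\Local\Temp\invoice_viewer.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "target": CHROME_DB},
    {"pid": 7788, "image": DROPPED, "target": CHROME_DB},
    {"pid": 7788, "image": DROPPED, "target": FF_PROFILE + r"\logins.json"},
    {"pid": 7788, "image": DROPPED, "target": FF_PROFILE + r"\key4.db"},
    {"pid": 9001, "image": APPDATA + r"\Local\Temp\chrome.exe", "target": CHROME_DB},
    {"pid": 5150, "image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\ana\notes.txt"},
]

def detect_store_access(events):
    """Map (pid, image) -> sorted store files read by a process that does not own them."""
    hits = defaultdict(set)
    for ev in events:
        store = ntpath.basename(ev["target"]).lower()
        owners = STORE_OWNERS.get(store)
        if owners is None:
            continue  # target is not a credential store
        image = ev["image"].lower()
        # Match on the full path, not the file name, so a binary named chrome.exe
        # running from a user-writable directory still alerts.
        if image not in owners:
            hits[(ev["pid"], image)].add(store)
    return {key: sorted(stores) for key, stores in hits.items()}

def severity(stores):
    """Several distinct store files read by one process suggests bulk harvesting."""
    return "high" if len(stores) > 1 else "medium"

if __name__ == "__main__":
    for (pid, image), stores in detect_store_access(SAMPLE_EVENTS).items():
        print(severity(stores), pid, image, stores)
```

On the sample events, the legitimate Chrome read stays silent, while the process in the Temp directory and the relocated chrome.exe both alert.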

More and more modern malware campaigns act like digital parasites. There are no alarms or crashes, and no obvious indicators. Just an eerie silence.

This same logic shapes attacker techniques more broadly.

80% of top ATT&CK techniques now prioritize stealth

Despite the breadth of the MITRE ATT&CK® framework, real-world malware activity continues to be concentrated around a small number of techniques where evasion and persistence are increasingly prioritized.

Red Report 2026 reveals a clear imbalance. Eight of the top 10 MITRE ATT&CK techniques are now primarily dedicated to evasion, persistence, or stealthy command and control. This represents the highest concentration of stealth-focused tradecraft ever recorded by Picus Labs and signals a fundamental shift in how attackers measure success.

Rather than prioritizing immediate impact, modern attackers are optimizing to maximize dwell time. Techniques that allow attackers to hide, infiltrate, and remain operational for long periods of time now outnumber those aimed at destruction.

Below are some of the most commonly observed behaviors in this year’s report.

  • T1055 – Process Injection allows malware to execute within a trusted system process, making it difficult to distinguish between malicious activity and legitimate execution.
  • T1547 – Boot or Logon Autostart Execution ensures persistence by surviving reboots and user logins.
  • T1071 – Application Layer Protocol provides a “whisper channel” for command and control, mixing attacker traffic with regular web and cloud communications.
  • T1497 – Virtualization/Sandbox Evasion allows malware to detect the analysis environment and refuse to execute if it suspects it is being monitored.

The combined effect is powerful. Legitimate-looking processes operate silently on widely trusted channels using legitimate tools. Signature-based detection becomes extremely difficult in this environment, and behavioral analysis becomes increasingly important for identifying malicious activity that is intentionally designed to appear normal.
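A behavioral check for the T1071 “whisper channel” case, as an added example that is not from the Red Report: instead of matching a signature, it looks for near-constant spacing between requests from one host to one destination. It assumes the implant polls on a timer, which the article does not state; the log schema, host names, domains, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records: (epoch_seconds, source_host, destination).
SAMPLE_LOG = (
    # Roughly one request per minute with a few seconds of jitter.
    [(1000 + 60 * i + j, "ws-17", "cdn.example.net")
     for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
    # Bursty, human-driven browsing from the same host.
    + [(t, "ws-17", "news.example.org")
       for t in (1003, 1009, 1250, 1262, 1900, 1904, 2600, 2610)]
    # Too few requests to say anything.
    + [(t, "ws-22", "cdn.example.net") for t in (1100, 1500)]
)

def beacon_candidates(log, min_events=6, max_cv=0.10):
    """Return {(source, destination): (mean_gap, cv)} for near-periodic traffic.

    cv is the coefficient of variation of the gaps between requests:
    standard deviation divided by mean. Timer-driven traffic has a low cv
    even with jitter; interactive browsing does not.
    """
    times = defaultdict(list)
    for ts, src, dst in log:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps; avoid dividing by zero
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = (round(avg, 1), round(cv, 3))
    return flagged

if __name__ == "__main__":
    for pair, (avg, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(pair, "mean gap", avg, "s, cv", cv)
```

Legitimate software such as update checkers and telemetry agents also polls on a timer, so hits from this check are candidates for triage, not verdicts.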

Encryption once defined an attack; now stealth defines a successful attack.

Self-aware malware refuses analysis

When stealth becomes the primary measure of success, avoiding detection is no longer enough. In addition, attackers must stop the tools that defenders rely on from observing malicious behavior in the first place. Red Report 2026 makes this clear with the rise of Virtualization/Sandbox Evasion (T1497), which ranks as the top tradecraft for attackers in 2025.

Modern malware increasingly evaluates where it is before deciding whether to act. Rather than relying on simple artifact checks, some samples evaluate execution context and user interaction to determine whether they are actually working in a real-world environment.

In one example featured in the report, LummaC2 analyzed mouse movement patterns geometrically, calculating Euclidean distances and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When the environment appeared artificial, it deliberately suppressed execution and sat dormant, waiting.

This behavior reflects a deeper shift in the attacker’s logic. Defenders can no longer rely on malware to reveal itself in a sandbox environment. By design, it stays suspended and dormant until it reaches an actual production system.

In an ecosystem dominated by stealth and persistence, doing nothing is itself a core evasion technique.

AI hype and reality: evolution, not revolution

As attackers exhibit increasingly adaptive behavior, it is natural to wonder where artificial intelligence fits into this situation.

Data from the Red Report 2026 suggests a cautious answer. Despite widespread speculation, almost prediction, that AI would reshape the malware landscape, Picus Labs observed no significant increase in AI-driven malware techniques across its 2025 dataset.

Rather, the most common behaviors are still well known. Long-standing techniques such as process injection and command and script interpreters continue to dominate real-world intrusions, confirming that attackers don’t need advanced AI to evade modern defenses.

Some malware families have begun experimenting with large language model (LLM) APIs, but their use has so far been limited. In the observed cases, the LLM service was primarily used to obtain predefined commands or to act as a convenient communication layer. Although these implementations improve efficiency, they do not fundamentally change the attacker’s decision-making or execution logic.

So far, the data shows that AI is being absorbed into existing tradecraft rather than redefining it. The way the digital parasite works hasn’t changed: credential theft, stealthy persistence, abuse of trusted processes, and increasingly long dwell times.

Attackers aren’t winning by inventing fundamentally new techniques. They are winning by becoming quieter, more patient, and increasingly difficult to distinguish from legitimate activity.

Back to basics on different threat models

We’ve been running these reports annually for a while now, and we’re seeing a continued trend of many of the same tactics popping up year after year. What has fundamentally changed is purpose.

Modern attacks prioritize:

  • Remaining invisible
  • Exploiting trusted identities and tools
  • Disabling defenses
  • Silently maintaining access over time

By strengthening modern security fundamentals, behavior-based detection, credential hygiene, and continuous adversarial exposure validation, organizations can focus on threats that are actually successful today, rather than dramatic attack scenarios.

Are you ready to test against digital parasites?

While ransomware headlines still dominate the news cycle, Red Report 2026 shows that the real risk increasingly lies in silent and persistent compromises. Picus Security focuses on validating defenses against the specific techniques attackers currently use, not just the noisiest ones.

Ready to see the complete data behind the Digital Parasite model?

Download the Picus Red Report 2026 to explore this year’s findings and understand how modern attackers are staying inside networks longer than ever before.

Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security.
