Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them?
According to Picus Labs' new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access.
To be clear, ransomware isn't going anywhere, and adversaries continue to innovate. But the data shows a clear strategic pivot away from loud, destructive attacks toward techniques designed to evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure. Rather than breaking in and burning systems down, today's attackers increasingly behave like Digital Parasites. They live inside the host, feed on credentials and services, and remain undetected for as long as possible.
Public attention often gravitates toward dramatic outages and visible impact. The data in this year's Red Report tells a quieter story, one that reveals where defenders are actually losing visibility.
The Ransomware Signal Is Fading
For the past decade, ransomware encryption served as the clearest signal of cyber risk. When your systems locked up and your operations froze, compromise was undeniable.
That signal is now losing relevance. Year over year, Data Encrypted for Impact (T1486) dropped by 38%, declining from 21.00% in 2024 to 12.94% in 2025. This decline does not indicate reduced attacker capability. It reflects a deliberate shift in strategy instead.
Rather than locking data to force payment, threat actors are shifting toward data extortion as their primary monetization model. By avoiding encryption, attackers keep systems operational while they:
- Quietly exfiltrate sensitive data
- Harvest credentials and tokens
- Remain embedded in environments for extended periods
- Apply pressure later through extortion rather than disruption
The implication is clear: impact is no longer defined by locked systems, but by how long attackers can maintain access inside a host's systems without being detected.
“The adversary’s business model has shifted from immediate disruption to long-lived access.” – Picus Red Report 2026
Credential Theft Becomes the Control Plane (A Quarter of Attacks)
As attackers shift toward prolonged, stealthy persistence, identity becomes the most reliable path to control.
The Red Report 2026 shows that Credentials from Password Stores (T1555) appear in nearly one out of every four attacks (23.49%), making credential theft one of the most prevalent behaviors observed over the last year.
Rather than relying on noisy credential dumping or complex exploit chains, attackers are increasingly extracting saved credentials directly from browsers, keychains, and password managers. Once they have valid credentials, privilege escalation and lateral movement are often just a little native administrative tooling away.
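One way to turn the credential-store behavior described above into a behavioral check, as an added example that is not taken from the Red Report or from Picus: flag any process that opens a browser credential store unless it is an expected browser running from a trusted install directory. The store file names, the allow-listed browsers, the trusted directories and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: file names of common browser credential stores
# (Chromium "Login Data", Firefox "logins.json" / "key4.db").
CREDENTIAL_STORES = {"login data", "logins.json", "key4.db"}
# Assumption: processes expected to read those stores in this environment.
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: directories a genuine browser binary is installed under.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed file-access events (host, process image, target path); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-02", r"C:\Users\bo\AppData\Local\Temp\updater.exe",
     r"C:\Users\bo\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("ws-03", r"C:\Users\cy\Downloads\firefox.exe",
     r"C:\Users\cy\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db"),
    ("ws-04", r"C:\Windows\System32\notepad.exe",
     r"C:\Users\di\Documents\notes.txt"),
]


def is_expected_reader(image):
    """True only for an allow-listed browser name in a trusted directory.

    Checking the directory as well as the name catches a binary that merely
    calls itself firefox.exe while running from Downloads or Temp.
    """
    image = image.lower()
    return (ntpath.basename(image) in EXPECTED_READERS
            and image.startswith(TRUSTED_DIRS))


def suspicious_store_access(events):
    """Return (host, process, store) for each unexpected credential-store read."""
    findings = []
    for host, image, target in events:
        if ntpath.basename(target).lower() not in CREDENTIAL_STORES:
            continue  # not a credential store, ignore
        if not is_expected_reader(image):
            findings.append((host, ntpath.basename(image), ntpath.basename(target)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_store_access(SAMPLE_EVENTS):
        print(finding)
```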
More and more modern malware campaigns are behaving like digital parasites. There are no alarms, no crashes, and no obvious indicators. Just an eerie quiet.
This same logic now shapes attacker tradecraft more broadly.

80% of Top ATT&CK Techniques Now Favor Stealth
Despite the breadth of the MITRE ATT&CK® framework, real-world malware activity continues to concentrate around a small set of techniques that increasingly prioritize evasion and persistence.
The Red Report 2026 reveals a stark imbalance: eight of the top ten MITRE ATT&CK techniques are now primarily dedicated to evasion, persistence, or stealthy command-and-control. This represents the highest concentration of stealth-focused tradecraft Picus Labs has ever recorded, signaling a fundamental shift in attacker success metrics.
Rather than prioritizing immediate impact, modern adversaries are optimizing for maximum dwell time. Techniques that enable attackers to hide, blend in, and remain operational for extended periods now outweigh those designed for disruption.
Here are some of the most commonly observed behaviors from this year's report:
- T1055 – Process Injection allows malware to run inside trusted system processes, making malicious activity difficult to distinguish from legitimate execution.
- T1547 – Boot or Logon Autostart Execution ensures persistence by surviving reboots and user logins.
- T1071 – Application Layer Protocols provide “whisper channels” for command-and-control, blending attacker traffic into normal web and cloud communications.
- T1497 – Virtualization and Sandbox Evasion allows malware to detect analysis environments and refuse to execute when it suspects it is being observed.
The combined effect is powerful. Legitimate-looking processes use legitimate tools to quietly operate over widely trusted channels. Signature-based detection struggles in this environment, while behavioral analysis becomes increasingly important for identifying illicit activity deliberately designed to appear normal.
Where encryption once defined the attack, stealth now defines its success.

Self-Aware Malware Refuses to Be Analyzed
When stealth becomes the primary measure of success, evading detection alone is no longer enough. Attackers must also avoid triggering the tools defenders rely on to observe their malicious behavior in the first place. The Red Report 2026 shows this clearly in the rise of Virtualization and Sandbox Evasion (T1497), which moved into the top tier of attacker tradecraft in 2025.
Modern malware increasingly evaluates where it is before deciding whether to act. Instead of relying on simple artifact checks, some samples assess execution context and user interaction to determine if they're actually running in a real environment.
In one example highlighted in the report, LummaC2 analyzed mouse movement patterns using geometry, calculating Euclidean distance and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When conditions appeared artificial, it deliberately suppressed any execution and just sat there, quietly biding its time.
This behavior reflects a deeper shift in attacker logic. Malware can no longer be relied on to reveal itself in sandbox environments. It withholds activity by design, remaining dormant until it reaches a real production system.
In an ecosystem dominated by stealth and persistence, inaction itself has become a core evasion technique.
AI Hype vs. Reality: Evolution, Not Revolution
With attackers demonstrating increasingly adaptive behavior, it's natural to ask where artificial intelligence fits into this picture.
The Red Report 2026 data suggests a measured answer. Despite widespread speculation, almost anticipation, about AI reshaping the malware landscape, Picus Labs observed no meaningful increase in AI-driven malware techniques across the 2025 dataset.
Instead, the most prevalent behaviors remain familiar. Longstanding techniques such as Process Injection and Command and Scripting Interpreter continue to dominate real-world intrusions, reinforcing that attackers don't require advanced AI to bypass modern defenses.
Some malware families have begun experimenting with large language model APIs, but so far their use has remained limited in scope. In observed cases, LLM services were primarily used to retrieve predefined commands or act as a convenient communication layer. These implementations improve efficiency, but they're not fundamentally altering attacker decision-making or execution logic.
So far, the data shows that AI is being absorbed into existing tradecraft rather than redefining it. The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and longer and longer dwell times.
Attackers are not winning by inventing radically new techniques. They're winning by becoming quieter, more patient, and increasingly hard to distinguish from legitimate activity.
Back to Basics for a Different Threat Model
Having run these reports annually for some time now, we see a continuing trend with many of the same tactics appearing year after year. What has fundamentally changed is the objective.
Modern attacks prioritize:
- remaining invisible
- abusing trusted identities and tools
- disabling defenses quietly
- maintaining access over time
By doubling down on modern security fundamentals, behavior-based detection, credential hygiene, and continuous Adversarial Exposure Validation, organizations can focus less on dramatic attack scenarios and more on the threats that are actually succeeding today.

Ready to Validate Against the Digital Parasite?
While ransomware headlines still dominate the news cycle, the Red Report 2026 shows that, more and more, the real risk lies in silent, persistent compromise. Picus Security focuses on validating defenses against the specific techniques attackers are using right now, not just the ones making the most noise.
Ready to see the full data behind the Digital Parasite model?
Download the Picus Red Report 2026 to explore this year's findings and understand how modern adversaries are staying inside networks longer than ever before.
Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security.



