{“lastseen”:”2026-02-10T14:01:45″,”description”:”\\n\\nAre ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them?\\n\\nAccording to Picus Labs\u2019 new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access.\\n\\nTo be clear, ransomware isn\u2019t going anywhere, and adversaries continue to innovate. But the data shows a clear strategic pivot away from loud, destructive attacks toward techniques designed to evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure. Rather than breaking in and burning systems down, today\u2019s attackers increasingly behave like Digital Parasites. They live inside the host, feed on credentials and services, and remain undetected for as long as possible.\\n\\nPublic attention often gravitates toward dramatic outages and visible impact. The data in this year\u2019s Red Report tells a quieter story, one that reveals where defenders are actually losing visibility.\\n\\n## The Ransomware Signal Is Fading\\n\\nFor the past decade, ransomware encryption served as the clearest signal of cyber risk. When your systems locked up and your operations froze, compromise was undeniable.\\n\\nThat signal is now losing relevance. Year over year, Data Encrypted for Impact (T1486) dropped by 38%, declining from 21.00% in 2024 to 12.94% in 2025. This decline doesn\u2019t show reduced attacker capability. It reflects a deliberate shift in strategy instead.\\n\\nRather than locking data to force payment, threat actors are shifting toward data extortion as their primary monetization model. By avoiding encryption, attackers keep systems operational while they:\\n\\n * Quietly exfiltrate sensitive data\\n * Harvest credentials and tokens\\n * Remain embedded in environments for extended periods\\n * Apply pressure later through extortion rather than disruption\\n\\n\\n\\nThe implication is clear: impact is no longer defined by locked systems, but by how long attackers can maintain access within a host\u2019s systems without being detected.\\n\\n__\\n\\n\\u003e _\\”The adversary’s business model has shifted from immediate disruption to long-lived access.\\”_ _\u2013 Picus Red Report 2026_\\n\\n __\\n\\n## Credential Theft Becomes the Control Plane (A Quarter of Attacks)\\n\\nAs attackers shift toward prolonged, stealthy persistence, identity becomes the most reliable path to control.\\n\\nThe Red Report 2026 shows that Credentials from Password Stores (T1555) appear in nearly one out of every four attacks (23.49%), making credential theft one of the most prevalent behaviors observed over the last year.\\n\\nRather than relying on noisy credential dumping or complex exploit chains, attackers are increasingly extracting saved credentials directly from browsers, keychains, and password managers. Once they have valid credentials, privilege escalation and lateral movement are usually just a little native administrative tooling away.\\n\\nMore and more modern malware campaigns are behaving like digital parasites. There are no alarms, no crashes, and no obvious indicators. Just an eerie quiet.\\n\\nThis same logic now shapes attacker tradecraft more broadly.\\n\\n\\n\\n## 80% of Top ATT\\u0026CK Techniques Now Favor Stealth\\n\\nDespite the breadth of the MITRE ATT\\u0026CK\u00ae framework, real-world malware activity continues to concentrate around a small set of techniques that are increasingly prioritizing evasion and persistence.\\n\\nThe Red Report 2026 reveals a stark imbalance: Eight of the Top Ten MITRE ATT\\u0026CK techniques are now primarily dedicated to evasion, persistence, or stealthy command-and-control. This represents the highest concentration of stealth-focused tradecraft Picus Labs has ever recorded, signaling a fundamental shift in attacker success metrics.\\n\\nRather than prioritizing immediate impact, modern adversaries are optimizing for maximum dwell time. Techniques that enable attackers to hide, blend in, and remain operational for extended periods now outweigh those designed for disruption.\\n\\nHere are some of the most commonly observed behaviors from this year\u2019s report:\\n\\n * T1055 \u2013 Process Injection allows malware to run inside trusted system processes, making malicious activity difficult to distinguish from legitimate execution.\\n * T1547 \u2013 Boot or Logon Autostart Execution ensures persistence by surviving reboots and user logins.\\n * T1071 \u2013 Application Layer Protocols provide \u201cwhisper channels\u201d for command-and-control, blending attacker traffic into normal web and cloud communications.\\n * T1497 \u2013 Virtualization and Sandbox Evasion enables malware to detect analysis environments and refuse to execute when it suspects it is being observed.\\n\\n\\n\\nThe combined effect is powerful. Legitimate-looking processes use legitimate tools to quietly operate over widely trusted channels. Signature-based detection struggles in this environment, while behavioral analysis becomes increasingly important for identifying illicit activity deliberately designed to appear normal.\\n\\nWhere encryption once defined the attack, stealth now defines its success.\\n\\n\\n\\n## Self-Aware Malware Refuses to Be Analyzed\\n\\nWhen stealth becomes the primary measure of success, evading detection alone is no longer enough. Attackers must also avoid triggering the tools defenders rely on to observe their malicious behavior in the first place. The Red Report 2026 shows this clearly in the rise of Virtualization and Sandbox Evasion (T1497), which moved into the top tier of attacker tradecraft in 2025.\\n\\nModern malware increasingly evaluates _where_ it is before deciding _whether_ to act. Instead of relying on simple artifact checks, some samples assess execution context and user interaction to determine if they\u2019re actually operating in a real environment. \\n\\nIn one example highlighted in the report, LummaC2 analyzed mouse movement patterns using geometry, calculating Euclidean distance and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When conditions appeared artificial, it deliberately suppressed any execution and just sat there, quietly biding its time.\\n\\nThis behavior reflects a deeper shift in attacker logic. Malware can no longer be relied on to reveal itself in sandbox environments. It withholds activity by design, remaining dormant until it reaches a real production system. \\n\\nIn an ecosystem dominated by stealth and persistence, _inaction itself_ has become a core evasion technique.\\n\\n## AI Hype vs. Reality: Evolution, Not Revolution\\n\\nWith attackers demonstrating increasingly adaptive behavior, it\u2019s natural to ask _where artificial intelligence fits into this picture_. \\n\\nThe Red Report 2026 data suggests a measured answer. Despite widespread speculation, almost _anticipation,_ about AI reshaping the malware landscape, Picus Labs observed no meaningful increase in AI-driven malware techniques across the 2025 dataset.\\n\\nInstead, the most prevalent behaviors remain familiar. Longstanding techniques such as Process Injection and Command and Scripting Interpreter continue to dominate real-world intrusions, reinforcing that attackers do not require advanced AI to bypass modern defenses.\\n\\nSome malware families have begun experimenting with large language model APIs, but so far their use has remained limited in scope. In observed cases, LLM services were primarily used to retrieve predefined commands or act as a convenient communication layer. These implementations improve efficiency, but they\u2019re not fundamentally altering attacker decision-making or execution logic.\\n\\nSo far, the data shows that AI is being _absorbed into_ existing tradecraft rather than _redefining it_. The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and longer and longer dwell times. \\n\\nAttackers are not winning by inventing radically new techniques. They\u2019re winning by becoming quieter, more patient, and increasingly hard to distinguish from legitimate activity.\\n\\n## Back to Basics for a Different Threat Model\\n\\nHaving run these reports annually for some time now, we see a continuing trend with many of the same tactics appearing year after year. What has fundamentally changed is the objective.\\n\\nModern attacks prioritize:\\n\\n * remaining invisible\\n * abusing trusted identities and tools\\n * disabling defenses quietly\\n * maintaining access over time\\n\\n\\n\\nBy doubling down on modern security fundamentals, behavior-based detection, credential hygiene, and continuous Adversarial Exposure Validation, organizations can focus less on dramatic attack scenarios and more on the threats that are actually succeeding today.\\n\\n\\n\\n## Ready to Validate Against the Digital Parasite?\\n\\nWhile ransomware headlines still dominate the news cycle, the Red Report 2026 shows that, more and more, the real risk lies in silent, persistent compromise. Picus Security focuses on validating defenses against the specific techniques attackers are using right now, not just the ones making the most noise.\\n\\nReady to see the full data behind the Digital Parasite model? \\n\\nDownload the Picus Red Report 2026 to explore this year\u2019s findings and understand how modern adversaries are staying inside networks longer than ever before.\\n\\nNote: This article was written by S\u0131la \u00d6zeren Hac\u0131o\u011flu, Security Research Engineer at Picus Security.\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-02-10T13:59:00″,”modified”:”2026-02-10T13:59:29″,”type”:”thn”,”title”:”From Ransomware to Residency: Inside the Rise of the Digital Parasite”,”source”:””,”references”:””,”id”:”THN:227F327D500178DFE323152B48134B12″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/02\/from-ransomware-to-residency-inside.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-10T14:01:45″,”description”:”\\n\\nAre ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-40023","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n