For years, ransomware encryption has been treated as the clearest warning sign of a cyberattack. Locked files, halted operations, public fallout. But new research suggests the industry may be focusing too much on visible damage while a more dangerous shift unfolds quietly in the background.
Findings from Picus Labs’ Red Report 2026, based on the analysis of more than one million malicious files and millions of attacker actions observed throughout 2025, point to a clear change in attacker priorities. Modern adversaries are no longer optimizing for disruption. They are optimizing for staying hidden.
Ransomware is still active, and attackers continue to refine it. But the data shows a steady move away from loud attacks toward methods that prioritize persistence, identity abuse, and long-term access to trusted systems. Instead of crashing environments, attackers are embedding themselves inside them, operating quietly and extracting value over time.
Ransomware Is No Longer the Loudest Signal
For much of the last decade, encryption was the moment defenders knew they had lost control. That signal is now fading.
The report shows a sharp drop in attacks that use encryption for immediate impact. Data encryption activity declined significantly year over year, not because attackers lost capability, but because they no longer need to encrypt to succeed.
Today’s preferred approach is extortion without disruption. By keeping systems running, attackers can:
- siphon sensitive data without drawing attention
- harvest credentials and access tokens
- stay embedded for weeks or months
- apply pressure later, on their own timeline
In this model, success is no longer measured by downtime. It is measured by how long an attacker can remain undetected inside a trusted environment.
Identity Has Become the Primary Control Layer
As attackers prioritize stealth and longevity, identity abuse has emerged as the most reliable path to control.
The Red Report shows credential access activity appearing in nearly a quarter of observed attacks, making it one of the most common behaviors across real-world campaigns. Instead of noisy memory scraping or complex exploits, attackers are quietly extracting saved credentials from browsers, password managers, and operating system stores.
Once valid credentials are obtained, everything else becomes easier. Privilege escalation, lateral movement, and persistence can often be achieved using native administrative tools, leaving little trace of malicious behavior.
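A behavioral check for the credential-store access described above, as an added example that is not from the Red Report or Picus Labs: it flags any process other than the owning browser that opens a browser's saved-login files. It assumes file-access auditing is enabled on those paths and exported in a constructed pipe-delimited format; the field layout, hosts, users and process names are hypothetical.

```python
import ntpath

# Credential-store file names -> process names expected to open them.
# Illustrative, not exhaustive; extend for the browsers you deploy.
STORES = {
    "login data": {"chrome.exe", "msedge.exe"},  # Chromium saved logins
    "logins.json": {"firefox.exe"},              # Firefox saved logins
    "key4.db": {"firefox.exe"},                  # Firefox key database
}
# A matching name is not enough (names can be spoofed), so the image must
# also run from an install directory. Assumption: machine-wide installs only.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: time|host|user|process image|file opened
SAMPLE_LOG = r"""
2025-11-03T09:14:02|WS-017|jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-11-03T09:20:41|WS-017|jdoe|C:\Users\jdoe\AppData\Local\Temp\updater.exe|C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-11-03T09:20:42|WS-017|jdoe|C:\Users\jdoe\AppData\Local\Temp\updater.exe|C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json
2025-11-03T09:31:10|WS-022|asmith|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\asmith\AppData\Roaming\Mozilla\Firefox\Profiles\ef56gh78.default\key4.db
2025-11-03T09:40:00|WS-022|asmith|C:\Windows\System32\notepad.exe|C:\Users\asmith\Documents\notes.txt
"""

def parse(log):
    """Yield (host, user, process, object) per line, paths lower-cased."""
    for line in log.strip().splitlines():
        _time, host, user, process, obj = line.split("|")
        yield host, user, process.lower(), obj.lower()

def detect(log):
    """Group unexpected credential-store reads by (host, user, process)."""
    hits = {}
    for host, user, process, obj in parse(log):
        allowed = STORES.get(ntpath.basename(obj))
        if allowed is None:
            continue  # not a credential store
        if ntpath.basename(process) in allowed and process.startswith(TRUSTED_DIRS):
            continue  # the owning browser, from its install directory
        hits.setdefault((host, user, process), set()).add(ntpath.basename(obj))
    # Reading the stores of several browsers is a stronger signal than one.
    return [
        {"host": h, "user": u, "process": p, "stores": sorted(s),
         "severity": "high" if len(s) > 1 else "medium"}
        for (h, u, p), s in hits.items()
    ]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Per-user browser installs and legitimate backup or endpoint agents will need entries of their own before this is usable as an alert.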

This is what defines the modern attacker. No alarms. No crashes. Just silence.
Stealth Now Dominates Real-World Attack Techniques
Despite the wide range of techniques in the MITRE ATT&CK framework, real-world activity continues to concentrate around a small set of behaviors. What stands out in 2025 is what those behaviors prioritize.
Eight of the ten most frequently observed techniques now focus on evasion, persistence, or covert communication. This is the strongest shift toward stealth Picus Labs has recorded to date.
Common behaviors include:
- injecting code into trusted processes to blend in
- configuring systems to survive reboots and logins
- using normal web and cloud protocols for command and control
- actively avoiding execution in analysis environments
The result is an attack chain that looks normal at every stage. Legitimate processes. Legitimate tools. Legitimate traffic. Traditional detection methods struggle in this environment, while behavioral monitoring becomes critical.
Encryption used to define the attack. Now, invisibility defines success.

Malware That Refuses to Act When Watched
As detection tools improve, attackers are adapting in another way: by refusing to reveal themselves at all.
The report highlights a rise in malware that actively evaluates its environment before executing. Instead of running immediately, these samples assess system behavior, user interaction, and execution context to determine whether they are being analyzed.
In one case, malware measured mouse movement patterns to distinguish real users from automated sandbox behavior. When conditions did not appear natural, the malware simply did nothing.
This shift represents a deeper change in attacker logic. Malware no longer exposes itself in controlled environments. It waits. Inaction has become a core evasion technique.
AI Is Not the Breakthrough Many Expected
With so much attention on artificial intelligence, it is easy to assume AI is driving this evolution. The data suggests otherwise.
While some attackers have experimented with AI-related services, there is no evidence of widespread AI-driven malware decision-making. Most attacks still rely on familiar techniques that have worked for years.
Where AI does appear, it is used sparingly, often as a convenience layer rather than a transformative capability. The core mechanics remain unchanged: credential theft, stealthy persistence, trusted process abuse, and extended dwell time.
Attackers are not winning because they are smarter machines. They are winning because they are quieter and more patient.
A Different Threat Model Demands a Different Focus
What has changed is not the tools attackers use, but their objective.
Modern intrusions aim to:
- stay invisible
- exploit trusted identities
- quietly weaken defenses
- maintain access for as long as possible
Defending against this threat requires a shift in mindset. Less focus on dramatic attack scenarios, and more attention to behavior, identity hygiene, and continuous validation of defensive controls against real attacker techniques.
The biggest risk today is not the system that suddenly goes dark. It is the one that appears perfectly normal while being quietly exploited.

