As ransomware recedes, a new more dangerous digital parasite rises
Summary
Picus Labs' sixth annual Red Report, analyzing over one million malicious files and 15 million adversarial actions in 2025, reveals a significant shift in threat actor techniques. The report, which ranks MITRE ATT&CK techniques, indicates a 38% relative decrease in ransomware encryption (T1486) from 21.00% of samples in 2025 to 12.94% in 2026. Threat actors are moving from "locking data" to "stealing data" via parasitic "sleeperware" extortion, prioritizing dwell time over destruction. Process Injection (T1055) remains the top technique, followed by Command and Scripting Interpreter (T1059) and Credentials from Password Stores (T1555). Notably, Virtualization/Sandbox Evasion (T1497) surged to fourth place, as context-aware malware evades detection and activates only in production environments.
Key takeaway
For CISOs and security architects evaluating their defense strategies, the shift from ransomware encryption to parasitic extortion means your security must evolve beyond "break-in" detection. Prioritize robust identity and access management, continuous monitoring for lateral movement, and immutable backups to counter the "sleeperware" threat, as attackers are likely already inside your network.
Key insights
Threat actors are shifting from ransomware encryption to stealthy, long-term data extortion via "sleeperware."
Principles
- Prioritize dwell time over destruction.
- Inhabit the host rather than destroy it.
Method
Attackers use stolen credentials to log in, move laterally within existing permissions, exfiltrate small amounts of data over time, and then use proof of access for extortion.
In practice
- Implement immutable, isolated backups.
- Focus on detecting post-compromise activity.
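One way to look for the "small amounts of data over time" pattern described under Method is to score cumulative outbound volume per host and destination instead of per-day volume. This is an added example, not code from the report or the original article; the flow records, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (day, internal host, external destination, bytes sent out).
FLOWS = (
    [(d, "ws-114", "203.0.113.20", 40_000_000) for d in range(1, 31)]     # slow drip, 30 days
    + [(3, "db-02", "198.51.100.7", 9_000_000_000)]                       # one bulk transfer
    + [(d, "ws-201", "192.0.2.55", 2_000_000) for d in range(1, 31, 3)]   # light routine traffic
)

def daily_volume_alerts(flows, daily_cap):
    """Classic per-day threshold: (host, dst, day) keys whose daily bytes exceed daily_cap."""
    per_day = defaultdict(int)
    for day, src, dst, nbytes in flows:
        per_day[(src, dst, day)] += nbytes
    return sorted(k for k, v in per_day.items() if v > daily_cap)

def slow_exfil_candidates(flows, daily_cap, min_days, min_total):
    """Host/destination pairs that stay under daily_cap every day but add up over time."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        per_pair[(src, dst)][day] += nbytes
    findings = []
    for (src, dst), days in per_pair.items():
        total = sum(days.values())
        # Persistent, individually quiet, cumulatively large: invisible to the daily rule.
        if len(days) >= min_days and max(days.values()) <= daily_cap and total >= min_total:
            findings.append({"host": src, "dst": dst, "days": len(days), "total_bytes": total})
    return sorted(findings, key=lambda f: f["total_bytes"], reverse=True)

if __name__ == "__main__":
    cap = 500_000_000  # assumed per-day alert threshold (500 MB)
    print("daily alerts:", daily_volume_alerts(FLOWS, cap))
    print("slow exfil  :", slow_exfil_candidates(FLOWS, cap, min_days=14, min_total=1_000_000_000))
```

In the sample, the bulk transfer from db-02 trips the daily rule, while ws-114 never does and only surfaces in the cumulative view.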
Topics
- MITRE ATT&CK Framework
- Ransomware
- Sleeperware Malware
- Malware Evasion
- Process Injection
Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, AI Security Engineer, IT Professional
Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.