
ZDNET key takeaways
- Picus Labs has released a report that ranks MITRE ATT&CK techniques.
- According to the report, ransomware encryption is on the decline.
- Moving up the ranks is a malware that plays dead until it's ripe to strike.
In its annual Red Report, a body of research that analyzes real-world attacker techniques using large-scale attack simulation data, Picus Labs warns cybersecurity professionals that threat actors are rapidly shifting away from ransomware encryption to parasitic “sleeperware” extortion as their means to loot organizations for millions of dollars per attack.
Taking the adversary's perspective
Released today and now in its sixth year, the 278-page Red Report gets its name from Picus-organized cybersecurity exercises that take the perspective of the attacker's team, otherwise known as the “red team.”
The name harkens back to war games and other simulated military exercises where the so-called red team plays the role of an adversary while the blue team defends. The report takes the adversary's perspective via the MITRE ATT&CK framework, a constantly updated catalog of unique techniques that real-world threat actors use to execute their attacks.
For example, when a threat actor encrypts an organization's systems — essentially freezing the organization out of its own information technology until a ransom is paid — the unique MITRE ATT&CK Technique ID that describes that approach is T1486.
Based on its analysis of more than one million malicious files and 15 million adversarial actions observed in 2025, Picus Labs ranks how threat actors rely on the different MITRE ATT&CK techniques and then notes how those techniques are trending up or down compared to previous years.
According to Picus Labs, 2025 was marked by a “massive surge” in an incredibly patient form of malware that, through a combination of techniques, can essentially play dead, evading detection, and striking only when the right opportunities present themselves. Meanwhile, as a preferred threat actor technique, that surge in ranking came at the expense of ransomware encryption.
Shifting from encryption to extortion
“For the past decade, the primary concern for CISOs was business interruption caused by ransomware. In 2026, the risk profile has inverted,” noted the report.
“The data shows a massive statistical decline in the deployment of ransomware payloads. In 2025, Data Encrypted for Impact (T1486) [aka ransomware encryption] appeared in 21.00% of samples; in 2026, it plummeted to 12.94%. This represents a 38% relative decrease. This sharp drop-off provides concrete evidence that threat actors are shifting their business model away from ‘locking data’ (encryption) toward ‘stealing data’ (extortion) to keep the host alive for long-term exploitation.”
The report also said that “the dominance of Process Injection (T1055) signals that attackers are prioritizing dwell time over destruction. The goal is no longer to crash your systems, steal and get out, but to break in and inhabit them unnoticed.”
According to the report, the top three MITRE ATT&CK techniques remained unchanged from 2024, with Process Injection ranking first, ahead of Command and Scripting Interpreter (T1059) and Credentials from Password Stores (T1555). However, perhaps the most notable change in the rankings was the surge of Virtualization/Sandbox Evasion (T1497) into the fourth position.
The rise of the digital parasite
“Virtualization and Sandbox Evasion (T1497) rose to the fourth-ranked ATT&CK technique as context-aware malware learns to detect analysis environments (e.g., sandboxes) through artifact checks, timing, and user interaction patterns,” said the report.
“Many samples will now refuse to execute when watched. Files can pass automated gateways and only activate in production, creating a dangerous false sense of safety.”
“What we're observing is the rise of the digital parasite,” said Picus Labs co-founder and VP Dr. Süleyman Özarslan in a prepared release.
“Attackers have realized it is more profitable to inhabit the host than to destroy it. They are embedding themselves inside environments, using trusted identities and even physical hardware to feed on access while staying operationally invisible. If your security relies on spotting a ‘break-in,’ you've already lost, because they are already logged in.”
Özarslan told ZDNET: “In many cases, attackers use stolen credentials to log in like a normal user, which lets them slip past security controls. The next thing they do is move into places that account can already reach — email, shared drives, cloud apps, HR, or finance systems — without setting off alarms because nothing looks unusual.
“Instead of grabbing everything at once, they tend to take small amounts of valuable data over time and stay quiet. Once they have enough, they come back with proof of what they accessed — specific files, records, or samples — and use the threat of exposing that data as leverage. Encrypting systems can still happen, but it's often no longer the first step.”
The Red Report's findings align with the 2026 predictions from other cybersecurity researchers. As noted in ZDNET's top 10 anticipated cybersecurity threats for 2026, researchers expect an evolution from ransomware encryption to more sophisticated forms of extortion.
“Instead of just encrypting systems, ransomware will shift towards greater dynamics in stealing, manipulating, and threatening to leak or alter sensitive data, targeting backups, cloud services, and supply chains,” said NCC Group director Nigel Gibbons.
The report offers a detailed set of recommendations for cybersecurity professionals to follow to best defend against this parasitic sleeperware and other high-ranking threats.
Even though ransomware encryption dropped from sixth to tenth in the rankings, it is still a significant threat. As noted in ZDNET's aforementioned top 10 report, research from Cybersecurity Ventures predicts the global total cost of ransomware damage to increase by 30%, from $57 billion in 2025 to $74 billion in 2026.
According to the Red Report, “Even with the decline of encryption, backups remain critical for recovery from destructive wiper attacks. Ensure backups are immutable and isolated from the main network.” The Red Report is available for download from Picus Labs' website.