The Digital Parasite: From Ransomware to Residency

“Security is not a product, but a process.” — Bruce Schneier.

Picus Security’s Red Report™ 2026 reframes modern attacks with a clear warning: adversaries now prefer long-term, low-noise access over flashy outages. This shift forces US organizations to rethink how they spot compromise and measure risk.

At a high level, the digital parasite lives inside hosts, feeds on credentials and services, and stays quiet while it moves. Operationally, residency means persistence, stealth, and trusted pathways that let attackers remain unseen.

This article promises a guided move away from ransomware-era signals toward residency-era reality. Expect data-driven findings based on 2025 telemetry mapped to MITRE ATT&CK, and clear implications for security teams that protect systems and critical assets.

Key Takeaways

  • New attacker model favors silent access over immediate disruption.
  • Residency equals persistence + stealth + trusted pathways in operations.
  • Falling encryption alongside rising credential theft and extortion are the key indicators.
  • Security teams must shift focus from locked systems to ongoing access risk.
  • Analysis relies on Picus Labs’ telemetry, not speculation about new tools.

Red Report 2026 finds attackers shifting from disruption to long-term access

Picus Labs’ 2026 dataset reframes how researchers measure attacker intent across a full year. The Red Report analyzes 1,153,683 unique files, of which 94% were classified as malicious, and it logs 15.5 million malicious actions collected during January–December 2025.

What Picus Labs analyzed

This dataset matters because it moves beyond anecdotes. Researchers mapped behaviors to MITRE ATT&CK so teams can compare techniques consistently across the year.

Why a new threat model matters

Report findings show attackers optimize for long-term access and low visibility rather than loud outages. The result is gradual credential capture, persistence inside hosts, and use of legitimate channels that look normal.

  • Core measurements: 1,153,683 unique files (94% malicious) and 15.5 million adversarial actions.
  • Method: Actions mapped to ATT&CK for apples-to-apples technique prevalence.
  • Strategic shift: Monetization now favors extortion and identity abuse as backups blunt encryption’s impact.

Next: section-level evidence will show a drop in encryption, rising credential harvesting, and dominance of stealthy persistence techniques.

The ransomware signal is fading as extortion rises

Observed patterns in 2025 telemetry show a clear shift: locking files is no longer the default monetization move.

Headline metric: “Data Encrypted for Impact” (T1486) fell 38% year over year, from 21.00% in 2024 to 12.94% in 2025. This drop signals a strategic change by attackers rather than a loss of capability.

From encryption to quiet theft

Operators now favor quiet exfiltration, credential harvesting, and sustained access. They steal sensitive files, then apply delayed pressure through extortion or regulatory threats.

This model causes similar or worse harm without causing obvious outages. Loss of customer trust, regulatory fines, and long recovery costs follow even when systems stay online.

Detection and risk implications

Improved backups and resilience blunt file-encryption leverage. Attackers respond by avoiding loud signals and relying on trusted channels that mimic normal traffic.

Without encryption events, defenders lose a clear binary signal. Teams must invest in behavioral telemetry and analytics to spot slow exfiltration and credential misuse.

“Attackers no longer need to lock your data to monetize it; they just need to steal it.”

  • Metric: T1486 down 38% (21.00% → 12.94%)
  • Operational shift: exfiltration, credential theft, sustained control
  • Risk change: outage-focused metrics can understate long-term exposure

The Digital Parasite: From Ransomware to Residency

Picus Labs’ telemetry shows adversaries increasingly treat hosts as long-term habitats rather than one-time targets.

How modern malware maintains residency: persistence, stealth, and trusted execution paths

Residency looks like code that survives reboots, lives inside legit processes, and uses approved channels to move laterally.

Persistence mechanisms keep footholds across logons. That includes autostart entries, scheduled tasks, and cloud service tokens that renew silently.

Stealth reduces alerts. Attackers hide activity inside normal tooling so defenders see noise instead of signal.

Trusted execution paths blur malicious versus legitimate activity. When a parasite uses system services or enterprise tooling, it blends in.

Why impact is now measured in dwell time and invisible access—not locked files

Old stories focused on locked files. Today success is measured by how long an intruder can stay and what they quietly take.

Lower visibility increases business risk: credential reuse, unauthorized access to sensitive data, and easy return after partial cleanup.

“Dwell time, not disruption, defines long-term harm.”

Identity becomes central when attackers prefer long-lived access. The next section explains why credentials are now the primary control plane.

Identity becomes the control plane in nearly a quarter of attacks

Nearly one in four incidents (23.49%) involve “Credentials from Password Stores” (T1555). That finding puts identity theft front and center as a primary route for control.

Attackers harvest credentials in predictable places: saved browser passwords, OS keychains, third-party password managers, and session tokens used for single sign-on.

Valid logins let adversaries move without noisy exploits. When access looks like a normal user session, detection systems see fewer alerts and fewer break-in signals.

  • Why this matters: stolen identity grants immediate access to services and sensitive data across on-prem and cloud environments.
  • How reuse helps attackers: one credential can unlock many accounts and speed lateral movement.
  • Defender focus: prioritize behavioral monitoring for impossible travel, odd token use, and new device patterns over only signature checks.

“Valid credentials are the fastest route from foothold to broad access.”

Once inside, attackers layer stealthy persistence and trusted execution to hold control while they extract value quietly.

Stealth dominates: top MITRE ATT&CK techniques favor evasion and persistence

Telemetry shows stealth techniques dominating tradecraft, concentrating risk in long-lived footholds.

Red Report 2026 found that roughly 80% of adversary tradecraft shifted toward evasion and persistence. Eight of the top ten ATT&CK techniques now align with stealth tactics. That concentration raises a new baseline threat for organizations and security teams.

Process Injection (T1055) remains dominant

Process injection accounts for about 30% of observed technique use. By placing malicious code inside trusted processes, injection lowers the visual footprint and slows attribution.

Autostart persistence (T1547) keeps access alive

Autostart methods survive reboots and logons. They create repeatable access that can remain after partial cleanup, so residency outlasts quick remediation.

Application Layer Protocols (T1071) hide C2 in plain sight

Command-and-control is blended into normal network traffic. Using common protocols and services makes malicious flows look like routine traffic to systems and admins.

“Success today is measured by how long an intruder can operate with minimal alerts.”

  • Why signature detection struggles: when attacks use legitimate processes and services, static indicators lose usefulness.
  • Operational priorities: focus on behavioral detection, correlate telemetry across hosts and network, and validate controls against real techniques.
  • Outcome: threat success favors sustained access and low noise, not immediate disruption.

Self-aware malware “plays dead” to evade analysis—plus the newest tradecraft

Malware now checks for noninteractive environments and suspends its behavior to avoid being caught.

Virtualization and Sandbox Evasion (T1497) surged into the top tier, rising to #4 among observed techniques in the Red Report 2026.

That rise matters because malware now withholds execution when it suspects an analysis environment. This “plays dead” behavior reduces defender visibility in sandbox workflows and skews threat assessment.

Geometry-based sandbox checks

Picus highlights LummaC2 using simple geometry to tell human input from automation.

It measures Euclidean distance and cursor angles to identify natural mouse paths. If movement looks robotic, payloads stay dormant.
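As an added example (not Picus' code and not LummaC2's), the distance-and-angle heuristic described above, written from the sandbox operator's side: score a recorded cursor trace so you can tell whether your environment's emulated input would look scripted to such a check. The thresholds and the two traces are constructed for illustration.

```python
import math

def path_features(points):
    """Per-segment Euclidean step lengths and absolute turning angles (radians)
    for a cursor trace given as a list of (x, y) samples."""
    steps, turns = [], []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        steps.append(math.hypot(x1 - x0, y1 - y0))
    for (x0, y0), (x1, y1), (x2, y2) in zip(points, points[1:], points[2:]):
        a1 = math.atan2(y1 - y0, x1 - x0)
        a2 = math.atan2(y2 - y1, x2 - x1)
        d = (a2 - a1 + math.pi) % (2 * math.pi) - math.pi  # wrap difference to [-pi, pi)
        turns.append(abs(d))
    return steps, turns

def looks_automated(points, min_turn=0.05, min_step_cv=0.1):
    """Heuristic: a trace that never turns (all angles ~0) and whose step lengths
    barely vary is characteristic of scripted input; human paths wobble in both."""
    if len(points) < 3:
        return True  # too little movement to count as a human session
    steps, turns = path_features(points)
    mean_step = sum(steps) / len(steps)
    if mean_step == 0:
        return True  # cursor never moved
    var = sum((s - mean_step) ** 2 for s in steps) / len(steps)
    step_cv = math.sqrt(var) / mean_step  # coefficient of variation of step length
    return max(turns) < min_turn and step_cv < min_step_cv

# Constructed traces (not real telemetry).
SCRIPTED = [(i * 10, i * 10) for i in range(10)]  # perfect diagonal, identical steps
HUMAN = [(0, 0), (12, 3), (25, 9), (33, 18), (48, 22), (57, 31), (71, 33), (80, 42)]
```

If your sandbox's input replay scores as automated here, add jitter to both step length and direction; curved, unevenly timed paths are what the check is looking for.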

Living off reputable cloud services

Operators route command traffic through high-reputation services like AWS and OpenAI to blend C2 into normal network traffic.

This use of trusted services makes detection harder because traffic appears legitimate to many monitoring tools.
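A starting point for the "C2 hidden in plain sight" problem raised under T1071 above and in the cloud-services passage here, added as an example that is not from the report: over an outbound-connection log, flag source/destination pairs whose inter-connection gaps and request sizes are both nearly constant, which is how a scheduled beacon differs from a person or a real application using the same trusted host. The log lines, hostname and thresholds are constructed.

```python
import statistics
from datetime import datetime

# Constructed outbound-connection log (not real telemetry): ts src dst bytes_out
LOG = """\
2025-06-01T10:00:00 10.0.0.5 api.example-cloud.test 412
2025-06-01T10:05:01 10.0.0.5 api.example-cloud.test 418
2025-06-01T10:09:59 10.0.0.5 api.example-cloud.test 415
2025-06-01T10:15:00 10.0.0.5 api.example-cloud.test 411
2025-06-01T10:20:02 10.0.0.5 api.example-cloud.test 420
2025-06-01T10:00:30 10.0.0.7 api.example-cloud.test 9000
2025-06-01T10:01:10 10.0.0.7 api.example-cloud.test 120
2025-06-01T10:47:00 10.0.0.7 api.example-cloud.test 5500
2025-06-01T11:30:00 10.0.0.7 api.example-cloud.test 210
2025-06-01T11:31:00 10.0.0.7 api.example-cloud.test 60000
"""

def parse(log):
    """Group log lines into {(src, dst): [(timestamp, bytes_out), ...]}."""
    flows = {}
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.setdefault((src, dst), []).append((datetime.fromisoformat(ts), int(nbytes)))
    return flows

def beacon_candidates(flows, min_events=5, max_gap_cv=0.05, max_size_cv=0.1):
    """Return [((src, dst), mean_gap_seconds, gap_cv)] for pairs whose timing and
    payload size are both near-constant. Thresholds are assumed, not from the report."""
    hits = []
    for key, events in flows.items():
        events = sorted(events)
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        if statistics.mean(gaps) == 0 or statistics.mean(sizes) == 0:
            continue  # all-identical timestamps or empty requests: not a timing pattern
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv < max_gap_cv and size_cv < max_size_cv:
            hits.append((key, round(statistics.mean(gaps)), round(gap_cv, 3)))
    return hits
```

Real beacons add jitter, so loosen the gap threshold and look at size regularity and long-run periodicity together rather than either alone; the trusted destination name is never the signal.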

Hardware-level bypass and reality of AI

State-linked actors have begun using IP-KVM devices to control hosts at the hardware level and evade software agents entirely.

On AI, Picus found evolution, not revolution: experimentation with LLM APIs exists, but there was no meaningful spike in AI-written malicious code in the year’s dataset.

“Stealth-first tradecraft reduces the reliability of single-layer defenses.”

Operational implication: defenders must validate layered controls across hosts, network, and services against stealth-first behaviors rather than rely on single-point analysis.

Conclusion

Red Report 2026 warns that outage-focused metrics miss quiet campaigns where residency and credential theft drive harm. When attackers favor long-term access, noisy encryption declines while loss of sensitive data rises.

Digital parasite captures this shift: residency, identity abuse, and stealth techniques reduce obvious signals and lengthen dwell time. That model changes how organizations measure success and prepare for threats.

Practical fixes include credential hygiene, behavioral detection, enhanced C2 visibility, and routine technique-based validation. Move away from static checks and adopt continuous validation against real attack methods.

Expect this trend to continue as adversaries avoid loud alarms and invest in stealth. US security leaders must retune the goals and metrics of their programs to reflect a world that has moved from ransomware to residency.

FAQ

What does the Red Report 2026 reveal about attacker behavior?

The report shows a shift from short-term disruption to long-term access. Analysts reviewed over 1.1 million malicious files and 15.5 million adversarial actions in 2025 and found many actors favor persistence, stealth, and data theft over noisy encryption campaigns.

Why is the ransomware signal declining while extortion rises?

Ransomware that encrypts files (T1486) dropped sharply, while threats focused on exfiltration and delayed pressure increased. Attackers gain more value by quietly stealing data and threatening release, or by maintaining control to extract recurring payments.

How do modern threats maintain residency in target environments?

Malware uses persistence mechanisms, process injection, autostart entries, and trusted execution paths to remain active. These techniques let malicious code run under legitimate processes and survive reboots, increasing dwell time and reducing detection.

How important is identity theft in current attacks?

Very important. Credential harvesting from password stores, browsers, keychains, and tokens appears in a large share of incidents. Valid logins let attackers move laterally and access cloud services, making identity the primary control plane in many breaches.

Which MITRE ATT&CK techniques are most prevalent now?

Techniques favor evasion and persistence: process injection (T1055), autostart persistence (T1547), and use of application layer protocols (T1071) for command-and-control. These let attackers blend into normal traffic and bypass signature-based detection.

How do attackers evade sandboxes and analysis?

Threats increasingly detect virtualization and sandbox environments (T1497) by examining artifacts like timing, mouse movement, or hardware features. Some tools use Euclidean distance calculations of cursor motion or probe hardware to decide whether to activate malicious behavior.

Are attackers abusing cloud and high-reputation services for C2?

Yes. Adversaries route command-and-control through major cloud platforms and APIs to blend with legitimate traffic. This living-off-the-cloud tradecraft complicates detection because traffic appears to go to trusted services.

What role do physical devices and insider techniques play in evasion?

Physical tools such as IP-KVM devices or direct console access can bypass software agents entirely. Combined with compromised credentials, these methods mimic insider actions and reduce reliance on typical network-based indicators.

Is AI fundamentally changing malware capabilities?

Not yet as a wholesale revolution. AI is being discussed and selectively used, but most observed evolution is an improvement of existing techniques—better evasion, automation of simple tasks, and more precise reconnaissance—rather than novel, autonomous malware.

How should security teams change risk measurement and response?

Teams must prioritize detection of stealth, dwell time, and identity-based abuse over outage counts. Focus on monitoring account behavior, process injection indicators, persistence mechanisms, and anomalous use of trusted services to reduce time-to-detection and limit lateral movement.

What immediate actions reduce exposure to these long-term intrusions?

Enforce multifactor authentication, rotate and protect secrets, apply least privilege, monitor for anomalous logins and process behavior, harden autostart and persistence vectors, and inspect outbound traffic to high-reputation services for unusual patterns.
