Picus Red Report 2026 Finds 38% Drop in Ransomware Attacks as Hackers Choose "Silent Residency" Over Destruction

Analysis of more than 1.1 million malicious files and 15.5 million adversarial actions across enterprise environments shows attackers are prioritizing long-term access through evasion, identity abuse, and misuse of trusted systems

SAN FRANCISCO, Feb. 10, 2026 (GLOBE NEWSWIRE) -- Picus Security, the leading security validation company, today released the Red Report™ 2026, revealing a chilling evolution in cyber warfare: the rise of the "Digital Parasite." Analyzing over 1.1 million malicious files and 15.5 million actions in 2025, Picus Labs found that adversaries have shifted 80% of their tradecraft toward stealth, evasion, and persistence.

The report uncovers distinct, highly sophisticated behaviors that allow malware to inhabit systems for months without detection:

• Malware Doing Math: In a first-of-its-kind finding, malware strains like LummaC2 are now using trigonometry (calculating Euclidean distance of mouse angles) to distinguish between human users and automated security sandboxes. If the mouse moves too "perfectly," the malware knows it is being watched and refuses to detonate.
  
• The "Play Dead" Phenomenon: Virtualization/Sandbox Evasion has surged to become the #4 most prevalent technique. Modern malware actively checks for analysis environments and goes dormant to create a false sense of safety.
  
• The Shift From Encryption to Extortion: The use of "Data Encrypted for Impact" (ransomware's signature move) dropped by 38%. Attackers are no longer locking data immediately; they are silently exfiltrating it for extortion
  

“We forced the adversary to evolve,” said Dr. Süleyman Özarslan, co-founder and VP of Picus Labs. “As organizations mastered backups and resilience, the traditional business model collapsed. Attackers no longer need to lock your data to monetize it; they just need to steal it. This is why we see a 38% drop in encryption and a staggering 80% surge in evasion techniques.”

Stealth and persistence dominate attacker techniques

The Red Report™ 2026 is based on year-long research conducted by Picus Labs, with adversarial behaviors validated through real-world attack simulations and mapped to the MITRE ATT&CK framework. The analysis focuses on the techniques attackers use most frequently to maintain access and avoid detection once inside an organization.

Among the report’s key findings:

• Process Injection Is King: For the third consecutive year, process injection (30%) is the top technique, allowing attackers to hide malicious code inside legitimate, trusted applications.
• Physical Insider Threats: State-sponsored actors (specifically DPRK operatives) are now utilizing physical IP-KVM devices to bypass software agents entirely, controlling laptop farms at the hardware level.
• Living Off the Cloud: Attackers are routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to blend in with normal business traffic.
• Identity is the New Perimeter: one in four attacks now involve stealing saved passwords from browsers, allowing adversaries to authenticate as valid users.

By operating through trusted processes and standard network traffic, adversaries reduce their operational footprint and extend dwell time. Attackers can persist within environments while minimizing signals that would typically trigger alerts or responses, inflicting maximum damage.

Protecting enterprises from digital parasites
The Red Report™ 2026 concludes that static assessments and assumption-based coverage leave blind spots when threats are designed to remain quiet. Protecting enterprises requires continuous validation of security controls against real adversary behavior.

By validating defenses through ongoing attack simulation, organizations can confirm whether detection and prevention controls are effective against stealth-driven techniques and identify gaps before attackers exploit them.

The Red Report™ 2026 is available now. To download the full report and explore the most prevalent attacker techniques shaping today’s threat landscape, visit the Picus Security website.

Note on Methodology: The findings in the Red Report 2026 are derived from a large-scale analysis of 1,153,683 unique files (94% classified as malicious) and 15.5 million malicious actions collected by Picus Labs between January and December 2025. These actions were systematically mapped to the MITRE ATT&CK® framework to identify the most prevalent adversary techniques.

About Picus Security
Picus Security, the leading security validation company, gives organizations a clear picture of their cyber risk based on business context. Picus transforms security practices by correlating, prioritizing and validating exposures across siloed findings so teams can focus on critical gaps and high-impact fixes. With Picus, security teams can quickly take action with one-click mitigations to stop more threats with less effort. Offering Adversarial Exposure Validation with Breach and Attack Simulation and Automated Penetration Testing, working together for greater outcomes, Picus delivers award-winning, threat-centric technology that allows teams to pinpoint fixes worth pursuing.

Follow Picus Security on X and LinkedIn.

Media Contact
Jennifer Tanner
Look Left Marketing
picus@lookleftmarketing.com

Photos accompanying this announcement are available at:
https://www.globenewswire.com/NewsRoom/AttachmentNg/bc024cfe-e10d-4875-9f5b-6ccc7d1773b5

https://www.globenewswire.com/NewsRoom/AttachmentNg/2608d306-0ac9-4f37-9b23-8bbdeefc386c

https://www.globenewswire.com/NewsRoom/AttachmentNg/f227fb5b-832a-4b7e-99cd-ba0e0e9c11dc