The 38% Drop Nobody Expected
Ransomware encryption is dying. Not because defenders won — but because attackers found something better.
The Picus Security Red Report 2026, analyzing 1.1 million malicious files and 15.5 million adversarial actions mapped to MITRE ATT&CK, reveals a fundamental shift: ransomware encryption dropped 38% year-over-year, while stealth, persistence, and credential theft surged to record highs.
Welcome to the era of the Digital Parasite — where attackers don't destroy your data. They live inside your network, silently, for months.
From Predator to Parasite
The old ransomware playbook was simple: breach, encrypt, demand ransom. Loud, fast, and increasingly ineffective as organizations improved backup strategies.
The new playbook is terrifyingly different:
- Breach quietly using valid credentials (T1078)
- Inject into trusted processes to avoid detection (T1055)
- Establish persistence that survives reboots (T1547)
- Exfiltrate data slowly over weeks or months (T1041)
- Extort with exposure — no encryption needed
Eight of the top ten MITRE ATT&CK techniques observed in 2025 are now dedicated to evasion, persistence, or stealthy C2. This is the highest concentration of stealth-focused tradecraft ever recorded.
The Numbers That Should Scare You
| Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Encryption-based attacks (T1486) | 21.00% | 12.94% | -38% |
| Credential theft (T1555) | ~15% | 23.49% | +56% |
| Sandbox evasion (T1497) | #8 | #4 | ↑ 4 spots |
| New ransomware groups (H2) | ~40 | 73 | +82% |
| Total victims publicly posted | ~5,000 | 7,000+ | +40% |
Fewer encryptions. More victims. The math doesn't lie — data extortion without encryption is more profitable and harder to defend against.
LummaC2: Malware That Does Trigonometry
The most chilling example of modern evasion comes from LummaC2, an infostealer that uses geometric analysis of mouse movements to detect sandboxes.
Here's how it works:
- Records cursor positions over time
- Calculates Euclidean distance between movement angles
- Compares patterns against human behavior models
- If movements are too linear or predictable → sandbox detected → malware stays dormant
This isn't science fiction. This is production malware in 2026. Your sandbox doesn't move the mouse like a human, and the malware knows it.
Top 5 MITRE ATT&CK Techniques Driving the Shift
T1555 — Credentials from Password Stores (23.49%)
Attackers extract saved passwords from browsers, keychains, and password managers. Why brute-force when users store credentials in plaintext?
Detection (Sigma):

```yaml
title: Browser Credential Store Access
status: experimental
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\Login Data'
      - '\\Cookies'
      - '\\Web Data'
      - '\\logins.json'
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\rundll32.exe'
  condition: selection
level: high
```
T1055 — Process Injection
Malware executes inside trusted processes like svchost.exe or explorer.exe. The process is legitimate — the code inside isn't.
Detection (Sigma):

```yaml
title: Suspicious Process Injection via CreateRemoteThread
status: experimental
logsource:
  category: create_remote_thread
  product: windows
detection:
  selection:
    SourceImage|endswith:
      - '\\powershell.exe'
      - '\\rundll32.exe'
      - '\\mshta.exe'
    TargetImage|endswith:
      - '\\svchost.exe'
      - '\\explorer.exe'
      - '\\lsass.exe'
  condition: selection
level: critical
```
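To check what the two Sigma selections above actually catch (and miss), here is an added example, not code from the report or the post, that mirrors Sigma's `contains` / `endswith` semantics (keys in a selection are ANDed, list values are ORed) and runs both selections over constructed Sysmon-style events. The event paths are made up; a real deployment would use a Sigma backend such as pySigma rather than this reduced matcher.

```python
# Added example: reduced Sigma matcher for the T1555 and T1055 selections above.
# Only 'contains' and 'endswith' are implemented; case-insensitive like Sigma.
# A Sigma value '\\x' denotes one literal backslash, hence "\\x" in Python.
T1555_SELECTION = {
    "TargetFilename|contains": ["\\Login Data", "\\Cookies", "\\Web Data", "\\logins.json"],
    "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\rundll32.exe"],
}
T1055_SELECTION = {
    "SourceImage|endswith": ["\\powershell.exe", "\\rundll32.exe", "\\mshta.exe"],
    "TargetImage|endswith": ["\\svchost.exe", "\\explorer.exe", "\\lsass.exe"],
}

def field_matches(value: str, modifier: str, patterns: list) -> bool:
    """One selection key: the field value must satisfy ANY listed pattern (OR)."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
    return False

def selection_matches(event: dict, selection: dict) -> bool:
    """Whole selection map: every key must match (AND); missing field = no match."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, patterns):
            return False
    return True

# Constructed sample events (not real telemetry).
LOGIN_DATA = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EVENTS = [
    {"TargetFilename": LOGIN_DATA, "Image": r"C:\Windows\System32\cmd.exe"},          # T1555 hit
    {"TargetFilename": LOGIN_DATA, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # browser itself
    {"TargetFilename": LOGIN_DATA, "Image": r"C:\Users\a\Downloads\updater.exe"},      # stealer as custom binary: missed
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},                                # T1055 hit
]

def evaluate(events=EVENTS):
    """Return (event index, rule) for every selection that fired."""
    hits = []
    for i, ev in enumerate(events):
        if selection_matches(ev, T1555_SELECTION):
            hits.append((i, "T1555"))
        if selection_matches(ev, T1055_SELECTION):
            hits.append((i, "T1055"))
    return hits
```

The third event shows the gap in the T1555 rule as written: its `Image` list is an allow-list of LOLBins, so a dropped stealer binary touching `Login Data` never matches; the hunt query later in the post takes the opposite approach and excludes known browsers instead.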
T1547 — Boot/Logon Autostart Execution
Persistence through registry run keys, startup folders, or scheduled tasks. Survives reboots, survives password changes.
T1497 — Virtualization/Sandbox Evasion
Jumped from #8 to #4. Malware checks for VM artifacts, sandbox processes, and now — mouse movement patterns.
T1071 — Application Layer Protocol (C2)
C2 traffic blended into normal HTTPS, routed through legitimate cloud services (AWS, Azure, even OpenAI endpoints). Traditional network monitoring sees nothing unusual.
The Ransomware Landscape: Who's Adapting
Qilin posted over 1,000 victims in 2025 — a 7x increase. Their model: steal data quietly, encrypt only as a last resort.
Cl0p continues large-scale supply chain exploitation. No encryption, no ransomware binary, just mass data theft through zero-days (MOVEit-style).
Akira targets hypervisor infrastructure. Encrypting the host means every VM dies — maximum leverage with minimal footprint.
SLSH (Scattered Spider/Lapsus$/ShinyHunters) runs extortion-as-a-service. Social engineering + insider recruitment replaces technical exploitation.
LockBit 5.0 regained operational capacity post-takedown. Resilience through distributed infrastructure.
73 new ransomware groups emerged in the second half of 2025 alone. The barrier to entry has never been lower.
Detection Strategy: Hunt the Parasite
If attackers are living silently in your network, you need to hunt them — not wait for alerts.
1. Credential Access Monitoring
```kql
DeviceFileEvents
| where FileName in ("Login Data", "Cookies", "Web Data")
| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath
```
2. Process Injection Detection
Monitor for:
- CreateRemoteThread from unusual parent processes
- Unexpected DLL loads in system processes
- Memory sections with RWX permissions in trusted processes
- NtMapViewOfSection cross-process calls
3. Persistence Baseline
Audit these weekly:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled tasks created by non-admin accounts
- WMI event subscriptions
- Startup folder changes
4. C2 Traffic Analysis
- Flag DNS-over-HTTPS to non-standard resolvers
- Monitor for beaconing patterns (regular interval callbacks)
- Alert on processes making HTTPS calls to cloud APIs that aren't part of your stack
- Inspect TLS certificate metadata for anomalies
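The "beaconing patterns" item above is the one that can be turned into a concrete hunt. The following is an added example, not from the report or the post, that groups constructed connection records by (host, destination) and flags pairs whose callback intervals are nearly constant (low coefficient of variation). The thresholds and the sample hosts and domains are assumptions to be tuned against local traffic.

```python
# Added example: regular-interval callback (beaconing) detection over
# constructed flow records. Thresholds are assumptions, not report values.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, source host, destination).
# ws-07 calls back every ~60 s with about one second of jitter;
# ws-12 is a user browsing normally at irregular times.
CONNECTIONS = [
    (1700000000 + 60 * i + (i % 3) - 1, "ws-07", "cdn-update.example.net") for i in range(12)
] + [
    (1700000005, "ws-12", "news.example.com"),
    (1700000017, "ws-12", "news.example.com"),
    (1700000200, "ws-12", "news.example.com"),
    (1700000215, "ws-12", "news.example.com"),
    (1700000600, "ws-12", "news.example.com"),
]

MIN_CALLBACKS = 8   # below this the interval statistic is not meaningful
MAX_JITTER = 0.10   # stdev/mean of the gaps; real users rarely stay this regular

def interval_stats(timestamps):
    """Mean gap and coefficient of variation of gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(connections=CONNECTIONS, min_callbacks=MIN_CALLBACKS, max_jitter=MAX_JITTER):
    """Return {(host, dest): (mean_interval_s, cv)} for pairs that look like beacons."""
    by_pair = defaultdict(list)
    for ts, host, dest in connections:
        by_pair[(host, dest)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_callbacks:
            continue          # too few callbacks to judge regularity
        m, cv = interval_stats(stamps)
        if cv <= max_jitter:
            beacons[pair] = (round(m, 1), round(cv, 3))
    return beacons
```

Implants that randomise their sleep ("jitter") push the coefficient of variation up, so in practice this check is paired with the other items in the list (unknown cloud destinations, certificate anomalies) rather than used alone.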
5. Data Exfiltration Indicators
- Large outbound transfers during off-hours
- Archive creation (7z, rar, zip) by non-user processes
- Cloud storage uploads from unexpected processes
- Staging directories with accumulated sensitive files
What CISOs Must Do Now
Assume breach. Your network may already have a parasite. Run a threat hunt, not just a vulnerability scan.
Prioritize identity controls. With 23.49% of attacks targeting credential stores, MFA everywhere is no longer optional — it's survival.
Deploy behavioral detection. Signature-based tools cannot catch process injection or living-off-the-land techniques. You need EDR with behavioral analytics.
Monitor trusted applications. C2 through legitimate services (AWS, Azure, cloud APIs) bypasses traditional network security. Implement application-aware monitoring.
Test your sandbox evasion resilience. If your sandbox moves the mouse in straight lines, LummaC2-style malware will never detonate. Upgrade to human-behavior-simulating sandboxes.
The Digital Parasite doesn't announce itself. It feeds quietly. By the time you notice the symptoms, it's been inside for months.
Need help finding parasites in your network? Request a free penetration test at theinsider-x.com — currently in open beta.
Sources: Picus Security Red Report 2026, CSO Online, The Hacker News, GuidePoint Security
MITRE ATT&CK References: T1555, T1055, T1547, T1497, T1071, T1078, T1041, T1486