Full Report
Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them? According to Picus Labs’ new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for
Analysis Summary
The article summary focuses on strategic shifts in modern cyberattacks as observed in the Picus Red Report 2026, rather than detailing specific new malware families or fully formed attack tools. The analysis highlights a pivot away from the "loud noise" of destructive ransomware toward "Digital Parasite" behavior: long-term, stealthy residency combined with identity exploitation.
# Tool/Technique: Shift from Encryption to Data Extortion/Long-Term Residency
## Overview
This describes the strategic shift observed in 2025 where threat actors are moving away from disruptive ransomware encryption as the primary attack objective. Instead, the focus is on establishing long-term, undetected access ("Digital Parasite" behavior) to quietly exfiltrate data and harvest credentials, monetizing through extortion threats rather than immediate system paralysis.
## Technical Details
- Type: Technique / Strategic Shift
- Platform: General (Implied Windows/Enterprise, given credential and identity focus)
- Capabilities: Stealth, persistence, data exfiltration, credential harvesting.
- First Seen: Strategic shift solidified in 2025 (based on Red Report 2026 findings).
## MITRE ATT&CK Mapping
The summary explicitly cites two TTPs related to the *observed behaviors*:
- **Impact:** Data Encrypted for Impact (T1486) has declined significantly.
- **Credential Access:** Credentials from Password Stores (T1555) is now a prevalent behavior.
Additionally, the general focus indicates high usage in:
- **Persistence Tactics:** Techniques focused on maintaining access.
- **Defense Evasion Tactics:** Techniques designed to avoid detection.
- **Command and Control Tactics:** Techniques favoring stealthy communication.
## Functionality
### Core Capabilities
- Quiet exfiltration of sensitive data.
- Harvesting of credentials and tokens.
- Maintaining embedded presence within environments for extended periods.
### Advanced Features
- Avoiding the noticeable impact of encryption to bypass traditional monitoring triggers.
- Leveraging valid credentials (often from password stores) to facilitate privilege escalation and lateral movement using native tooling.
## Indicators of Compromise
The report does not list specific IOCs for a single piece of malware, but rather points to **behavioral** indicators:
- File Hashes: N/A (Focus on behavior, not specific file samples)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on the *method* of access, not specific C2 infrastructure)
- Behavioral Indicators: Use of natively available administrative tooling post-credential acquisition; extended idle periods within the network; activity patterns consistent with data staging and exfiltration rather than immediate system destruction.
## Associated Threat Actors
Threat actors are generally shifting toward this model, though no specific groups are named in the snippet as sole users of this strategic pivot. This is presented as a sector-wide trend among sophisticated adversaries.
## Detection Methods
Detection must shift away from identifying encryption events:
- Signature-based detection: Less effective against low-noise, native-tool usage.
- Behavioral detection: Crucial focus on **time-extended persistence, anomalous credential usage, and data staging/exfiltration patterns**, rather than immediate system impact.
- YARA rules: N/A (No specific malware described)
## Mitigation Strategies
Mitigation must focus on stopping long-term residency and identity compromise:
- Prevention measures: Enhanced monitoring of credential access from password stores (T1555). Focus on monitoring native administrative tooling usage patterns.
- Hardening recommendations: Stronger identity hygiene; principles of least privilege; comprehensive monitoring for low-and-slow data movement.
## Related Tools/Techniques
- **Data Extortion (Non-encryption based):** The monetization model replacing direct ransomware impact.
- **Living off the Land (LOTL):** Heavily implied through the reliance on native administrative tooling after identity compromise.
---
# Tool/Technique: Credentials from Password Stores (T1555)
## Overview
The extraction of saved credentials directly from stores such as browsers, OS keychains, and password managers. This technique is identified as highly prevalent in 2025 attacks, serving as a primary control plane for adversaries seeking long-term access.
## Technical Details
- Type: Technique (Credential Access)
- Platform: Endpoints (Windows, macOS, potentially mobile platforms hosting password managers/browsers)
- Capabilities: Obtaining valid, often high-privilege, authentication material without needing to crack or dump hashes/keys directly.
- First Seen: Widely observed in 2025 (23.49% of attacks analyzed).
## MITRE ATT&CK Mapping
- **Credential Access**
- **T1555 - Credentials from Password Stores**
## Functionality
### Core Capabilities
- Directly harvesting stored credentials (usernames, passwords, tokens) found in application storage locations.
### Advanced Features
- Bypasses the need for noisier techniques such as credential dumping, giving access to already authenticated sessions or service accounts.
## Indicators of Compromise
Associated IOCs are highly environment-specific, but behavioral indicators dominate:
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Sudden legitimate-looking logins or process execution utilizing harvested credentials, often preceding lateral movement.
## Associated Threat Actors
Threat actors employing long-term residency and identity-focused strategies are utilizing this technique heavily.
## Detection Methods
Detection must target the access patterns of the credential extraction process:
- Signature-based detection: May be difficult if attackers use legitimate tools.
- Behavioral detection: Monitoring processes accessing credential store files or memory regions associated with password managers/browsers.
- YARA rules: N/A
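A constructed detection check for the behavioral method above, added here as an example and not taken from the report or from Picus: it scans file-access events (a constructed sample in the shape of EDR file-read telemetry) for processes other than the owning browser opening Chrome, Edge or Firefox credential stores, and counts how many distinct stores one process swept. The store path patterns and the expected-reader list are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed path patterns of common credential stores (assumption, not from the report).
CREDENTIAL_STORES = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
]
# Processes that legitimately open their own store; any other reader is suspect.
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass(frozen=True)
class FileAccessEvent:
    host: str
    user: str
    process: str
    target_path: str

def is_credential_store(path: str) -> bool:
    return any(p.search(path) for p in CREDENTIAL_STORES)

def suspicious_store_reads(events):
    """Events where a process other than the store's owner reads a store."""
    return [e for e in events
            if is_credential_store(e.target_path)
            and e.process.lower() not in EXPECTED_READERS]

def stores_per_reader(events) -> Counter:
    """Distinct stores touched per (host, process); a sweep across several is a stronger signal."""
    distinct = {(e.host, e.process.lower(), e.target_path.lower())
                for e in suspicious_store_reads(events)}
    return Counter((h, p) for h, p, _ in distinct)

# Constructed sample telemetry (not real data).
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FF = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\{}"
SAMPLE_EVENTS = [
    FileAccessEvent("ws01", "alice", "chrome.exe", CHROME),          # benign: owner reads own store
    FileAccessEvent("ws01", "alice", "powershell.exe", CHROME),      # suspect: foreign reader
    FileAccessEvent("ws01", "alice", "powershell.exe", FF.format("logins.json")),
    FileAccessEvent("ws01", "alice", "powershell.exe", FF.format("key4.db")),
    FileAccessEvent("ws02", "bob", "firefox.exe", FF.format("logins.json")),  # benign
]

if __name__ == "__main__":
    for e in suspicious_store_reads(SAMPLE_EVENTS):
        print(f"ALERT {e.host} {e.user} {e.process} -> {e.target_path}")
    print(stores_per_reader(SAMPLE_EVENTS))
```

In a real deployment the expected-reader set would also need to admit backup and browser-sync agents, or the rule will page on every legitimate profile backup.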
## Mitigation Strategies
- Prevention measures: Implement host-based credential protection; ensure strong application security policies for browsers and password managers.
- Hardening recommendations: Enforce MFA everywhere; regularly review and prune saved credentials on all user endpoints.
## Related Tools/Techniques
- Privilege Escalation (T1068): Often follows successful T1555 usage.
- Lateral Movement (T1021): Enabled by harvested credentials.