IT Brief UK - Technology news for CIOs & IT decision-makers

Hackers ditch noisy ransomware for stealthy data theft

Wed, 11th Feb 2026

Picus Security has published its annual Red Report, highlighting a shift in attacker behaviour away from overt disruption and towards stealthy access that can remain undetected for long periods. It found that 80% of the most common techniques observed were designed to stay hidden after initial access.

The study analysed more than 1.1 million unique files and 15.5 million malicious actions collected during 2025. Observed actions were mapped to the MITRE ATT&CK framework, a widely used taxonomy of adversary tactics and techniques.

A headline finding was a year-on-year decline in the ransomware technique known as "Data Encrypted for Impact". Use fell by 38%, suggesting attackers are changing how they extract value from compromised environments.

Instead of immediately locking files, the report describes a move towards quieter data theft followed by extortion. This reduces operational disruption that might trigger a rapid response, while still giving criminals leverage once sensitive data has been copied out.

Sandbox evasion

Techniques designed to avoid automated analysis also rose, including a sharp increase in virtualisation and sandbox evasion, which Picus ranked as the fourth most prevalent technique it tracked.

In these scenarios, malware checks whether it is running inside an analysis environment and then remains dormant rather than showing obvious malicious behaviour. This "play dead" approach can create a false sense of safety in security testing environments that rely on observing active execution.

The report also highlights what Picus describes as a first-of-its-kind observation: malware attempting to detect analysis by looking for signals of automation. Some strains calculate mouse movement angles and treat unnaturally precise movement as a sign of sandboxing.
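The mouse-movement heuristic described above cuts both ways: a sandbox operator can score their own simulated input with it to check that the cursor path does not look scripted. The following is an added illustration written for this article, not code from the Picus report; the angle-spread score, the threshold and the sample paths are assumptions chosen for the example.

```python
import math
import random
from typing import List, Tuple

Point = Tuple[float, float]


def segment_angles(path: List[Point]) -> List[float]:
    """Heading (radians) of each consecutive segment of a cursor path."""
    return [math.atan2(y2 - y1, x2 - x1)
            for (x1, y1), (x2, y2) in zip(path, path[1:])
            if (x1, y1) != (x2, y2)]


def turn_spread(path: List[Point]) -> float:
    """Standard deviation of the heading change between segments.
    A scripted straight-line move has near-zero spread; a hand-driven cursor wobbles."""
    angles = segment_angles(path)
    if len(angles) < 2:
        return 0.0
    turns = []
    for a, b in zip(angles, angles[1:]):
        d = b - a
        # wrap into (-pi, pi] so a small wobble across the +/-pi boundary stays small
        d = (d + math.pi) % (2 * math.pi) - math.pi
        turns.append(d)
    mean = sum(turns) / len(turns)
    return math.sqrt(sum((t - mean) ** 2 for t in turns) / len(turns))


def looks_scripted(path: List[Point], threshold: float = 0.05) -> bool:
    """Assumed threshold: below this spread the path is 'unnaturally precise'."""
    return turn_spread(path) < threshold


def linear_path(start: Point, end: Point, steps: int = 40) -> List[Point]:
    """Constructed sample: the kind of straight interpolated move a naive script makes."""
    (x1, y1), (x2, y2) = start, end
    return [(x1 + (x2 - x1) * i / steps, y1 + (y2 - y1) * i / steps)
            for i in range(steps + 1)]


def jittered_path(start: Point, end: Point, steps: int = 40,
                  wobble: float = 4.0, seed: int = 1) -> List[Point]:
    """Constructed sample: the same move with per-point Gaussian jitter added."""
    rng = random.Random(seed)
    return [(x + rng.gauss(0, wobble), y + rng.gauss(0, wobble))
            for x, y in linear_path(start, end, steps)]
```

Running `looks_scripted` over the two constructed paths shows the plain interpolated move is flagged while the jittered one is not, which is the property a sandbox's input simulation should satisfy before it is trusted to coax dormant samples into executing.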

Process injection

Process injection was the most prevalent technique for the third consecutive year, accounting for 30% of the activity tracked. It inserts malicious code into legitimate processes already running on endpoints, making detection harder when security tools rely on process reputation and expected behaviour.

The findings also point to a growing focus on identity theft and abuse of legitimate access. One in four observed attacks involved stealing saved passwords from browsers, enabling adversaries to sign in as valid users rather than relying solely on exploit chains or malware execution to maintain access.

This aligns with a broader industry pattern in which attackers aim to blend into normal administrative and user activity. With compromised credentials, they can use standard authentication paths and reduce unusual traffic that might otherwise raise alerts.

Trusted services

Another trend is routing command-and-control traffic through services with strong reputations and high volumes of legitimate use. Attackers were seen routing traffic through platforms such as OpenAI and AWS in an attempt to blend in with normal business network flows.

Security teams often whitelist or de-prioritise alerts involving widely used cloud services, especially when traffic is encrypted and resembles standard application behaviour. That can give adversaries more opportunity to maintain connectivity to compromised systems without triggering immediate investigation.

Hardware tactics

The report also draws attention to physical methods used by state-sponsored actors to bypass endpoint security agents. Operatives linked to North Korea were reported to be using physical IP-KVM devices to control laptop farms at the hardware level.

These devices can provide remote control regardless of the operating system state, making them attractive to attackers seeking to avoid the visibility and restrictions imposed by software-based monitoring tools.

Overall, the report frames these developments as part of a broader move towards long-term residency inside target networks. Once initial access is achieved, malware and operators prioritise stealth, evasion and persistence to extend dwell time and reduce the likelihood of discovery.

Dr. Süleyman Özarslan, co-founder and VP of Picus Labs, linked the shift away from encryption-heavy ransomware to improvements in resilience and recovery practices.

"We forced the adversary to evolve," said Özarslan. "As organizations mastered backups and resilience, the traditional business model collapsed. Attackers no longer need to lock your data to monetize it; they just need to steal it. This is why we see a 38% drop in encryption and a staggering 80% surge in evasion techniques."

Picus said the research was validated through real-world attack simulations across enterprise environments, warning that static assessments can leave blind spots when adversaries invest in quiet techniques that avoid immediate detection.

As attackers rely more heavily on evasion, identity abuse and misuse of trusted systems, the report points to an ongoing arms race over visibility. Organisations will need to keep testing their controls against common techniques as attacker tradecraft continues to shift.