ZDNET key takeaways
- Picus Labs has released a report that ranks MITRE ATT&CK techniques.
- According to the report, ransomware encryption is on the decline.
- Moving up the ranks is malware that plays dormant until it's ready to strike.
In its annual Red Report, a body of research that analyzes real-world attacker techniques using large-scale attack simulation data, Picus Labs warns cybersecurity professionals that threat actors are rapidly shifting away from ransomware encryption to parasitic "sleeperware" extortion as their means to loot organizations for millions of dollars per attack.
Taking the adversary's perspective
Released today and now in its sixth year, the 278-page Red Report gets its name from Picus-organized cybersecurity exercises that take the perspective of the attacker's team, otherwise known as the "red team."
The name harkens back to war games and other simulated military exercises where the so-called red team plays the role of an adversary while the blue team defends. The report takes the adversary's perspective via the MITRE ATT&CK framework, a constantly updated catalog of unique techniques that real-world threat actors use to execute their attacks.
For example, when a threat actor encrypts an organization's systems -- essentially freezing the organization out of its own information technology until a ransom is paid -- the unique MITRE ATT&CK Technique ID that describes that attack is T1486.
Based on its analysis of more than 1 million malicious files and 15 million adversarial actions observed in 2025, Picus Labs ranks how heavily threat actors rely on the different MITRE ATT&CK techniques and then notes how those techniques are trending up or down compared to previous years.
According to Picus Labs, 2025 was marked by a "massive surge" in an incredibly patient form of malware that, through a combination of techniques, can essentially play dead, evading detection, and striking only when the right opportunities present themselves. Meanwhile, as a preferred threat actor technique, that surge in ranking came at the expense of ransomware encryption.
Shifting from encryption to extortion
"For the past decade, the primary concern for CISOs was business interruption caused by ransomware. In 2026, the risk profile has inverted," noted the report.
"The data shows a massive statistical decline in the deployment of ransomware payloads. In 2025, Data Encrypted for Impact (T1486) [aka ransomware encryption] appeared in 21.00% of samples; in 2026, it plummeted to 12.94%. This represents a 38% relative decrease. This sharp drop-off provides concrete evidence that threat actors are shifting their business model away from 'locking data' (encryption) toward 'stealing data' (extortion) to keep the host alive for long-term exploitation."
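As an added illustration of the prevalence ranking and year-over-year trend the report describes (this is not code from Picus Labs or the Red Report, and the per-sample technique sets are constructed), the following Python computes how often each ATT&CK technique ID appears across analysed samples, ranks the techniques, and reports the relative change, the same arithmetic that turns 21.00% and 12.94% into a 38% relative decrease:

```python
from collections import Counter

# Constructed sample data, not the Red Report's corpus: each entry is the set of
# ATT&CK technique IDs observed in one analysed malware sample for that year.
SAMPLES_2025 = [
    {"T1055", "T1059", "T1486"},
    {"T1055", "T1555", "T1486"},
    {"T1059", "T1497"},
    {"T1055", "T1059", "T1555"},
]
SAMPLES_2026 = [
    {"T1055", "T1059", "T1497"},
    {"T1055", "T1555", "T1497"},
    {"T1055", "T1059", "T1497", "T1486"},
    {"T1059", "T1555"},
]

def prevalence(samples):
    """Fraction of samples (0..1) in which each technique appears at least once."""
    counts = Counter(t for techniques in samples for t in techniques)
    return {t: c / len(samples) for t, c in counts.items()}

def ranking(prev):
    """Technique IDs ordered by prevalence, most common first; ties broken by ID."""
    return sorted(prev, key=lambda t: (-prev[t], t))

def relative_change(old, new):
    """Relative change between two prevalence figures; -0.38 means a 38% drop."""
    return (new - old) / old

def trend_report(old_samples, new_samples):
    """Per technique: rank and prevalence in each year plus the relative change.
    Rank and change are None when the technique is absent from one of the years."""
    old, new = prevalence(old_samples), prevalence(new_samples)
    old_rank = {t: i + 1 for i, t in enumerate(ranking(old))}
    new_rank = {t: i + 1 for i, t in enumerate(ranking(new))}
    report = {}
    for t in sorted(set(old) | set(new)):
        seen_in_both = t in old and t in new
        report[t] = {
            "old_rank": old_rank.get(t), "new_rank": new_rank.get(t),
            "old_prev": old.get(t, 0.0), "new_prev": new.get(t, 0.0),
            "change": relative_change(old[t], new[t]) if seen_in_both else None,
        }
    return report

for technique, row in trend_report(SAMPLES_2025, SAMPLES_2026).items():
    print(technique, row)
```

On the constructed data, T1497 climbs from fifth to third while T1486 falls from third to fifth, mirroring the shape of the report's findings without using its figures.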
The report also said that "the dominance of Process Injection (T1055) signals that attackers are prioritizing dwell time over destruction. The goal is no longer to crash your systems, steal and get out, but to break in and inhabit them unnoticed."
According to the report, the top three MITRE ATT&CK techniques remained unchanged from 2024, with Process Injection ranking first, ahead of Command and Scripting Interpreter (T1059) and Credentials from Password Stores (T1555). However, perhaps the most notable change in the rankings was the surge of Virtualization/Sandbox Evasion (T1497) into the fourth position.
The rise of the digital parasite
"Virtualization and Sandbox Evasion (T1497) rose to the fourth-ranked ATT&CK technique as context-aware malware learns to detect analysis environments (e.g., sandboxes) through artifact checks, timing, and user activity patterns," said the report.
"Many samples will now refuse to execute when watched. Files can pass automated gateways and only activate in production, creating a dangerous false sense of safety."
"What we're observing is the rise of the digital parasite," said Picus Labs co-founder and VP Dr. Süleyman Özarslan in a prepared release.
"Attackers have realized it is more profitable to inhabit the host than to destroy it. They are embedding themselves inside environments, using trusted identities and even physical hardware to feed on access while staying operationally invisible. If your security relies on spotting a 'break-in,' you've already lost, because they are already logged in."
Özarslan told ZDNET: "In many cases, attackers use stolen credentials to log in like a normal user, which lets them slip past security controls. The next thing they do is move into places that account can already reach -- email, shared drives, cloud apps, HR, or business systems -- without setting off alarms because nothing looks unusual.
"Instead of grabbing everything at once, they tend to take small amounts of valuable data over time and stay quiet. Once they have enough, they come back with proof of what they accessed -- specific files, records, or samples -- and use the threat of exposing that data as leverage. Encrypting systems can still happen, but it's often no longer the first step."
The Red Report's findings align with the 2026 predictions from other cybersecurity researchers. As noted in ZDNET's top 10 anticipated cybersecurity threats for 2026, researchers expect an evolution from ransomware encryption to more sophisticated forms of extortion.
"Instead of just encrypting systems, ransomware will shift towards greater dynamics in stealing, manipulating, and threatening to leak or alter sensitive data, targeting backups, cloud services, and supply chains," said NCC Group director Nigel Gibbons.
The report offers a detailed set of recommendations for cybersecurity professionals to follow to best protect against this parasitic sleeperware and other high-ranking threats.
Even though ransomware encryption dropped from sixth to tenth in the rankings, it is still a significant threat. As noted in ZDNET's aforementioned top 10 report, research from Cybersecurity Ventures predicts the global total cost of ransomware damage to increase by 30%, from $57 billion in 2025 to $74 billion in 2026.
According to the Red Report, "Even with the decline of encryption, backups remain critical for recovery from destructive wiper attacks. Ensure backups are immutable and isolated from the main network." The Red Report is available for download from Picus Labs' website.