The Quiet Threat: Why Ransomware and Infostealers Are Succeeding Where Encryption Fails
Ransomware operators and infostealers are adapting their tactics more swiftly than enterprises can recalibrate their defenses. Even substantial investments in ransomware resilience—primarily in backups and recovery—are increasingly failing to prevent tangible damage. According to the Picus Security Blue Report 2025, the most devastating incidents are no longer always tied to encryption: adversaries are shifting to “quiet” tactics—credential theft, covert data exfiltration, and rapid lateral movement across networks, all while remaining undetected for as long as possible.
The numbers underscore the alarm. The proportion of prevented exfiltration attempts has plummeted to just 3%, the lowest level ever recorded, even as instances of double extortion continue to climb. Password guessing and brute force succeeded in 46% of tested environments, nearly double the rate of 2024. Use of valid accounts (MITRE ATT&CK T1078) proved successful in 98% of cases, highlighting just how easily stolen or weak credentials bypass existing barriers.
The success of these “silent” operations stems from an imbalance in visibility. Organizations have become adept at filtering inbound threats—malicious attachments, phishing emails, and loaders—yet remain far less capable of tracking outbound traffic and subtle data flows. The report identifies three principal shortcomings: inadequate outbound monitoring, poorly enforced DLP policies, and limited behavioral analytics. Against this backdrop, modern infostealers have long since outgrown the label of “opportunists” scraping browser passwords. They now operate as persistent, highly targeted tools within sophisticated campaigns—blending with legitimate access, dissolving into normal network noise, and siphoning data for days or weeks without triggering a single alarm.
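The three shortcomings above share one root cause: nobody is asking what "normal" outbound volume looks like for each host. The following is an added example, not code from the Blue Report or from the article, showing the minimal form of that check. It assumes a constructed flow-log format (`date,src_host,dst_ip,bytes_out`), a constructed destination allowlist, and constructed sample records in which one workstation behaves normally for four days and then sends an unusually large volume to an unfamiliar address. The host names and IP addresses are placeholders.

```python
"""Added example (not from the Blue Report or the article): a per-host
outbound-volume baseline check over constructed flow-log lines.

Flow records are assumed to be CSV lines of the form
    date,src_host,dst_ip,bytes_out
(a constructed format, not any vendor's). The detector builds a per-host
baseline from earlier days and flags a day whose outbound volume to
destinations outside an allowlist exceeds both an absolute floor and a
multiple of the host's median daily volume.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: ws-017 is quiet for four days, then pushes far more
# data than usual to 192.0.2.77; ws-042 only talks to the allowlisted host.
SAMPLE_FLOWS = """\
2025-09-01,ws-017,203.0.113.10,52000000
2025-09-01,ws-017,198.51.100.25,4000000
2025-09-02,ws-017,203.0.113.10,48000000
2025-09-02,ws-017,198.51.100.25,5000000
2025-09-03,ws-017,203.0.113.10,50000000
2025-09-04,ws-017,203.0.113.10,47000000
2025-09-05,ws-017,203.0.113.10,49000000
2025-09-05,ws-017,192.0.2.77,410000000
2025-09-01,ws-042,203.0.113.10,30000000
2025-09-02,ws-042,203.0.113.10,31000000
2025-09-03,ws-042,203.0.113.10,29000000
2025-09-04,ws-042,203.0.113.10,33000000
2025-09-05,ws-042,203.0.113.10,30000000
"""

# Destinations the organisation knowingly sends bulk data to (constructed).
ALLOWLIST = {"203.0.113.10"}


def parse_flows(text):
    """Parse flow lines into (date, host, dst, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, dst, nbytes = line.split(",")
        records.append((date, host, dst, int(nbytes)))
    return records


def daily_egress(records, allowlist=ALLOWLIST):
    """Sum bytes per (host, date) to destinations not on the allowlist.

    A day on which the host was seen but sent nothing outside the allowlist
    is recorded as 0, so quiet days pull the baseline down instead of
    silently disappearing from it."""
    totals = defaultdict(dict)
    for date, host, dst, nbytes in records:
        totals[host].setdefault(date, 0)
        if dst not in allowlist:
            totals[host][date] += nbytes
    return totals


def find_egress_anomalies(records, ratio=5.0, floor_bytes=100_000_000,
                          min_history=3):
    """Return (host, date, bytes, baseline) for each day whose non-allowlisted
    egress exceeds `floor_bytes` and `ratio` x the host's median over the
    earlier days. A host with fewer than `min_history` earlier days is judged
    against the floor alone (baseline None), so a brand-new or freshly
    re-imaged host cannot hide behind an empty history."""
    alerts = []
    for host, per_day in daily_egress(records).items():
        dates = sorted(per_day)
        for i, date in enumerate(dates):
            today = per_day[date]
            if today < floor_bytes:
                continue
            history = [per_day[d] for d in dates[:i]]
            if len(history) < min_history:
                alerts.append((host, date, today, None))
                continue
            baseline = median(history)
            if today > ratio * baseline:
                alerts.append((host, date, today, baseline))
    return alerts


if __name__ == "__main__":
    for host, date, nbytes, baseline in find_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"{date} {host}: {nbytes} bytes outbound (baseline median {baseline})")
```

The absolute floor keeps a host that goes from 1 KB to 10 KB from paging anyone, while the ratio keeps a host that routinely uploads backups from being flagged for doing so again. Running the sample flags only `ws-017` on 2025-09-05, with a median baseline of 2,000,000 bytes against 410,000,000 sent. A production version would add per-destination rarity (first contact with an address is itself a signal) and a time-of-day dimension, but even this form answers the question the report says most organisations cannot: how much data left, from where, and was that usual.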
The evolution of ransomware places greater emphasis on pressure over encryption, rendering reliable backups no longer the silver bullet they once seemed. Criminals need no decryptor when they possess troves of stolen documents ready for publication. Tellingly, prevention rates in the Blue Report remain dismally low for several major families: BlackByte at 26%, BabLock at 34%, and Maori at 41%. Their success is not explained by backup strategy gaps but by defenders’ inability to consistently block credential theft, lateral movement, and exfiltration along the way. Even flawless recovery cannot undo the damage once sensitive data has already leaked.
The blunt conclusion of this year's report is unsettling: infostealers thrive, ransomware grows stealthier, and exfiltration too often proceeds unchallenged. Reliance on assumptions, static rules, and outdated detection logic creates a dangerously false picture of risk. Experts urge defenders to ground their strategies in empirical evidence, and to stress-test their defenses in adversary simulations before real adversaries inevitably do so themselves.