Ransomware sometimes remains inactive until conditions are ideal. This “dormant” phase avoids detection by antivirus software. Once triggered—by date, network, or user action—it activates, encrypting files rapidly. This strategy increases success and avoids early exposure. Dormancy complicates investigation and response.
It matters because attacks may strike long after infection. Detection requires proactive monitoring.
It also challenges forensic investigations and legal recourse.
Some ransomware can remain inactive for months before activating.
[McAfee, mcafee.com]