Quick Hits

  • Sleeping malware is implanted long before it acts, which makes it difficult for organisations to establish when and how the intrusion began; it often remains undetected until the attack is already under way and too late to prevent.
  • Attacks can result in business disruption, loss of personal data, and reputational damage.
  • Organisations cannot entirely eliminate risk, but they can take precautions to reduce exposure and increase the likelihood of early detection and effective response.

Sleeping malware, such as Warp Panda and Brickstorm, is typically introduced through subtle means, for instance phishing emails, supply chain compromise, infected removable media, or compromised websites that serve malware. Once implanted in the organisation's systems, it establishes persistence so that it survives system reboots and routine maintenance. It then lies dormant to avoid detection, often by abusing native system tools and legitimate administrative functions rather than exhibiting the characteristics that security tooling associates with malicious software. As a result it can remain in place for long periods, in some cases two or more years, before an attack occurs.

Extended dormancy raises significant legal questions, including when breach notification obligations are triggered, whether cyber insurance policies with retroactive date limitations will respond, and the extent of regulatory exposure for the period during which the malware was present but undetected. While dormant in the sense that it causes no visible disruption, the malware is often collecting information, including personal data and confidential business information, and probing the environment for weaknesses such as gaps in security controls and unpatched systems, while it waits for an activation date or command.

Activation is frequently timed to coincide with periods of peak distraction or reduced staffing in order to maximise impact, such as public holidays, bank holidays, or pre-planned maintenance downtime. For an organisation, the consequences can be serious: service outages, data breaches, destruction of data, and reputational damage.

Many organisations already implement a range of technical measures to protect against attacks, such as sandboxing, multifactor authentication, penetration testing, firewalls, and vulnerability management. However, these controls are largely designed to stop an intrusion at the point of entry, and malware that is already inside and behaving like legitimate administrative activity may pass them. Identifying sleeping malware typically requires further investment in capabilities such as endpoint detection and response, monitoring of network traffic and administrative activity, and retention of logs for long enough to cover a dwell time that may run to years.

Commonly, an organisation's third-party service providers are the first to detect irregularities. These may include suspicious update requests, unexpected changes to code or configuration, or unusual service activity. Such findings can trigger notifications and investigations that reveal sleeping malware, and containment may require systems to be taken offline for a period to be rebuilt or reset, with a corresponding impact on business operations.

To mitigate the risks from sleeping malware, organisations may consider measures such as:

  • Regularly reviewing technical measures that secure systems and implementing up-to-date and proportionate improvements, such as restricting system access to what each user and service actually needs and segmenting IT networks to limit the malware's ability to move between systems
  • Undertaking due diligence of the third-party service providers relied on to deliver services, including how they would detect and report suspicious activity affecting the organisation
  • Establishing a cyber incident response plan and undertaking simulations
  • Providing regular staff training on phishing attacks and awareness of security threats
  • Providing clarity on how staff will manage communications regarding cyber incidents
  • Considering procuring cyber insurance, paying particular attention to retroactive date provisions and whether the policy responds to threats that were implanted before the policy period but discovered during it
  • Complying with applicable data protection laws and remaining current with legal timeframes for communicating cyber incidents to relevant authorities and individuals

More information on cybersecurity risks and prevention can be found in our previous articles: “Healthcare Employers Must Be Vigilant in 2026 Against More Sophisticated Cyberattacks,” and our “Cybersecurity Awareness Month” series.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.

Nicola McCrudden is of counsel in the London office of Ogletree Deakins.

Benjamin W. Perry is a shareholder in the Nashville office of Ogletree Deakins, and he is co-chair of the firm’s Cybersecurity and Privacy Practice Group.

Lorraine Matthews, a data privacy and cybersecurity practice assistant in the London office of Ogletree Deakins, contributed to this article.
