How ZeroTrust platforms like ThreatLocker are needed to fight against polymorphic malware

30 Jun 2026, by Micron21

When it comes to keeping the bad guys out of your systems, the tools we rely on have had to change considerably over the years. For a long time, the job of protecting an endpoint - which is any device that connects to and exchanges information over a network, such as staff computers, phones, servers, and the like - fell largely to antivirus software. And for a while, that was enough. But as we've covered in previous blog articles, the methods that malicious actors use have evolved, to the point where some of the old approaches simply can't keep up anymore!

That's why in this month's blog article we'll be taking a look at a different way of thinking about endpoint security entirely - one built around the principle of "Zero Trust" - and the tool we'll be focusing on to explore this will be ThreatLocker.  Rather than trying to spot and block what's bad, this approach flips the problem on its head: it assumes that nothing should be allowed to run unless you've explicitly said that it can.  So it's more of a black-and-white way of doing things, and it's the approach that more and more organisations are now choosing to adopt.

A quick history - from known-bad signatures to watching behaviour

To understand why so many organisations are making this shift, it helps to briefly recap how we got here.

The earliest and most familiar approach to stopping malware was "signature-based" detection.  At its most basic, a "virus signature" is a unique fingerprint - usually a "hash", which is a short value computed from a sample of known-bad code.  Your antivirus would keep a database of these signatures, synchronising regularly with the vendor's servers to stay up to date, and then compare anything it encountered against that list.  If a file matched a known-bad signature, it was flagged, quarantined, or removed.  This approach was simple, efficient, and for the threats of the day, reasonably effective too!

However, the problem with this method is that it only works against malware that someone has already seen, analysed, and written a signature for.  As soon as a new variant appears that nobody has catalogued yet, it sails straight through!  And as we covered in our article "With 80% of malware evading antivirus applications, signature-based protection isn't enough anymore", that gap is far larger than most people realise.

So in response, security vendors moved towards "behaviour-based" detection.  Instead of looking at what a piece of code is (inspecting it for known-bad snippets), this approach looks at what it does.  By monitoring an application's behaviour and flagging anything that looks unusual or out of the ordinary, these solutions can potentially catch brand-new threats that have never been seen before.  It's a smarter approach, and an increasingly necessary one, particularly because AI tools can now generate almost infinite unique variations of malicious code - which makes trying to block things based on their code alone a losing battle.  Behavioural approaches also have the advantage of being able to detect "in-memory" or "fileless" attacks - which run entirely within a computer's memory and never write anything to disk for a traditional scanner to find.

But even this behaviour-based detection approach isn't infallible.  It's still fundamentally a game of judgement - of deciding whether something looks malicious enough to act on - and a sufficiently clever or unusual attack can slip through that judgement.  This brings us to a different way of solving the problem altogether!  Rather than trying to identify and block what's bad, you instead presume that all software is potentially dangerous unless you've specifically allowed it.  This is the principle known as "allowlisting", and it's the foundation of the "Zero Trust" approach.

The tool we'll be looking at in this month's article is ThreatLocker because it is squarely built around this idea.  Its motto sums up the philosophy neatly: "Allow what you need. Block everything else by default."

What is ThreatLocker?

ThreatLocker is a Zero Trust endpoint protection platform.  It was founded in 2017 by Danny Jenkins, Sami Jenkins, and John Carolan, reportedly off the back of Danny's own experience with a damaging phishing attack that exposed the limitations of reactive security tools.  It now protects over 70,000 organisations worldwide [1].  Rather than being a single feature, it's a collection of controls that work together - but the core heart of it is its application allowlisting.

The idea behind allowlisting is a genuine change in approach compared to the traditional way of doing things.  Traditionally, security software operated on a "default-allow" basis, whereby software was free to run unless something specifically flagged it as bad.  Allowlisting inverts that completely!  Under a "default-deny" model, nothing is permitted to run on your endpoints unless it has been explicitly approved!  This means no application, no script, no library!  If it isn't on the list, it doesn't run!  This single change in thinking closes the door on entire categories of threats, because brand-new and never-before-seen malware can't execute, simply by virtue of not being on the approved list.
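The difference between the signature-based scanning described earlier and the default-deny model is easiest to see side by side. The following is an added illustration, not code from this article or from ThreatLocker: the "executables" are constructed byte strings, the denylist holds one known-bad hash, the allowlist is seeded the way a learning mode would seed it (from what was observed running), and a one-byte mutation of the known-bad sample stands in for what a polymorphic engine does on every infection. Real products use richer identifiers than a bare file hash (publisher certificate, path, process tree), but the decision logic contrasted here is the same.

```python
"""Hash-signature denylist (default-allow) next to a hash allowlist (default-deny).

Added example: the sample 'executables' below are constructed byte strings,
not real binaries or malware. The decision functions are hypothetical
illustrations of the two models, not any vendor's implementation.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """The 'fingerprint' a signature database or an allowlist stores."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples standing in for real files on an endpoint.
APPROVED_APP = b"MZ\x90\x00 payroll-app v1.2 (constructed)"
KNOWN_BAD = b"MZ\x90\x00 catalogued dropper sample (constructed)"
# One appended byte: behaviour unchanged, fingerprint completely different.
# This is the effect a polymorphic engine produces on every infection.
MUTATED_BAD = KNOWN_BAD + b"\x00"
UNSEEN_APP = b"MZ\x90\x00 tool nobody has catalogued yet (constructed)"


def signature_scan(sample: bytes, denylist: set[str]) -> str:
    """Signature-based antivirus: block only what matches a known-bad hash."""
    return "blocked" if sha256_hex(sample) in denylist else "allowed"


def allowlist_check(sample: bytes, allowlist: set[str]) -> str:
    """Allowlisting: run only what matches an explicitly approved hash."""
    return "allowed" if sha256_hex(sample) in allowlist else "blocked"


def learn_allowlist(observed: list[bytes]) -> set[str]:
    """Learning-mode analogue: seed the allowlist from what is already running.

    Everything observed during the learning window becomes approved, so that
    window should be reviewed before enforcement rather than trusted blindly.
    """
    return {sha256_hex(sample) for sample in observed}


DENYLIST = {sha256_hex(KNOWN_BAD)}           # the vendor's known-bad signatures
ALLOWLIST = learn_allowlist([APPROVED_APP])   # built from the learning window


def compare(sample: bytes) -> dict[str, str]:
    """Outcome of both models for one sample."""
    return {
        "signature": signature_scan(sample, DENYLIST),
        "allowlist": allowlist_check(sample, ALLOWLIST),
    }


if __name__ == "__main__":
    for name, sample in [("approved app", APPROVED_APP), ("known-bad", KNOWN_BAD),
                         ("mutated known-bad", MUTATED_BAD), ("unseen tool", UNSEEN_APP)]:
        print(f"{name:18} {compare(sample)}")
```

Running it shows the asymmetry the article describes: the mutated sample and the never-catalogued tool both sail past the signature scan, because nobody has written a signature for them, while the allowlist blocks both without needing to know anything about them. The cost is equally visible: the legitimate tool that was not running during the learning window is blocked too, which is why the approval workflow matters as much as the deny-by-default rule.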

Of course, the obvious concern is that this sounds like an enormous amount of work to set up and maintain.  However, ThreatLocker addresses this with a "Learning Mode" that watches what's already running in your environment (including custom applications) and helps build the initial set of policies for you, with streamlined approval workflows and a large catalogue of recognised applications to draw from.  Approvals can then be handled centrally, so that when a staff member needs a new piece of software, there's a clear pathway to request and authorise it.

Allowlisting is only the first layer. ThreatLocker also restricts what approved applications are allowed to do, and what they're allowed to reach:

  • Ringfencing defines exactly how an application is permitted to behave.  Historically, once an application was running, it generally had access to everything the logged-in user did - it could touch your files, your registry, the network, and other applications, all without question.  Ringfencing changes this by boxing each application into only what it legitimately needs.  The classic example is stopping Microsoft Word from being able to launch PowerShell - a perfectly trusted pair of applications individually, but a combination frequently abused in attacks.  By breaking these chains, Ringfencing limits the damage even when a trusted application is compromised or exploited.
  • Storage Control governs access to your data and storage devices, whether it's a local folder, a network share, or external media like USB drives.  Policies can be as broad as blocking USB storage entirely, or as specific as ensuring your backup share can only ever be accessed by your backup application and nothing else.
  • Network Control acts as a firewall for your endpoints and servers, letting you define precisely what each device is allowed to communicate with - limiting an application's reach, even on an otherwise trusted device.
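To make the three controls above concrete, here is an added example of a small default-deny policy engine that evaluates constructed endpoint events. It is illustration only, not ThreatLocker's code or configuration format: the `Ringfence` data class, the `POLICY`, `PROTECTED` and `REMOVABLE` tables, the event dictionaries and the drive letter and share names are all invented for this example. It applies the article's four checks in order (is the application approved at all; may it launch that child process; may it touch that storage location; may it reach that network destination) and runs the Word-to-PowerShell chain the article uses as its classic case.

```python
"""Default-deny policy engine with ringfencing, storage and network control.

Added example with a constructed data model and constructed events. The
vocabulary follows the article; the structures and rules are invented here
for illustration and are not ThreatLocker's configuration format.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Ringfence:
    may_launch: frozenset = frozenset()   # child processes this app may start
    storage: tuple = ()                   # path prefixes this app may touch
    network: tuple = ()                   # CIDRs this app may talk to


# Application allowlist: anything not listed here is denied outright.
POLICY = {
    "explorer.exe": Ringfence(may_launch=frozenset({"winword.exe", "powershell.exe"}),
                              storage=("c:\\users\\", "\\\\nas\\shared\\")),
    "winword.exe": Ringfence(storage=("c:\\users\\", "\\\\nas\\shared\\"),
                             network=("10.0.0.0/8",)),        # no child processes at all
    "powershell.exe": Ringfence(storage=("c:\\",), network=("10.0.0.0/8",)),
    "backup-agent.exe": Ringfence(storage=("c:\\", "\\\\nas\\backups\\"),
                                  network=("10.0.5.0/24",)),
}

# Storage Control: a protected location and the only apps allowed to reach it.
PROTECTED = {"\\\\nas\\backups\\": frozenset({"backup-agent.exe"})}
# Removable media blocked for everyone (the drive letter is a constructed stand-in).
REMOVABLE = ("e:\\",)


def evaluate(event: dict) -> tuple[str, str]:
    """Return (decision, reason) for one constructed endpoint event."""
    app = event["app"].lower()
    fence = POLICY.get(app)
    if fence is None:
        return "deny", f"allowlist: {app} is not approved"
    kind, target = event["action"], event["target"].lower()
    if kind == "spawn":
        if target in fence.may_launch:
            return "allow", f"ringfence: {app} may launch {target}"
        return "deny", f"ringfence: {app} may not launch {target}"
    if kind == "file":
        if target.startswith(REMOVABLE):
            return "deny", "storage control: removable media blocked"
        for location, owners in PROTECTED.items():
            if target.startswith(location) and app not in owners:
                return "deny", f"storage control: {location} reserved for {sorted(owners)}"
        if target.startswith(fence.storage):
            return "allow", "storage control: path within fence"
        return "deny", f"storage control: {app} has no access to {target}"
    if kind == "network":
        host = ipaddress.ip_address(target.rsplit(":", 1)[0])
        if any(host in ipaddress.ip_network(cidr) for cidr in fence.network):
            return "allow", "network control: destination permitted"
        return "deny", f"network control: {app} may not reach {target}"
    return "deny", f"unknown action {kind!r}"


def run_chain(events: list[dict]) -> list[str]:
    """Evaluate a sequence of events; the first denied step ends the chain."""
    outcomes = []
    for event in events:
        decision, reason = evaluate(event)
        outcomes.append(f"{decision}: {reason}")
        if decision == "deny":
            break
    return outcomes


# Constructed chain: a document is opened, its macro tries to launch PowerShell,
# which would then reach an external host and touch the backup share.
MACRO_CHAIN = [
    {"app": "explorer.exe", "action": "spawn", "target": "winword.exe"},
    {"app": "winword.exe", "action": "file", "target": "C:\\Users\\alice\\invoice.docx"},
    {"app": "winword.exe", "action": "spawn", "target": "powershell.exe"},
    {"app": "powershell.exe", "action": "network", "target": "203.0.113.10:443"},
    {"app": "powershell.exe", "action": "file", "target": "\\\\nas\\backups\\monday.vbk"},
]

if __name__ == "__main__":
    for line in run_chain(MACRO_CHAIN):
        print(line)
```

The chain stops at the third step: Word is an approved application and may read the user's document, but its ringfence lists no child processes, so the attempt to launch PowerShell is denied and the later network and backup-share steps never happen. Even if that link had been allowed, the backup share is reserved for the backup agent and the external address is outside PowerShell's permitted range, which is the layered effect the article describes.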

On top of all of this, ThreatLocker also includes EDR (Endpoint Detection and Response) capabilities.  As we’ve discussed in the article linked above, EDR has become a necessary replacement for the older antivirus approaches.  And having it built into the same platform means that should something ever slip past the preventative controls, you still have monitoring and response capabilities watching endpoint behaviour as a last line of defence.

What does Zero Trust protect you from?

A Zero Trust platform of this kind protects against a broad range of threats, but a few of the big ones are worth singling out here: ransomware, lateral movement and data exfiltration, as well as the unknown malware - including polymorphic malware - that increasingly powers all three!

The rise of polymorphic malware

"Polymorphic" malware is malware that's able to continuously change its identifiable features in order to evade detection - so very much like its biological namesake, it mutates!  While AI has thrust it into the spotlight recently, the technique is far from new.  The first known polymorphic virus, dubbed "1260" (also known as the Chameleon family), was written back in 1990 by Mark Washburn, who derived it from the earlier Vienna virus [2].  What made it remarkable for its time was that the virus encrypted itself and varied its decryption routine with every single infection - meaning no two copies looked quite the same, and the signature-based scanners of the day were rendered largely useless against it.

What's changed dramatically since then is the scale at which this can be done.  Where once creating polymorphic malware took real skill and effort, AI tools in the hands of malicious actors have made generating endless unique variations almost trivial.  A widely cited proof-of-concept developed by researchers at HYAS Labs and called "BlackMamba" demonstrated this starkly.  It used a large language model to rewrite its own malicious keylogging code on the fly, every time it ran, keeping the malicious portion entirely in memory.  When tested against a leading EDR solution, it reportedly generated no alerts or detections whatsoever [3].  Unfortunately, when malware can rewrite itself afresh on every execution, any defence that depends on recognising what the code looks like is fighting a battle it cannot win.

The escalating threat of ransomware

If polymorphic malware is the delivery mechanism that's hardest to spot, ransomware is one of the most damaging things it can deliver.  And the figures here are genuinely sobering.  According to GuidePoint Security, ransomware activity surged roughly 58% year-on-year in 2025, with over 7,500 victim organisations named on dark web leak sites - up from around 4,750 the year before [4].  Cybersecurity Ventures, meanwhile, estimates global ransomware damage costs reached around $57 billion in 2025, and projects that this figure will climb to a staggering $275 billion annually by 2031 [5].

It's also a mistake to assume this is only a big-business problem.  Verizon's research has found that ransomware was involved in 88% of breaches at small and medium-sized businesses - a far higher proportion than at large enterprises - making it very much a threat that organisations of every size need to take seriously [6].

How attacks spread - lateral movement

What makes ransomware so devastating is rarely the initial foothold itself - it's what happens next.  Once an attacker gains access to a single machine, they rarely stop there.  Instead, they engage in "lateral movement", quietly spreading from system to system across the network, escalating privileges and mapping out what's worth taking or encrypting as they go.  Attackers frequently "live off the land" during this stage, abusing legitimate, trusted tools already present on the system.  PowerShell is a particular favourite - simply because using built-in tools is far less likely to trip an alarm than introducing obvious malware.  In fact, ThreatLocker notes that over 73% of ransomware attacks make use of PowerShell as part of their attack chain [7].

This "dwell" time matters enormously.  Attackers often spend days inside a network before triggering the final payload, using that window to position themselves for maximum impact - and critically, to seek out and compromise your backups before they strike.

How ThreatLocker helps protect you against those threats

Having laid out the threats, it's worth walking through how a Zero Trust approach addresses each of them.

Against Unknown and Polymorphic Malware: Allowlisting is remarkably effective precisely because it doesn't care what the malware looks like.  It doesn't matter whether a piece of malicious code is brand new, has rewritten itself a thousand times over, or has been crafted by an AI to be utterly unique - if it isn't on the approved list, it simply isn't permitted to execute. This sidesteps the entire cat-and-mouse game of detection. You're no longer trying to recognise every possible bad thing - you are only allowing the small, known set of good things.

Against Lateral Movement and "Living Off The Land" Attacks: Ringfencing does the heavy lifting.  By preventing trusted applications from interacting in ways they have no legitimate reason to - such as stopping Word from calling PowerShell - it cuts the chains that attackers rely on to spread.  It's worth noting that this kind of containment has proven its worth against real-world incidents.  Ringfencing was reported to have foiled the 2020 SolarWinds Orion attack that bypassed many traditional defences [7].  Network Control and Storage Control reinforce this further by limiting where compromised machines can reach and what data they can touch.

Against Data Exfiltration:  The combination of Storage Control and Network Control makes it structurally difficult for data to leave in the first place.  If an application has no business accessing a particular file share or talking to an external server, it simply can't - regardless of whether it's been compromised.

Ransomware deserves a special mention here, because the way ThreatLocker protects against it speaks directly to the lateral-movement problem described above.  A well-executed ransomware attack doesn't just encrypt the files on the machine it lands on - it moves laterally to find and destroy or encrypt your backups too, specifically so that you have no clean copy to restore from and are left with little choice but to pay.  This is no edge case either.  A large majority of modern ransomware attacks now involve stealing data before encrypting it, which means simply having backups isn't the complete safety net it once was [8].  By using Storage Control to ringfence your backup repositories - ensuring they can only be touched by your backup software and nothing else - and by using Ringfencing and Network Control to prevent that lateral spread in the first place, ThreatLocker helps preserve your ability to recover.  And this ability to recover is, ultimately, what robs ransomware of most of its power.

Summary

The threats facing organisations today are numerous, and by almost every measure they're growing - in volume, in sophistication, and in the damage they can do.  AI has lowered the barrier to creating malware that's effectively invisible to detection-based tools. Ransomware continues to break records year after year, and attackers have refined the art of slipping quietly through networks to maximise the harm they cause.

In response, organisations are increasingly shifting towards a Zero Trust model - not just for endpoints, but across all of their systems.  Rather than trying to chase down every conceivable threat, the logic is to flip the question entirely around and only permit what's known and trusted, blocking everything else out by default.

ThreatLocker brings that philosophy together in a single platform.  Allowlisting ensures only approved software can ever run; Ringfencing contains what these trusted applications are allowed to do; Storage Control and Network Control lock down access to your data and your network; and built-in EDR catches and responds to anything that does manage to get through.  Together, these controls address the very threats - unknown and polymorphic malware, ransomware, lateral movement, and data exfiltration - that traditional, detection-led approaches increasingly struggle with.

If any of this sounds like something your organisation could benefit from, we'd be glad to help.  We can work with you to analyse your organisation's overall cybersecurity posture, identify potential weaknesses, and recommend and help implement the right solutions to address them - including deploying ThreatLocker for those who are interested.

Have any questions about Zero Trust or ThreatLocker?

If you have any further questions that have come about from reading this article, or want to know how to strengthen your endpoint security more generally, let us know!  We're more than happy to talk about your environment and help you work out the best way forward.

We can help with everything from deploying ThreatLocker and reviewing your security posture, right through to backups, network firewalls, EDR, and the broader range of security services needed to keep your systems protected.

You can call us on 1300 769 972 (Option #1) or reach us via email at sales@micron21.com.

Sources

[1] ThreatLocker, "Enterprise Cybersecurity Solutions", <https://www.threatlocker.com/>
[2] Wikipedia, "Timeline of computer viruses and worms" / "1260 (computer virus)", <https://en.wikipedia.org/wiki/1260_(computer_virus)>
[3] Dark Reading, "AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security", <https://www.darkreading.com/endpoint-security/ai-blackmamba-keylogging-edr-security>
[4] HIPAA Journal, "Ransomware Attacks Increased by 58% in 2025", <https://www.hipaajournal.com/ransomware-attacks-increased-58-percent-2025/>
[5] Cybersecurity Ventures, "Global Ransomware Damage Costs Predicted To Exceed $275 Billion By 2031", <https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/>
[6] Verizon, "2025 Data Breach Investigations Report (DBIR)", <https://www.verizon.com/business/resources/reports/dbir/>
[7] ThreatLocker, "Best Ransomware Protection Platform" / "Zero Trust in action: Blocking and containing applications", <https://www.threatlocker.com/blog/zero-trust-in-action-blocking-and-containing-applications>
[8] Sophos, "The State of Ransomware 2025", <https://www.sophos.com/en-us/content/state-of-ransomware>
