How often do you turn your iPhone or android smartphone off? Not often enough, says the NSA as it issues a security warning to all users about zero-click attacks.
It would entirely depend on the design of the malware. If a malware author wanted to chronologically separate infection from detection, doing persistance and then not activating until next reboot wouldnt be unreasonable.
For example, if a user visits a site, and 10 seconds later their PC gets cryptolockered, they can report the site. If they visit a site, and then a hundred others, and then 10 days later their PC reboots and gets cryptolockered, they will have no idea which site did it.
It would entirely depend on the design of the malware. If a malware author wanted to chronologically separate infection from detection, doing persistance and then not activating until next reboot wouldnt be unreasonable.
For example, if a user visits a site, and 10 seconds later their PC gets cryptolockered, they can report the site. If they visit a site, and then a hundred others, and then 10 days later their PC reboots and gets cryptolockered, they will have no idea which site did it.