January 19, 2017
For the past year, the malware known as “Locky,” which infects victims’ computers and encrypts their files before demanding a ransom in order to release them, has been one of the most effective and dreaded threats on the internet.
But in the last three weeks, a period that coincided with the holidays, Locky attacks have pretty much stopped, according to security researchers.
Since before Christmas, Locky “has taken a holiday of sorts,” as Avast researcher Jan Širmer put it in a blog post.
This is not the first time its operators have gone quiet: in October, around Halloween, Locky took another two-week break. And in June of last year, the massive collection of hacked computers—or botnet—used to control Locky inexplicably vanished for days and then came back.
It’s unclear why the operators of the botnet, called “Necurs,” have been on hiatus, but several researchers have noticed their extended vacation. The graph below, which shows the stark difference in activity from Necurs in the last few weeks, was prepared Cisco Talos researcher Jaeson Schultz.
As Avast’s Širmer noted in his blog post, this hiatus might be the precursor to another widespread campaign, judging from past trends. In other words, Locky comes and goes.
“This is quite common for malware and there could be many reasons for it, just like there could be many reasons why some ads appear more often on TV during some weeks compared to other ones,” Martijn Grooten, a malware expert and editor at Virus Bulletin, told Motherboard.
Grooten noted that Locky is still spreading through exploit kits. The sudden decline in attacks, however, is a bit unusual because it came over a holiday period, which is generally considered ripe for cyberattacks. Kaspersky Lab, for example, reported a spike in financial cyberattacks over the holidays compared to the previous year.
Unfortunately, it’s unlikely that Locky is gone for good. But internet defenders and potential victims surely are enjoying the hackers’ extended holidays.