Friday, 26 February 2016

Is Locky Back?

The number of Tor hidden services continues to skyrocket.  Yesterday's figures grew to numbers even I did not expect.  Just based on initial data, today is looking like an even bigger rise.

Data As At 09:30 GMT
One note of caution: the data for the last 24 hours is based upon relatively few nodes having reported so far. Usually data is considered reliable once 1% of nodes have reported - we're not quite there yet. However, the trend continues what was happening yesterday, so it looks like this may well be the picture for today - possibly even higher.

There are numerous reports that Locky is back and "wreaking havoc" across the Internet. Assuming this is not just hyperbole but truly reflects the number of infections, then I'd say this rise in hidden services is being driven by Locky. Sadly.

As previously noted, the data traffic volumes do not match the increase in .onion addresses, so whatever is using them is employing remarkably little data. Another sign, perhaps, that it is Locky assigning unique addresses for victims such that, once used, no further traffic is generated.

If it is Locky then this latest surge makes the previous campaign a minor bump on the road.  Watch out.