Data As At 09:30 GMT
There are numerous reports that Locky is back and "wreaking havoc" across the Internet. Assuming this is not just hyperbole but truly reflects the number of infections, then I'd say this rise in hidden services is being driven by Locky. Sadly.
As previously noted, the data traffic volumes do not match the increase in .onion addresses, so whatever is using them is employing remarkably little data. Another sign, perhaps, that it is Locky assigning unique addresses for victims, such that once used, no further traffic is generated.
If it is Locky then this latest surge makes the previous campaign a minor bump on the road. Watch out.