There is some suggestion that when a machine is infected with Locky, the malware creates a unique Bitcoin address and .onion address. This would prevent law enforcement from tracing the criminals. Martijn Grooten pointed back to similar spikes in the number of "users" of Tor, which were caused by malware using the network as part of its command and control system:
Major jump in Tor "users" reported in Virus Bulletin 2013
The anecdotal evidence from the messages displayed by the malware would suggest it does, but I have yet to see it described in any detail. If it is doing this, it leaves some interesting questions about how, for example, the criminals are receiving the private address for the Bitcoin transaction and if that could somehow be intercepted.
However, although this is a plausible explanation, and some initial evidence suggests it is doing as discussed, I shall wait for the full analysis of the malware before reaching a final conclusion.
In any event, the continued rise is unprecedented for Tor hidden services, and it would be good to know what is causing it.