Thursday, 25 February 2016

Tor Hidden Services Yoyo

I didn't see this coming: just as the number of Tor hidden services looked all set to decline (after its sudden spike a week ago), possibly back to its more usual level, it suddenly leapt up again.  It's worse than the stock market.  I'm now totally confused as to what is causing this.




For the recent history of the number of unique .onion addresses on Tor, see the previous blog entries below.



If this is due to Locky, then the sudden spike suggests that Locky has had a sudden resurgence, in a single day.  I can only hope that this isn't true, but if we see reports of a sudden surge in Locky infections, I guess that would be highly suggestive that the malware is behind the spike(s).

I think this latest twist in the pattern probably rules out Ricochet, unless someone is doing some form of testing.

The other alternative that occurred to me was that another piece of malware (perhaps a son of Locky) has started its campaign.

Originally I noted that the traffic being reported to these hidden services appeared (counterintuitively) to be dropping as the number of .onion addresses increased.  It remains to be seen whether it means anything, but that pattern has continued: as one metric drops the other increases, and vice versa.


This would appear to be an inverse correlation, which should be borne out if the changes in direction continue, but what the correlation itself proves still eludes me.

It is worth noting that the graphs above are based on the statistics for whole days, i.e. up to the end of yesterday, 24th February 2016.  However, these stats are gathered several times a day, and the data for 25th February 2016 already shows 63818 unique .onion addresses, but that figure is based on data gathered from only 0.2% of the nodes, whereas a full day's data is more usually gathered from 30-50% of nodes.  Also, one small point: yesterday's data was gathered from only 33% of nodes, whereas recently it has been more usual to see data reported from approximately 45% of nodes.
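To see why a figure extrapolated from 0.2% of nodes deserves far less weight than one from 30-50%, here is a small Monte Carlo toy. It is an added example, not code from the original post and not Tor Metrics' actual extrapolation code: it assumes 50,000 onion services, 3,000 HSDir relays, six HSDirs per service chosen uniformly at random, and per-relay obfuscation (binning plus Laplace noise) with delta_f=8, epsilon=0.30 and bin_size=8, values modelled on the parameters relays publish alongside their `hidserv-dir-onions-seen` statistic. It then scales the sum of the reported counts up by the reporting fraction and divides out the six-fold counting, and measures how much that estimate wobbles depending on which relays happened to report.

```python
"""Toy Monte Carlo of extrapolating a network-wide unique .onion count from a
partial set of reporting relays. Constructed example; it is NOT Tor Metrics'
actual extrapolation code, and every constant below is an assumption."""
import math
import random

TRUE_ONIONS = 50_000       # assumed true number of distinct onion services
RELAYS = 3_000             # assumed number of HSDir relays in the network
HSDIRS_PER_ONION = 6       # assumption: each service's descriptors sit on 6 HSDirs
# Assumed obfuscation parameters, modelled on the delta_f/epsilon/bin_size values
# relays publish with their hidserv-dir-onions-seen statistic.
DELTA_F, EPSILON, BIN_SIZE = 8, 0.30, 8


def laplace(scale, rng):
    """Draw one sample from Laplace(0, scale) by inverse transform."""
    u = max(rng.random(), 1e-12) - 0.5        # u in (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def true_relay_counts(rng):
    """How many distinct onion addresses each relay really saw in the period."""
    counts = [0] * RELAYS
    for _ in range(TRUE_ONIONS):
        # assumption: HSDirs picked uniformly at random rather than from the hash ring
        for relay in rng.sample(range(RELAYS), HSDIRS_PER_ONION):
            counts[relay] += 1
    return counts


def noisy_report(count, rng):
    """Obfuscate a relay's count before 'publishing' it: round up to a bin,
    add Laplace noise, round again (an approximation of the relay-side scheme)."""
    binned = math.ceil(count / BIN_SIZE) * BIN_SIZE
    noisy = binned + laplace(DELTA_F / EPSILON, rng)
    return max(0, int(round(noisy / BIN_SIZE)) * BIN_SIZE)


def extrapolate(reports, reporting_fraction):
    """Scale the reported total up by coverage; each onion is counted by
    HSDIRS_PER_ONION relays, so that factor is divided out as well."""
    return sum(reports) / (reporting_fraction * HSDIRS_PER_ONION)


def estimate_spread(counts, fraction, trials, rng):
    """Mean and standard deviation of the extrapolated count over `trials`
    random choices of which relays happened to report."""
    n_report = max(1, round(fraction * RELAYS))
    estimates = []
    for _ in range(trials):
        reporting = rng.sample(range(RELAYS), n_report)
        reports = [noisy_report(counts[r], rng) for r in reporting]
        estimates.append(extrapolate(reports, n_report / RELAYS))
    mean = sum(estimates) / trials
    sd = math.sqrt(sum((e - mean) ** 2 for e in estimates) / trials)
    return mean, sd


def run_comparison(fractions=(0.002, 0.33, 0.45), trials=200, seed=1):
    """Return {reporting fraction: (mean estimate, standard deviation)}."""
    rng = random.Random(seed)
    counts = true_relay_counts(rng)
    return {f: estimate_spread(counts, f, trials, rng) for f in fractions}


if __name__ == "__main__":
    for f, (mean, sd) in run_comparison().items():
        print(f"{f * 100:5.1f}% of relays reporting: estimate {mean:8.0f} "
              f"+/- {sd:6.0f} (relative spread {100 * sd / mean:4.1f}%)")
```

With six reporting relays (0.2% of 3,000) the per-relay Laplace noise is of the same order as each relay's real count, so the relative spread of the extrapolated total is roughly an order of magnitude larger than with a third or more of the relays reporting, where the noise averages out. The binning also introduces a small upward bias that does not shrink with coverage, which is worth remembering when comparing absolute levels rather than trends.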

We wait to see what a full day's reporting shows.