{
	"id": "3496a34c-817e-42fb-80d9-1052bdf586ce",
	"created_at": "2026-04-06T00:16:29.41638Z",
	"updated_at": "2026-04-10T03:20:56.719483Z",
	"deleted_at": null,
	"sha1_hash": "9448f580e7eef01f917761a13fb5fa95d31024d4",
	"title": "Numbers Show Locky Ransomware Is Slowly Fading Away",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 755667,
	"plain_text": "Numbers Show Locky Ransomware Is Slowly Fading Away\r\nBy Catalin Cimpanu\r\nPublished: 2017-03-20 · Archived: 2026-04-05 13:58:29 UTC\r\nOver the past six months, the number of Locky ransomware infections has gone down and is expected to reach an all-time\r\nlow this month, in March.\r\nEver since the ransomware launched in mid-February 2016, Locky has been one of the most active and prevalent\r\nransomware families on the Internet.\r\nThe Necurs and Locky connection\r\nFrom the start, it became apparent that Locky's growth was powered by Necurs, a huge botnet of infected devices used to\r\nsend email spam.\r\nPrior to Locky's appearance, Necurs had been used exclusively to deliver the Dridex banking trojan. This changed when\r\nLocky appeared, and Necurs slowly replaced Dridex with Locky as its primary payload.\r\nhttps://www.bleepingcomputer.com/news/security/numbers-show-locky-ransomware-is-slowly-fading-away/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/numbers-show-locky-ransomware-is-slowly-fading-away/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nNecurs spewed out so much Locky ransomware spam, that Locky became the first ever ransomware strain to reach Check\r\nPoint's malware top 3, back in September 2016.\r\nNecurs abandons Locky at the start of 2017\r\nBut not all things last forever and things changed over the New Year. Necurs operators are known to take a few weeks off\r\nfrom before Christmas to mid-January. They've been taking this break all the years they've been in business, and they did the\r\nsame in the 2016-2017 holiday.\r\nSomething happened over this past holiday season because when it came back, the Necurs botnet wasn't pushing Locky at\r\nthe same levels.\r\nMany researchers noted this event, such as Cisco Talos. 
The team behind the ID Ransomware service noticed the same\r\nthing.\r\nThe graph below shows the number of users who used the ID-Ransomware service to identify Locky infections. The drop in\r\nLocky activity since the start of the new year is evident.\r\nOn the other hand, Cerber, who once looked dead, has now taken Locky's place as today's top ransomware threat.\r\nResearchers from Morphisec have documented Cerber's recent rise.\r\nAnother graph from the ID Ransomware team provided by MalwareHunter shows Locky's activity during the past week.\r\nThe graph clearly shows that Locky is being \"outperformed\" even by newcomers like Spora.\r\nBesides Cisco and ID Ransomware, others have also noticed Locky's downfall in recent months.\r\nResearchers: No new Locky spam from Necurs\r\nMalwareTech, a security researcher that keeps track of the Necurs botnet in particular, confirmed ID Ransomware's\r\nobservation.\r\n\"There's been none [Locky spam from Necurs] at all this year,\" the researcher told Bleeping Computer. \"Necurs is back and\r\ndoing something totally different: penny stock pump \u0026 dumps,\" the researcher later tweeted, referring to pump \u0026 dump\r\nspam campaigns which try to artificially boost stock prices so crooks can buy low and sell high.\r\nSimilarly, a security researcher that goes by @dvk01uk, specialized in email spam analysis, also noticed a fall in Locky\r\nspam numbers.\r\n\"Yes, very reduced,\" he told Bleeping Computer today. \"About all I see are the daily fake FedEx, UPS, USPS 'cannot deliver\r\nyour parcel' messages.\"\r\nThese are spam messages that come with email attachments laced with the Nemucod downloader, which in turn downloads\r\nthe Kovter click fraud malware and the Locky ransomware.\r\nThis distribution scheme is the hallmark sign of an affiliate system distributing Locky. 
Previously, last year's massive spam\r\ncampaigns sending Locky did not rely on Nemucod.\r\nNo new Locky versions this year\r\nAdditionally, prior to going silent during the Christmas holiday, Locky received monthly updates, going through various\r\nextensions such as Zepto, Odin, Shit, Thor, Aesir, ZZZZZ, and Osiris. No new Locky variant has been seen since December.\r\nNow, let's look at the big picture. Locky's first campaigns came via the Necurs botnet. Most of the massive spam distributing\r\nLocky also came via Necurs, which shows a clear connection between the Locky and the Necurs crews, who could very\r\nwell be the same.\r\nFurthermore, no new Locky activity has been spotted from the Necurs botnet, and no new version came out since the last\r\nNecurs+Locky campaigns last year.\r\nAll clues point to the (temporary) death of Locky, albeit the ransomware appears to be alive in some RaaS affiliate schemes.\r\nWe'll just have to wait and see what happens with Locky in the coming months. Who knows, maybe they'll release\r\ndecryption keys like the TeslaCrypt group. Fingers crossed!\r\nSource: https://www.bleepingcomputer.com/news/security/numbers-show-locky-ransomware-is-slowly-fading-away/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/numbers-show-locky-ransomware-is-slowly-fading-away/"
	],
	"report_names": [
		"numbers-show-locky-ransomware-is-slowly-fading-away"
	],
	"threat_actors": [],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9448f580e7eef01f917761a13fb5fa95d31024d4.pdf",
		"text": "https://archive.orkl.eu/9448f580e7eef01f917761a13fb5fa95d31024d4.txt",
		"img": "https://archive.orkl.eu/9448f580e7eef01f917761a13fb5fa95d31024d4.jpg"
	}
}