Decline in two families of malware has researchers stumped

A brief lull in the campaigns to distribute two major pieces of malware has security researchers baffled and in some cases on edge. 

The ransomware Locky and the banking Trojan Dridex have dramatically scaled back distribution campaigns over the past month, and no one is quite sure why.

“16 days into the year and we continue to see no Locky, Dridex, vastly decreased spam volumes etc. Before new year we were getting 100k+/day,” tweeted researcher Kevin Beaumont. 

{mosads}Similar results have been found by a number of other experts. The antivirus firm Avast could track upwards of 100,000 Locky attacks per day until around Christmas, when attacks almost completely disappeared. 

At their peak, Locky and Dridex raked in more than a million dollars a week.  

Avast is concerned that the lull in Locky attacks will not last much longer.

“The longest lull before this was a few weeks in October,” said Tony Anscombe, senior security evangelist at Avast. “But the malware came roaring back.”

Anscombe notes that there is no technical reason that Locky would slow its campaign. Ransomware of Locky’s ilk encrypts files and forces users to pay a ransom to have their files decrypted. Usually, Ransomware only declines because it is no longer profitable — like when researchers release software to decrypt files without needing to pay the ransom. As of yet, that hasn’t happened with Locky. 

Anscombe speculates the decline is a big data-type decision.

“Maybe they’ve found that during holidays they can’t make as much profit,” he said.