The main driver behind Locky campaigns is the Necurs botnet, which prior to the holidays was sending out hundreds of thousands of malicious spam emails containing the ransomware every day.
Researchers note that the revived Locky campaign is delivering fewer than a thousand messages a day - but it does appear to be leveraging some new tactics, which might be a test run before launching a new, full-on Locky campaign with new twists.
The first of the two new campaigns has been dubbed 'Double Zipped Locky' and sees cybercriminal perpetrators attempting to hide their malicious payload in a Zip file within a Zip file in the hope that the victim will think they're opening a document, instead of a malicious payload.
Currently, the Double Zip campaign is sent using the extremely basic format of a blank email containing the malicious attachment.
Not only does this particular new campaign infect victims with Locky ransomware, but the payload also delivers the Kovter Trojan. Even if the victim chooses to pay a ransom to criminals in order to unlock their files, Kovter remains on the infected system and is used to run click-fraud and malvertising campaigns.
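As an added illustration of how a mail gateway or sandbox could flag the nested-archive trick described above (example code written for this article, not tooling from the researchers it cites), the following Python walks a zip attachment recursively, records how deep the nesting goes, and lists any script or executable names found inside. The suspect-extension list and the sample attachment are constructed assumptions, and the depth cap guards against archives nested endlessly.

```python
import io
import zipfile

# Assumed list of extensions that typically carry a script or executable
# payload rather than a document; tune for your environment.
SUSPECT_EXT = {".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".hta", ".cmd", ".bat"}


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 4) -> dict:
    """Recursively walk a zip blob and report nesting depth and suspect members."""
    report = {"max_depth": depth, "nested_archives": [], "suspect_files": []}
    if depth > max_depth:  # stop on pathological nesting instead of recursing forever
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # corrupt or non-zip data: nothing to inspect
        return report
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".zip"):
                report["nested_archives"].append(name)
                inner = inspect_zip(zf.read(info), depth + 1, max_depth)
                report["max_depth"] = max(report["max_depth"], inner["max_depth"])
                report["nested_archives"] += [f"{name}/{n}" for n in inner["nested_archives"]]
                report["suspect_files"] += [f"{name}/{s}" for s in inner["suspect_files"]]
            elif any(lower.endswith(ext) for ext in SUSPECT_EXT):
                report["suspect_files"].append(name)
    return report


def is_double_zipped_payload(data: bytes) -> bool:
    """True when an archive is nested inside another and a script/executable sits within."""
    r = inspect_zip(data)
    return r["max_depth"] >= 1 and bool(r["suspect_files"])


def build_sample() -> bytes:
    """Constructed sample: outer zip -> inner zip -> harmless .js stub, mimicking the lure."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.js", "// placeholder stub, no payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_sample()))
```

A flat zip containing only a document scores zero nesting and no suspect members, so the same check can be run on every inbound attachment without flagging ordinary compressed files.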
A second new Locky campaign uses slightly more sophistication than the blank Double Zip campaign in an effort to dupe victims, sending them an email posing as a failed transaction and telling the target their bank account has blocked some activity. Telling the target their account has seen suspicious activity is a common tactic for ransomware delivery.
While both campaigns are currently operating at low volume, they could represent indicators that the sophisticated Locky machine is gearing up to continue its activities for 2017. It isn't the first time Locky has appeared to fade, as campaigns appeared to drop last summer before becoming more prolific once again.