However, attacks distributing Locky have declined this year, and while it was once the king of ransomware, its title has been usurped -- Cerber now dominates the market.
But that doesn't mean Locky no longer poses a threat. After going dark for a few months -- even to the point where it wasn't being distributed at all -- the ransomware is once again being spread through the Necurs botnet.
But this time the campaign, which began on August 9, is distributing the ransomware with a new file extension called Diablo6, according to Malwarebytes researchers who've observed it. The new Diablo variant calls back to a different command and control server than previous Locky campaigns.
A new variant which adds the extension '.Lukitus' to encrypted files is also being distributed. Lukitus is the Finnish word for 'locking'.
Like other ransomware families, Locky is distributed via spam emails; in this particular campaign, the emails carry PDF attachments with embedded .DOCM files.
If the user downloads the attachment and enables macros as the payload requests, they'll soon find that they've lost access to the files on their computer and are told that they need to pay a ransom in order to get the "private key" from the "secret server" of the attackers.
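For mail-gateway triage of the delivery chain described above (a PDF carrying an embedded macro-enabled document), the following added example, which is not from the article or from Malwarebytes, scans a PDF's raw bytes for file specifications that name a macro-enabled Office file. The function names are hypothetical, the extension list beyond .DOCM is an added generalization, and the scan only sees uncompressed objects, so PDFs using object streams are flagged for a full parse instead.

```python
import re

# Macro-enabled Office extensions; the page names .DOCM, the others are an added generalization.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")

# A file specification names its file under /F or /UF, as a literal (...) or hex <...> string.
NAME_RE = re.compile(
    rb"/(?:UF|F)\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)

def _text(raw):
    """Decode a PDF string: UTF-16BE when it starts with a BOM, else byte-for-byte."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def filespec_names(data):
    """Return every /F or /UF file name visible in the uncompressed PDF bytes."""
    names = []
    for m in NAME_RE.finditer(data):
        if m.group("lit") is not None:
            # Only the \( \) \\ escapes are undone; enough for file names.
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))
        else:
            digits = b"".join(m.group("hex").split())
            # An odd-length hex string is padded with a trailing 0, per the PDF format.
            raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
        names.append(_text(raw))
    return names

def triage(data):
    """Classify a PDF attachment: (verdict, macro-enabled attachment names)."""
    hits = sorted({n for n in filespec_names(data) if n.lower().endswith(MACRO_EXTS)})
    if hits and re.search(rb"/EF\b", data):   # /EF marks an embedded file stream
        return "macro-attachment", hits
    if b"/ObjStm" in data:                    # objects may sit in compressed streams
        return "needs-full-parse", []
    return "no-finding", []

# Constructed sample, not taken from a real campaign file.
SAMPLE = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Filespec /F (scan.docm) "
    b"/UF <FEFF007300630061006E002E0064006F0063006D> /EF << /F 2 0 R >> >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length 0 >>\n"
    b"stream\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "needs-full-parse" verdict means the raw scan cannot rule the attachment in or out and a PDF parser that inflates object streams should take over.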
"The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it's not active at a particular given time," said Marcelo Rivero, intelligence analyst at Malwarebytes.
While those behind Locky have yet to be identified, researchers have noted that the ransomware will delete itself from the infected machine if the local language is Russian, possibly pointing towards the geographic location of the developers.