In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles, California became infected with Locky ransomware. The infection encrypted systems throughout the facility, locking staff out of computers and electronic records.
Eventually, the hospital paid a ransom of 40 Bitcoins - then equivalent to $17,000 - in order to acquire the decryption key to restore its data.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this," Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said at the time.
But why did this ransomware go so quiet in the first place?
Nobody knows who exactly is behind Locky, but the sophistication of the ransomware, and the strength of the underlying cryptography which researchers haven't been able to crack, points to it being the work of a highly professional group.
Like a legitimate software developer, they're constantly working to update their product, and unlike other forms of ransomware, Locky isn't available 'as-a-service' for others to use, so it's possible the campaigns go quiet as those behind it work on their code or experiment with new tactics.
"The respite we saw from Locky was likely just a planned pull-back on the attackers' part. Like any organisation, they need time to refine code and command-and-control infrastructure, plan new attack vectors, organise ransom payment collection methods and compile new lists of targets," said Troy Gill, manager of security research at AppRiver.
Each time Locky has briefly re-emerged before seemingly disappearing during the course of this year, it's been doing something a little different, suggesting that those behind it are experimenting.
For example, a Locky spike in April saw the ransomware flirt with a new delivery technique, with distribution via infected PDFs instead of Office documents, a tactic associated with the Dridex malware botnet. So it could be that the ransomware simply goes offline as those behind it examine malware trends and work out how to implement them into Locky to make it more successful.
"The timing of these comebacks matches closely with the introduction of new attributes such as the most recent Diablo and Lukitus extensions for attached files and the use of new distribution techniques involving PDF documents or phishing links," says Brendan Griffin, threat intelligence manager at PhishMe.
"These periods of Locky absence are used as a chance to build upon their successes and find new, smarter ways to deliver their ransomware."
Locky is distributed via the Necurs botnet - a zombie army of over five million hacked devices - and the ransomware appears to go off the radar when the botnet is used for other activity. For example, Necurs re-emerged following a period of inactivity in March, when its power was harnessed to distribute email stock scams.
While Jaff is less sophisticated than Locky, researchers believe the two to be connected. Not only do the Jaff decryptor website and the Locky decryptor website look almost identical, but like Locky, the ransomware will delete itself from the infected machine if the local language is Russian.
Since then, the Necurs botnet has returned to distributing Locky, which might indicate that while they may experiment with other forms of cyber criminal activity, those behind Locky see it as a reliable tool to fall back on - because it works and generates revenue.
"Locky is an incredibly powerful and well developed piece of ransomware," says Adam Kujawa, director of malware intelligence at Malwarebytes. "At the end of the day, the bad guys want to make money and they will use whatever software they can get their hands on to make that happen."
So while Locky is successful, those behind it are opportunistic and are constantly on the lookout for other means of making money - and if that means dropping Locky in favour of something else then so be it.
But for now, Locky remains successful - because if victims weren't still paying ransoms, the attackers would swiftly move on to something else. Yet 18 months on from the Hollywood Presbyterian Medical Center attack, it's still here and it's still successfully infiltrating networks.
Ransomware remains successful because it works, because enough people get infected after being duped by phishing emails and enough organisations will give in and pay the ransom fee in order to regain access to their systems - especially as there's still no decryption tool available.
Simply put, Locky keeps returning because it is successful. So the next time it appears to go silent, don't make any assumptions about the ransomware being dead - it's likely that it's just gone offline while those behind it work to make it even more effective.