Proofpoint reported that threat actors associated with the Dridex banking trojan expanded into ransomware operations by distributing Locky, linking a major financial malware crew to one of the most disruptive file-encrypting threats at the time. The activity showed established cybercriminal operators reusing their spam delivery infrastructure and malware distribution expertise to push ransomware at scale.
The report also identified a new malware component called RockLoader, which was introduced as part of the infection chain supporting Locky delivery. The combination of Dridex-linked distribution, high-volume malicious email campaigns, and an added loader stage indicated a more modular and professionalized attack workflow designed to improve payload delivery and broaden the operators' monetization options.

2 events from the most recent confirmed update back to the earliest known activity.
Proofpoint published research describing cybercriminals associated with Dridex introducing the RockLoader malware as part of campaigns delivering Locky ransomware. The report marks a public technical disclosure linking these actors and tooling to Locky distribution.
A report published on 2016-02-19 described Locky ransomware infecting victims through booby-trapped Microsoft Word documents, where opening the attachment could trigger file encryption across the system. This reflects an earlier public reporting milestone on Locky’s delivery method before later research tied Dridex actors and RockLoader to its distribution.