Proofpoint reported a sharp escalation in Locky ransomware distribution by threat actors associated with major Dridex operations, including a campaign that sent tens of millions of emails and heavily targeted organizations in the UK and France. The activity relied on malicious email attachments such as JavaScript files, weaponized documents, and archive-based lures, showing that established banking malware operators had moved aggressively into ransomware delivery at scale.
Researchers said the campaigns used a newly identified intermediary downloader, RockLoader, alongside layered evasion tactics: heavily obfuscated JavaScript, junk files padded into the archives, malformed Content-Type headers, RAR archives, and misleading or double file extensions. Proofpoint also observed RockLoader delivering payloads other than Locky, including Dridex 220, Pony, and Kegotip, indicating a flexible distribution platform whose code and delivery methods were changed rapidly to bypass detection and raise infection rates.
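The attachment tricks listed above (script files, double extensions hiding a script behind a document extension, archives carrying the script, and malformed Content-Type headers) are exactly what a mail-gateway or mail-triage check can key on. The script below is an added example written for this page; it is not Proofpoint's code and not a detection they published. The extension lists, the finding strings, and the sample message it builds (a zip holding a double-extension JavaScript file plus a RAR part with a deliberately broken Content-Type) are all constructed assumptions for illustration, not real captures.

```python
"""Flag the attachment patterns described in the Locky/RockLoader write-up.

Added example, not code from the page or from Proofpoint.  The sample
message built in build_sample() is constructed for this demo, not a capture.
"""
import email
import io
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed lists: stages Locky-era lures actually ran, and decoy extensions
# they hid behind.  Tune these for your own environment.
SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "vbe", "hta", "exe", "scr"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# A syntactically valid MIME type is exactly "type/subtype".
MIME_TYPE_RE = re.compile(r"^[A-Za-z0-9][\w.+-]*/[A-Za-z0-9][\w.+-]*$")


def split_exts(name):
    """'invoice.pdf.js' -> ['pdf', 'js'] (lower-cased, leading stem dropped)."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_name(name, where):
    """Filename heuristics; `where` says if the file is a direct attachment or inside an archive."""
    findings = []
    exts = split_exts(name)
    if not exts:
        return findings
    last = exts[-1]
    if last in SCRIPT_EXTS:
        findings.append(f"{where}: executable/script attachment '{name}'")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_EXTS:
        findings.append(f"{where}: double extension masquerading as .{exts[-2]} '{name}'")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message and return a list of finding strings (empty if clean)."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        # Inspect the raw header, not get_content_type(), which silently
        # falls back to text/plain when the header is malformed.
        ctype_raw = str(part.get("Content-Type", "")).split(";", 1)[0].strip()
        if ctype_raw and not MIME_TYPE_RE.match(ctype_raw):
            findings.append(f"attachment '{name}': malformed Content-Type '{ctype_raw}'")
        findings += check_name(name, "attachment")
        exts = split_exts(name)
        payload = part.get_payload(decode=True) or b""
        if exts and exts[-1] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():  # look for the script hidden in the archive
                        findings += check_name(inner, f"inside '{name}'")
            except zipfile.BadZipFile:
                findings.append(f"attachment '{name}': .zip extension but not a zip archive")
        elif exts and exts[-1] in ARCHIVE_EXTS:
            # No stdlib RAR/7z reader; hand these to your sandbox or unpacker.
            findings.append(f"attachment '{name}': {exts[-1]} archive, extract and inspect contents")
    return findings


def build_sample():
    """Constructed lure (not a real capture): a zip hiding a double-extension JS
    file next to a junk file, plus a RAR part whose Content-Type lacks the slash."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.js", "var a='obfuscated';")  # stand-in for obfuscated JS
        zf.writestr("readme.txt", "junk filler")                   # junk file padding
    msg = MIMEMultipart()
    msg["Subject"] = "Invoice"
    msg.attach(MIMEText("Please see attached invoice."))
    zip_part = MIMEApplication(buf.getvalue(), "zip", name="invoice_2016.zip")
    zip_part.add_header("Content-Disposition", "attachment", filename="invoice_2016.zip")
    msg.attach(zip_part)
    rar_part = MIMEApplication(b"Rar!\x1a\x07\x00", "x-rar-compressed", name="scan.rar")
    del rar_part["Content-Type"]
    rar_part["Content-Type"] = 'application x-rar-compressed; name="scan.rar"'  # malformed on purpose
    rar_part.add_header("Content-Disposition", "attachment", filename="scan.rar")
    msg.attach(rar_part)
    return msg.as_string()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

Run against the constructed sample it reports four findings: the script and the double extension inside the zip, the malformed Content-Type on the RAR part, and the RAR itself as an archive to unpack. The raw-header check matters because Python's `get_content_type()` quietly returns `text/plain` for an invalid header, which is precisely the sort of parser leniency a malformed header is meant to exploit.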

Timeline (3 events, most recent first):
Proofpoint described an April 7, 2016 Locky ransomware email campaign involving tens of millions of messages, primarily targeting organizations in the UK and France. The activity was part of the broader surge attributed to actors tied to Dridex operations.
Proofpoint identified a newly observed intermediary downloader called RockLoader being used in the campaigns. It was seen delivering Locky as well as other malware families including Dridex 220, Pony, and Kegotip.
Proofpoint reported a major increase in Locky ransomware email campaigns in early 2016, linking the activity to actors associated with large Dridex operations. The campaigns used JavaScript attachments, malicious documents, and multiple evasion techniques to improve delivery and bypass detection.