Tor Suddenly Goes Into Reverse (Again)

The prevailing theory to account for the surge in Tor .onion addresses was that it was being driven by malware.  The most likely candidate was Locky.  I say "was" because, yet again, Tor has confounded us all by showing just as dramatic a fall in .onion addresses:

The initial surge that raised interest also had its own fall, followed by an even larger rise.  So, what happens from here is anyone's guess.  No one seems to know what is causing this - well someone does but they're not saying.

Whilst the surges do appear to have some correlation with Locky infections its not clear why the number of addresses would fall if it were Locky.  Is Locky somehow clearing up after itself - maybe just turning off the addresses once used?  Does the drop mean that people are paying up and the .onion address is no longer needed?  Lots of questions but few answers.