Necurs, one of the largest botnets, went offline during the holiday period of 2016 and through the beginning of 2017. However it returned only to shortly peak late in April, spreading Locky using malicious PDF documents.

http://blog.checkpoint.com/2017/05/11/jaff-new-ransomware-town-widely-spread-infamous-necurs-botnet/