LockerGoga
LockerGoga is a targeted ransomware family first reported in January 2019, including in incidents affecting Altran Technologies and later Norsk Hydro, Hexion, and Momentive, with additional unnamed industrial and manufacturing victims reported by incident responders. It is associated with disruptive enterprise intrusions, particularly against midmarket and large enterprises, and has had significant impact in industrial and manufacturing environments where IT outages can affect physical operations. Public reporting also links LockerGoga operations to financially motivated actors: FIN6 or affiliated parties were reported distributing Ryuk and LockerGoga from mid-2018, and U.S. DOJ charges identified Volodymyr Viktorovich Tymoshchuk as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations.
LockerGoga encrypts files (in some reporting including core Windows OS files) and appends the .locked extension. One report describes its use of RSA-OAEP with MGF1 for file encryption, while separate reporting states that the ransom notes claim RSA4096 and AES-256. It drops a ransom note named README-NOW.txt on the desktop and negotiates payment via email, demanding Bitcoin for the decryption key; some reports state that negotiated ransoms reached hundreds of thousands of dollars. The malware has also been observed shutting down infected systems, and newer variants were reported to disable the network adapter, change user and administrator passwords, and log the machine off, increasing operational disruption and in some cases preventing victims from even viewing the ransom note.
Behaviorally, LockerGoga installation has repeatedly been observed immediately preceded by a taskkill command used to disable antivirus. It has also been observed deleting its original launcher after execution. Samples have been signed with stolen or otherwise abused code-signing certificates to appear legitimate; reporting references valid certificates associated with MIKL Limited and notes the use of stolen certificates more broadly. Known sample and process names include worker, worker32, svch0st, and svchub. A compile path string referencing "X:\work\Projects\LockerGoga\...\rijndael_simd.cpp" is cited as the origin of the LockerGoga name.
The intrusion tradecraft described around LockerGoga includes use of target credentials at the outset, possible phishing or purchased credentials for initial access, lateral movement with Metasploit and Cobalt Strike, credential dumping with Mimikatz, and broad deployment via Microsoft Active Directory management tools after obtaining domain administrator privileges. Reporting also states that LockerGoga infections were more common in Q1 2019 and were the result of targeted phishing attacks.
LockerGoga is also notable for process-killing behavior that amplifies ransomware impact. Mandiant identified an early iteration of a shared process kill list deployed as a batch script alongside LockerGoga in January 2019; the associated sample had MD5 34187a34d0a3c5d63016c26346371b54. That reporting assesses that such kill lists can increase impact in OT environments by terminating OT-related services, raising the likelihood of historian database encryption, loss of historical data, gaps in process-data collection, and temporary loss of access to licensing for critical services.
High-confidence indicators and artifacts cited in the reporting include the ransom note filename README-NOW.txt, the .locked encrypted-file extension, the contact emails CottleAkela@protonmail.com and QyavauZehyco1994@o2.pl from one reported ransom note, the January 2019 sample MD5 34187a34d0a3c5d63016c26346371b54, and the batch-script and process-kill behavior used to disable antivirus.
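As an added example (not code from the original page or from any vendor's detection content), the following Python correlates the taskkill-then-encrypt sequence described above over constructed, Sysmon-style process and file events, escalating severity when a README-NOW.txt or .locked artifact appears shortly after a taskkill on the same host. Hostnames, paths, the AV process name, and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, host, event type, detail).
SAMPLE_EVENTS = [
    ("2019-03-19T01:02:10", "hq-ws-041", "process", "taskkill.exe /f /im MsMpEng.exe"),
    ("2019-03-19T01:02:30", "hq-ws-041", "process", "C:\\Users\\Public\\worker32.exe"),
    ("2019-03-19T01:03:05", "hq-ws-041", "file", "C:\\Users\\alice\\Desktop\\README-NOW.txt"),
    ("2019-03-19T01:03:06", "hq-ws-041", "file", "C:\\Users\\alice\\Documents\\budget.xlsx.locked"),
    ("2019-03-19T07:00:00", "hq-ws-099", "process", "taskkill.exe /f /im notepad.exe"),
    ("2019-03-19T09:30:00", "hq-ws-099", "file", "C:\\Users\\bob\\Documents\\notes.txt.locked"),
    ("2019-03-19T09:31:00", "hq-ws-120", "process", "taskkill.exe /f /im notepad.exe"),
]

RANSOM_NOTE = "readme-now.txt"   # ransom note dropped on the desktop (documented artifact)
LOCKED_EXT = ".locked"           # extension appended to encrypted files (documented artifact)
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?\s/im\s", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # assumed correlation window; tune per environment


def is_lockergoga_artifact(path: str) -> bool:
    """True when the file name matches one of the documented LockerGoga artifacts."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == RANSOM_NOTE or name.endswith(LOCKED_EXT)


def detect(events, window=WINDOW):
    """Return alerts as (host, timestamp, severity, detail).

    'high':   artifact created within `window` after a taskkill on the same host
              (the documented AV-kill -> encryption sequence).
    'medium': artifact seen without a recent taskkill (still worth triage).
    """
    by_host = defaultdict(list)
    for ts, host, etype, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), etype, detail))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        kills = [t for t, etype, d in evs if etype == "process" and TASKKILL_RE.search(d)]
        for t, etype, d in evs:
            if etype != "file" or not is_lockergoga_artifact(d):
                continue
            recent_kill = any(timedelta(0) <= t - kt <= window for kt in kills)
            alerts.append((host, t.isoformat(), "high" if recent_kill else "medium", d))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

A taskkill alone (hq-ws-120) produces no alert, since administrators use it legitimately; the artifact is what triggers, and the preceding taskkill only raises severity.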
Groups observed using it
1 distinct threat actor attributed by public researchers:
"From mid-2018... FIN6 or affiliated parties were distributing the Ryuk and LockerGoga ransomware"
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Stealth: 2 techniques
Defense Impairment: 2 techniques
Reporting repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery: 1 technique
Lateral Movement: 2 techniques
Impact: 5 techniques
"For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data."
"The earliest iteration we identified of the shared kill list was a batch script deployed alongside LockerGoga... Other iterations of the list we have observed are also hardcoded directly into the ransomware binaries."
"The process kill lists were designed to amplify the effects of known ransomware strains."
Other: 2 techniques
Reporting repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls. Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
36 sources tracked across advisories, community write-ups, and news. Source summaries include:
LockerGoga is a ransomware family known for targeting large organizations and encrypting their data, often disrupting business operations.
Ransomware known for targeting large organizations and causing significant operational disruption by encrypting files and demanding ransom payments.
Ransomware strain known for high-profile attacks, notably the 2019 incident against Norsk Hydro, encrypting files and demanding ransom payments.
LockerGoga is a ransomware strain associated with high-profile attacks on large organizations, often used in targeted campaigns to encrypt files and demand ransom payments.