LockerGoga Ransomware

LockerGoga Ransomware Description

lockergoga ransomware industry facility outbreaksWhile security researchers have expected ransomware attacks to slow down in 2019, recent ransomware outbreaks remind us that we must remain ever vigilant. One such outbreak that made headlines involved a ransomware known as LockerGoga. The ransomware targeted Norwegian manufacturing company Norsk Hydro, one of the world's top aluminum producers, forcing it to halt operations in multiple factories. This severely hindered the company's production and caused its stocks to fall by 0.8 percent. It is also suspected that a variant of LockerGoga was used to target French engineering company Altran Technologies earlier in January.

Ransomware is a type of malware that encrypts the files of a computer system to extort a ransom from its target. There are multiple families of ransomware and an even higher number of variants within each of those families. Each of them uses a different set of tools and libraries to infect and encrypt a system. The ransomware in question, LockerGoga, was developed using C++ and implements the Crypto++ library for its encryption operations and the Boost library to manage system processes.

It is not yet known what vector the malware uses to infect a system. In the case of Altra Technologies, forensics suggest that the infection occurred through a phishing attack. It is also possible that the targeted network was already compromised through other hacking methods, creating a backdoor to drop the malware's payload. The executable also has a signed certificate issued by Sectigo. As of now, these certificates have been revoked.

Once in the system, LockerGoga uses a renamed version of the system administration tool PsEXEC to execute the payload. It is unknown how the malware spreads within a network; however, researchers believe that it spreads by using stolen remote desktop protocol (RDP). This would mean that the malware can spread from an infected terminal to others within the network.

When LockerGoga's code is executed, it will issue a command in the command line to relocate it to the TEMP folder and renames itself with a random number. The ransomware will then run two additional commands that use the Boost library to create a master process that enumerates files in the system and multiple child processes tasked with the encryption of data. The user will then be presented with a ransom note containing instructions on how to contact and pay the bad actor to decrypt the system.

Figure 1. LockerGoga Ransom Note
LockerGoga Ransom Note

After the encryption process is done, the encrypted files will have ".locked" extension appended to them. LockerGoga targets the following file extensions in a system:

.doc, .dot, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db, .sql, .cs, .ts, .js, .py, .docb, .dotx, .docx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .wkb, .xlm, .xml, .xls, .xlsx.

While LockerGoga targets these particular extensions, it can encrypt any file in a hard drive. LockerGoga will also block outside network connections by disabling any Wi-Fi or Ethernet adaptors on the system. Specific variants of the ransomware, such as the one used at Norsk Hydro, will also log out all users and change their passwords to "HuHuHUHoHo283283@dJD".

A variation of the LockerGoga ransom note is as follows:


There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore your data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at:
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security

While some variants of LockerGoga seek to make a profit at their victim's expense, later variants seem only interested in disrupting operations by permanently "bricking" the system. This is done by encrypting the Boot Manager on windows systems which would render the machine inoperable and unable to display ransom notes with instructions for decryption.

Figure 2. Newer variants of LockerGoga can encrypt Windows Boot Manager and render the computer inoperable.
encrypts Windows Boot Manager and renders machine inoperable

As in every case involving ransomware, it is not recommended for companies and individuals to pay up the ransom since it incentivizes cybercriminals to keep conducting these malware campaigns. Furthermore, there is no assurance that the perpetrators will decrypt the system. Having up-to-date back-ups of all your data along with good cybersecurity policies is the best way to combat ransomware incidents.

Do You Suspect Your PC May Be Infected with LockerGoga Ransomware & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like LockerGoga Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

File System Details

LockerGoga Ransomware creates the following file(s):
# File Name
1 %APPDATA%\Local\Temp\tgytutrc8.exe

Related Posts

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their PC with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.