LockerGoga
⚠️ Overview
LockerGoga is file-encrypting ransomware first reported in January 2019 by several security vendors, among them McAfee, Cisco Talos and Symantec; MITRE ATT&CK tracks it as software S0372. Attribution is not settled. Public reporting ties its deployment to financially motivated intrusion operators (FireEye described FIN6-associated intrusions that dropped LockerGoga alongside Ryuk), while claims linking it to TA505 or to the Lazarus Group have not been substantiated in vendor analysis. The binary is written in C++ (built on Boost and Crypto++) and early samples were signed with legitimate code-signing certificates that were revoked once the abuse became known. Encryption is hybrid: each file is encrypted with an AES key, and that key is wrapped with an RSA public key embedded in the sample, so only the holder of the matching private key can unwrap it. Encrypted files receive the extension .locked (upper-case .LOCKED in some samples).
🔧 Technical Capabilities
LockerGoga has no worm component and no command-and-control channel: it does not beacon, does not fetch keys and does not spread on its own. Everything before execution is the operator's work. The intrusions that deployed it relied on stolen administrative credentials, obtained through exposed RDP, phishing or an earlier foothold, after which the binary was pushed with legitimate tooling such as PsExec (ATT&CK T1569.002, Service Execution) or, in the Norsk Hydro case, Active Directory group policy. When run, the sample copies itself to %TEMP% under a name of the form tgytutrc followed by four digits and the .exe extension, creates the mutex MX-tgytutrc, and then spawns child copies of itself with the arguments -i SM-tgytutrc -s; the parent enumerates files and hands each path to a child over Boost interprocess communication, and the child encrypts that file. Because the per-file AES keys are wrapped with the embedded RSA public key, no key material ever leaves the host and nothing useful can be recovered from network captures. Later variants go further: they run net user to set every local account's password to a hard-coded value, log off interactive sessions and disable network adapters, so the victim is locked out of the machine and often cannot even read the ransom note (ATT&CK T1531, Account Access Removal; T1486, Data Encrypted for Impact; T1553.002 for the abused code-signing certificates). The ransomware installs no registry Run key and no other persistence mechanism; once encryption finishes it exits, and the operators do not need it to survive a reboot.
📜 History & Notable Incidents
LockerGoga first surfaced in January 2019 in an attack on the French engineering consultancy Altran. In March 2019 it struck the Norwegian aluminium producer Norsk Hydro, which switched plants to manual operation, refused to pay and rebuilt from backups; the company later put the cost at roughly NOK 550-650 million, about USD 70 million. The US chemical companies Hexion and Momentive were hit in the same month. No CVEs are associated with LockerGoga: it rides on administrative credentials and built-in tooling rather than on software vulnerabilities. In October 2021 a Europol-coordinated operation arrested twelve suspects in Ukraine and Switzerland linked to LockerGoga, MegaCortex and Dharma deployments across 71 countries, and in September 2022 Bitdefender, working with the Zurich authorities, Europol and the No More Ransom project, published a free LockerGoga decryptor built on keys recovered in that investigation.
🔍 Detection Indicators
Host behaviours are more durable indicators than hashes, because samples were rebuilt and re-signed between campaigns; take current hashes from the MITRE ATT&CK S0372 references or a vendor report rather than from an aggregator. The behaviours to look for are: a copy of the binary in %TEMP% named tgytutrc followed by four digits, the mutex MX-tgytutrc, child processes launched with -i SM-tgytutrc -s, a burst of net user commands resetting local account passwords from one host, files renamed with a .locked extension, and the ransom note README_LOCKED.txt written to the desktop. Network indicators are minimal because there is no C2 beacon; what you will see is the deployment itself, typically SMB (TCP 445) sessions in which PSEXESVC.exe is copied to the ADMIN$ share and started as a service on each target, or a group-policy push from a domain controller.
☠️ Risk & Impact
Without backups, recovery depends on the attacker's RSA private key, which the malware never exposes. Since 2022 a free decryptor covers samples whose keys law enforcement recovered, but it cannot be assumed to cover every variant, so tested backups remain the only dependable recovery path. The main impact is operational: Norsk Hydro ran smelters and extrusion lines manually for weeks while its Windows estate was rebuilt. Victims were concentrated in manufacturing, engineering and chemicals, where encryption of the IT estate spills over into production scheduling even when control systems themselves are untouched. Researchers noted that LockerGoga encrypts slowly, since it spawns a separate worker process for each file, but the password resets and forced logoffs of the later variants made machines unusable well before encryption finished, so the slowness gave defenders little respite.
🛡️ Mitigation
Because the ransomware brings no exploit, the controls that matter are the ones that deny an intruder domain-wide administrative access and the ability to push binaries: enforce multi-factor authentication on RDP and VPN or remove RDP from the internet entirely, use tiered administrative accounts so that a workstation compromise does not yield domain admin, restrict and alert on PsExec-style remote service installation and on group-policy changes, and segment networks so that SMB from user subnets to servers is not open by default (ATT&CK mitigations M1032 Multi-factor Authentication, M1026 Privileged Account Management, M1030 Network Segmentation, M1053 Data Backup). Keep offline or immutable backups and test restores; Norsk Hydro's recovery rested on that. On the detection side, write YARA or SIEM rules for the behaviours rather than for hashes: process creation of tgytutrc####.exe from %TEMP%, command lines containing SM-tgytutrc, PSEXESVC.exe launching an executable from a temp directory, several net user password resets from one host in a short window, and file writes with the .locked extension or of README_LOCKED.txt. Patching does not address LockerGoga directly, but it still narrows the initial-access options of the operators who deploy it.
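The host behaviours described in the Technical Capabilities, Detection Indicators and Mitigation sections are what a rule should key on, because the hashes change with every rebuild. What follows is an added example, not LockerGoga's code and not a rule shipped by any vendor mentioned on this page: a small Python hunt that correlates Sysmon-style process-creation and file-creation events per host and flags a host only when several independent LockerGoga indicators line up. The event records, host names, paths, account names and the password in them are constructed for the example; the indicator strings (tgytutrc, SM-tgytutrc, .locked, README_LOCKED.txt, PSEXESVC.exe) come from the public reporting summarised above.

```python
"""Hunt for LockerGoga-style deployment in endpoint telemetry.

Added example; not LockerGoga's code and not a vendor rule. Events are
constructed Sysmon-style records (EventID 1 = process creation, EventID 11 =
file creation). Field names mirror Sysmon (Computer, Image, ParentImage,
CommandLine, TargetFilename); every record, host, account and password is made up.
"""
import json
import re
from collections import defaultdict

# Indicators taken from public LockerGoga reporting; the patterns themselves are ours.
TEMP_COPY_RE = re.compile(r"\\temp\\tgytutrc\d{4}\.exe$", re.I)   # payload copied to %TEMP%
WORKER_ARGS_RE = re.compile(r"\s-i\s+SM-tgytutrc\s+-s\b", re.I)   # child encryption worker
# "net user <account> <password>"; a leading "/" is a query switch, not a password
NET_USER_PW_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(?!/)\S+", re.I)
NOTE_NAME = "readme_locked.txt"                                  # ransom note on the desktop


def proc(host, image, parent, cmd):
    return {"EventID": 1, "Computer": host, "Image": image, "ParentImage": parent, "CommandLine": cmd}


def fcreate(host, target):
    return {"EventID": 11, "Computer": host, "TargetFilename": target}


TMP = r"C:\Users\admin\AppData\Local\Temp\tgytutrc4821.exe"
SAMPLE_EVENTS = [
    # WS01: pushed via PsExec, then the tell-tale LockerGoga sequence (constructed)
    proc("WS01", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe"),
    proc("WS01", TMP, r"C:\Windows\PSEXESVC.exe", TMP),
    proc("WS01", TMP, TMP, TMP + " -i SM-tgytutrc -s"),
    proc("WS01", r"C:\Windows\System32\net.exe", TMP, "net user Administrator NewPassw0rd!"),
    proc("WS01", r"C:\Windows\System32\net1.exe", r"C:\Windows\System32\net.exe",
         r"C:\Windows\system32\net1 user svc_backup NewPassw0rd!"),
    proc("WS01", r"C:\Windows\System32\net.exe", TMP, "net user jdoe NewPassw0rd!"),
    fcreate("WS01", r"C:\Users\admin\Documents\budget.xlsx.locked"),
    fcreate("WS01", r"C:\Users\admin\Pictures\photo.jpg.locked"),
    fcreate("WS01", r"C:\Users\admin\Desktop\README_LOCKED.txt"),
    # WS02: routine helpdesk activity that must not alert (constructed)
    proc("WS02", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", "net user jdoe /domain"),
    proc("WS02", r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", "net user jdoe Reset2024!"),
    fcreate("WS02", r"C:\Users\jdoe\Downloads\report.pdf"),
]


def classify(ev):
    """Return the set of indicator names a single event matches."""
    hits = set()
    if ev.get("EventID") == 1:
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        if TEMP_COPY_RE.search(image):
            hits.add("temp_payload_copy")
        if WORKER_ARGS_RE.search(cmd):
            hits.add("encryption_worker")
        if ev.get("ParentImage", "").lower().endswith("\\psexesvc.exe"):
            hits.add("psexec_launched_child")
        if NET_USER_PW_RE.search(cmd):
            hits.add("local_password_change")
    elif ev.get("EventID") == 11:
        name = ev.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
        if name.endswith(".locked"):
            hits.add("locked_extension")
        if name == NOTE_NAME:
            hits.add("ransom_note")
    return hits


def hunt(events, min_rules=2, min_pw_accounts=3):
    """Correlate per host: one indicator alone is noise (helpdesk resets a password,
    an admin uses PsExec); several distinct indicators on one host is the signal."""
    hosts = defaultdict(lambda: {"rules": set(), "pw_accounts": set(), "locked_files": 0})
    for ev in events:
        rec = hosts[ev.get("Computer", "?")]
        hits = classify(ev)
        rec["rules"] |= hits
        if "local_password_change" in hits:
            rec["pw_accounts"].add(NET_USER_PW_RE.search(ev["CommandLine"]).group(1).lower())
        if "locked_extension" in hits:
            rec["locked_files"] += 1
    verdicts = {}
    for host, rec in hosts.items():
        rules = set(rec["rules"])
        # LockerGoga resets many accounts in a burst; a single reset is routine admin work.
        if len(rec["pw_accounts"]) < min_pw_accounts:
            rules.discard("local_password_change")
        verdicts[host] = {"suspicious": len(rules) >= min_rules,
                          "rules": sorted(rules), "locked_files": rec["locked_files"]}
    return verdicts


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Run it as a script to print the per-host verdict as JSON. The classify/hunt split maps onto how this is deployed in practice: classify is the per-event SIEM rule, hunt is the correlation search with a time window added, and min_rules and min_pw_accounts are the thresholds to tune against your own baseline of PsExec and net user usage.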
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.