win.lockergoga

LockerGoga

Actor(s): FIN6


According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of document and source code files, but certain versions had little to no whitelist that would protect important system files such as the Windows Boot Manager.

References
Each entry lists: date | source | author(s), followed by the title and the families/actors the reference is tagged with.

2021-10-29 | Національна поліція України (National Police of Ukraine) | Національна поліція України
    Cyberpolice exposes transnational criminal group in causing $120 million in damage to foreign companies
    Tags: Cobalt Strike, Dharma, LockerGoga, MegaCortex, TrickBot

2021-10-29 | Europol | Europol
    12 targeted for involvement in ransomware attacks against critical infrastructure
    Tags: Cobalt Strike, Dharma, LockerGoga, MegaCortex, TrickBot

2020-07-15 | Mandiant | Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
    Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
    Tags: Clop, DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim, Snake

2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
    Human-operated ransomware attacks: A preventable disaster
    Tags: Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor, PARINACOTA

2020-03-04 | CrowdStrike | CrowdStrike
    2020 CrowdStrike Global Threat Report
    Tags: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER

2020-03-03 | PWC UK | PWC UK
    Cyber Threats 2019: A Year in Retrospect
    Tags: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-03-01 | Dragos | Joe Slowik
    Spyware Stealer Locker Wiper: LockerGoga Revisited
    Tags: LockerGoga

2020-02-20 | McAfee | Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
    CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
    Tags: Cobalt Strike, LockerGoga, Maze, MegaCortex

2020-02-19 | FireEye | FireEye
    M-Trends 2020
    Tags: Cobalt Strike, Grateful POS, LockerGoga, QakBot, TrickBot

2020-01-29 | ANSSI | ANSSI
    État de la menace rançongiciel (State of the ransomware threat)
    Tags: Clop, Dharma, FriedEx, Gandcrab, LockerGoga, Maze, MegaCortex, REvil, RobinHood, Ryuk, SamSam

2019-12-23 | Bleeping Computer | Lawrence Abrams
    FBI Issues Alert For LockerGoga and MegaCortex Ransomware
    Tags: LockerGoga, MegaCortex

2019-05-19 | nrk | Anders Brekke, Dennis Ravndal, Henrik Lied, Kristine Hirsti, Peter Svaar
    Skreddersydd dobbeltangrep mot Hydro (Tailor-made double attack on Hydro)
    Tags: LockerGoga

2019-05-09 | GovCERT.ch | GovCERT.ch
    Severe Ransomware Attacks Against Swiss SMEs
    Tags: Emotet, LockerGoga, Ryuk, TrickBot

2019-05-04 | Abuse.io | Abuse.io
    Abuse.io Report - Lockergoga
    Tags: LockerGoga

2019-04-16 | Youtube (Norsk Hydro) | Norsk Hydro
    The cyber attack rescue operation in Hydro Toulouse
    Tags: LockerGoga

2019-04-05 | FireEye | Alex Pennino, Andrew Thompson, Ben Fedore, Brendan McKeague, Douglas Bienstock, Geoff Ackerman, Van Ta
    Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
    Tags: LockerGoga, Ryuk, FIN6

2019-04-02 | HelpNetSecurity | Zeljka Zorz
    A LockerGoga primer and decrypters for Mira and Aurora ransomwares
    Tags: LockerGoga

2019-03-26 | Palo Alto Networks: Unit42 | Mike Harbison
    Born This Way? Origins of LockerGoga
    Tags: LockerGoga

2019-03-26 | ANSSI | ANSSI
    INFORMATION REGARDING LOCKERGOGA AND RYUK RANSOMWARE - NEW ATTACK CAMPAIGN AND TECHNICAL INDICATORS
    Tags: LockerGoga, Ryuk

2019-03-21 | DoublePulsar | Kevin Beaumont
    How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
    Tags: LockerGoga

2019-03-20 | Cisco Talos | Nick Biasini
    Ransomware or Wiper? LockerGoga Straddles the Line
    Tags: LockerGoga

2019-01-30 | Bleeping Computer | Ionut Ilascu
    New LockerGoga Ransomware Allegedly Used in Altran Attack
    Tags: LockerGoga
Yara Rules
[TLP:WHITE] win_lockergoga_auto (20260504 | Detects win.lockergoga.)
rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lockergoga."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 64a300000000 c745e000000000 8b7508 c7461000000000 c746140f000000 c60600 8b4d0c }
            // n = 7, score = 400
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_1 = { 8b4b54 8b75e8 8b5358 3bce 7425 8bfa 32c0 }
            // n = 7, score = 400
            //   8b4b54               | mov                 ecx, dword ptr [ebx + 0x54]
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   8b5358               | mov                 edx, dword ptr [ebx + 0x58]
            //   3bce                 | cmp                 ecx, esi
            //   7425                 | je                  0x27
            //   8bfa                 | mov                 edi, edx
            //   32c0                 | xor                 al, al

        $sequence_2 = { c645fc1b e8???????? 8d4db4 c645fc0e e8???????? 8b4d9c 8b06 }
            // n = 7, score = 400
            //   c645fc1b             | mov                 byte ptr [ebp - 4], 0x1b
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   e8????????           |                     
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_3 = { 8bd0 8b45d4 891408 8b4e04 8b55d0 8b0c08 83e201 }
            // n = 7, score = 400
            //   8bd0                 | mov                 edx, eax
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   891408               | mov                 dword ptr [eax + ecx], edx
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   8b0c08               | mov                 ecx, dword ptr [eax + ecx]
            //   83e201               | and                 edx, 1

        $sequence_4 = { ff36 8bce e8???????? eb20 50 ff36 8bce }
            // n = 7, score = 400
            //   ff36                 | push                dword ptr [esi]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb20                 | jmp                 0x22
            //   50                   | push                eax
            //   ff36                 | push                dword ptr [esi]
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 8d4de0 e9???????? 8d4da4 e9???????? 8d8d24ffffff e9???????? 8d4da4 }
            // n = 7, score = 400
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e9????????           |                     
            //   8d4da4               | lea                 ecx, [ebp - 0x5c]
            //   e9????????           |                     
            //   8d8d24ffffff         | lea                 ecx, [ebp - 0xdc]
            //   e9????????           |                     
            //   8d4da4               | lea                 ecx, [ebp - 0x5c]

        $sequence_6 = { c7470400000000 8d7708 c745fc00000000 8bce 8975ec c70600000000 c7460400000000 }
            // n = 7, score = 400
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   8d7708               | lea                 esi, [edi + 8]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8bce                 | mov                 ecx, esi
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0

        $sequence_7 = { 83430418 eb08 50 8bcb e8???????? 837dec10 8d45d8 }
            // n = 7, score = 400
            //   83430418             | add                 dword ptr [ebx + 4], 0x18
            //   eb08                 | jmp                 0xa
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   8d45d8               | lea                 eax, [ebp - 0x28]

        $sequence_8 = { c745fc01000000 c707???????? 8b4b54 897d0c 894f04 85c9 7405 }
            // n = 7, score = 400
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   c707????????         |                     
            //   8b4b54               | mov                 ecx, dword ptr [ebx + 0x54]
            //   897d0c               | mov                 dword ptr [ebp + 0xc], edi
            //   894f04               | mov                 dword ptr [edi + 4], ecx
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7

        $sequence_9 = { 8b4d0c 010cd0 8354d00400 837d1000 0f84cc000000 8b5348 8b4b44 }
            // n = 7, score = 400
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   010cd0               | add                 dword ptr [eax + edx*8], ecx
            //   8354d00400           | adc                 dword ptr [eax + edx*8 + 4], 0
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   0f84cc000000         | je                  0xd2
            //   8b5348               | mov                 edx, dword ptr [ebx + 0x48]
            //   8b4b44               | mov                 ecx, dword ptr [ebx + 0x44]

    condition:
        7 of them and filesize < 2588672
}
[TLP:WHITE] win_lockergoga_w0 (20190320 | Detects LockerGoga ransomware binaries)
rule win_lockergoga_w0 {
    meta:
        author = "Florian Roth"
        description = "Detects LockerGoga ransomware binaries"
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        date = "2019-03-19"
        hash = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"
        hash = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // regular expression of targeted file extensions, stored as a UTF-16 string
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide
        // log file path pattern used by the malware
        $x2 = "|[A-Za-z]:\\cl.log" wide
        // build path fragment left in the binary
        $x4 = "\\crypto-locker\\" ascii
        // UTF-16 "CompanyName" followed by the misspelled vendor string "Mlcrosoft"
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63
          00 72 00 6F 00 73 00 6F 00 66 00 74 }
        // UTF-16 ".locked" extension followed by the ASCII strings " FAILED " and " unknown exception"
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74
          69 6F 6E }
        // sentence from the ransom note
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide
    condition:
        1 of ($x*) or $rn1
}