LockerGoga (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.lockergoga (Back to overview)

LockerGoga

Actor(s): FIN6

VTCollection

According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.

References

2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-03-01 ⋅ Dragos ⋅ Joe Slowik
Spyware Stealer Locker Wiper Locker Goga Revisited
LockerGoga

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex

2019-05-19 ⋅ ⋅ nrk ⋅ Anders Brekke, Dennis Ravndal, Henrik Lied, Kristine Hirsti, Peter Svaar
Skreddersydd dobbeltangrep mot Hydro
LockerGoga

2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot

2019-05-04 ⋅ Abuse.io ⋅ Abuse.io
Abuse.io Report - Lockergoga
LockerGoga

2019-04-16 ⋅ Youtube (Norsk Hydro) ⋅ Norsk Hydro
The cyber attack rescue operation in Hydro Toulouse
LockerGoga

2019-04-05 ⋅ FireEye ⋅ Alex Pennino, Andrew Thompson, Ben Fedore, Brendan McKeague, Douglas Bienstock, Geoff Ackerman, Van Ta
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6

2019-04-02 ⋅ HelpNetSecurity ⋅ Zeljka Zorz
A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga

2019-03-26 ⋅ paloalto Netoworks: Unit42 ⋅ Mike Harbison
Born This Way? Origins of LockerGoga
LockerGoga

2019-03-21 ⋅ DoublePulsar ⋅ Kevin Beaumont
How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga

2019-03-20 ⋅ Cisco Talos ⋅ Nick Biasini
Ransomware or Wiper? LockerGoga Straddles the Line
LockerGoga

2019-01-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu
New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga

Yara Rules

[TLP:WHITE] win_lockergoga_auto (20251219 | Detects win.lockergoga.)

rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.lockergoga."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c718 83c618 897dec 3bf3 75eb 8bc7 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c718               | add                 edi, 0x18
            //   83c618               | add                 esi, 0x18
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   3bf3                 | cmp                 esi, ebx
            //   75eb                 | jne                 0xffffffed
            //   8bc7                 | mov                 eax, edi

        $sequence_1 = { 84c0 7405 8b7608 eb4e 8b8564ffffff 80780d00 743a }
            // n = 7, score = 400
            //   84c0                 | test                al, al
            //   7405                 | je                  7
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   eb4e                 | jmp                 0x50
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   80780d00             | cmp                 byte ptr [eax + 0xd], 0
            //   743a                 | je                  0x3c

        $sequence_2 = { c645fc1b e8???????? 8d4db4 c645fc0e e8???????? 8b4d9c 8b06 }
            // n = 7, score = 400
            //   c645fc1b             | mov                 byte ptr [ebp - 4], 0x1b
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   e8????????           |                     
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_3 = { 56 83c0c8 50 e8???????? 837d9000 c745a800000000 0f8691000000 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   83c0c8               | add                 eax, -0x38
            //   50                   | push                eax
            //   e8????????           |                     
            //   837d9000             | cmp                 dword ptr [ebp - 0x70], 0
            //   c745a800000000       | mov                 dword ptr [ebp - 0x58], 0
            //   0f8691000000         | jbe                 0x97

        $sequence_4 = { 57 8d4d9c e8???????? 8b7da0 8b45cc c645fc0b }
            // n = 6, score = 400
            //   57                   | push                edi
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   e8????????           |                     
            //   8b7da0               | mov                 edi, dword ptr [ebp - 0x60]
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb

        $sequence_5 = { 8365ec00 ff75ec e8???????? 59 0fb6c0 85c0 7408 }
            // n = 7, score = 400
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa

        $sequence_6 = { 51 50 e8???????? 8b45ec 83c408 c7461000000000 c746140f000000 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83c408               | add                 esp, 8
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf

        $sequence_7 = { 895108 50 8bce e8???????? 8b560c 8d4508 50 }
            // n = 7, score = 400
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax

        $sequence_8 = { 6a08 8975ec c7450800000000 c70600000000 c7460400000000 c7460800000000 c7460c00000000 }
            // n = 7, score = 400
            //   6a08                 | push                8
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   c7460800000000       | mov                 dword ptr [esi + 8], 0
            //   c7460c00000000       | mov                 dword ptr [esi + 0xc], 0

        $sequence_9 = { 8b4da0 c6400100 8808 e9???????? b8ffffff7f 2bc1 83f801 }
            // n = 7, score = 400
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   c6400100             | mov                 byte ptr [eax + 1], 0
            //   8808                 | mov                 byte ptr [eax], cl
            //   e9????????           |                     
            //   b8ffffff7f           | mov                 eax, 0x7fffffff
            //   2bc1                 | sub                 eax, ecx
            //   83f801               | cmp                 eax, 1

    condition:
        7 of them and filesize < 2588672
}

[TLP:WHITE] win_lockergoga_w0 (20190320 | Detects LockerGoga ransomware binaries)

rule win_lockergoga_w0 {   
    meta:   
        author = "Florian Roth"   
        description = "Detects LockerGoga ransomware binaries"   
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"   
        license = "https://creativecommons.org/licenses/by-nc/4.0/"   
        date = "2019-03-19"   
        hash = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"   
        hash = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"   
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"   
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:   
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide   
        $x2 = "|[A-Za-z]:\\cl.log" wide   
        $x4 = "\\crypto-locker\\" ascii   
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E   
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63   
          00 72 00 6F 00 73 00 6F 00 66 00 74 }   
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00   
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00   
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74   
          69 6F 6E }   
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide   
    condition:   
        1 of ($x*) or $rn1
}

Download all Yara Rules

LockerGoga Propose Change

References

Yara Rules

LockerGoga