LockerGoga

Malware updated a month ago (2024-10-15T10:01:38.539Z)
LockerGoga is ransomware: malware that infiltrates computer systems and holds data hostage until a ransom is paid. It was notably deployed in the March 2019 attack against Norsk Hydro. The malware was distributed by the threat group FIN6, which traditionally targeted payment card data from Point-of-Sale (POS) and eCommerce systems but expanded its operations to include targeted ransomware attacks, such as those involving LockerGoga and Ryuk. FireEye's Mandiant Incident Response investigations and intelligence research have identified connections between FIN6 and multiple instances of these ransomware attacks.

Deployment of LockerGoga relies on batch script files: PsExec is used to execute batch and PowerShell scripts and, finally, to run LockerGoga on as many devices as possible. The ransom note is presented to victims only after the malware has gone undetected in the compromised systems for some time, often months. The criminals demand payment in bitcoin in exchange for decryption keys. The threat actors are affiliates of various ransomware operations, including LockerGoga, MegaCortex, HIVE, and Dharma, and are known for targeting large corporations.

Despite the potential devastation caused by LockerGoga, defenses are available. For instance, Panda Adaptive Defense, an advanced cybersecurity solution combining EPP and EDR systems, detected LockerGoga via generic signatures, effectively protecting its customers from infection. Individuals or companies affected by LockerGoga can use freely available tools to recover their files. As the fight against ransomware continues, it is crucial to implement robust cybersecurity strategies to prevent future infections.
Description last updated: 2024-10-15T09:24:54.296Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Encryption
PowerShell
Associated Malware
Alias | Description | Association Type | Votes
MegaCortex | The MegaCortex Malware is associated with LockerGoga. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria | Unspecified | 7
Hive | The Hive Malware is associated with LockerGoga. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag | Unspecified | 4
WannaCry | The WannaCry Malware is associated with LockerGoga. WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2 | Unspecified | 2
Ryuk | The Ryuk Malware is associated with LockerGoga. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves | Unspecified | 2
Source Document References
Information about the LockerGoga Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created
CERT-EU | 10 months ago
CERT-EU | a year ago
DARKReading | a year ago
Securityaffairs | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago
InfoSecurity-magazine | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | 2 years ago
Flashpoint | a year ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
GovCERT CH | 2 years ago
Bitdefender | 2 years ago