LockerGoga

Malware updated 4 months ago (2024-05-04T19:44:12.322Z)
LockerGoga is ransomware known for its disruptive capabilities. It was notably deployed against Norsk Hydro in March 2019, causing significant operational disruption. LockerGoga differs from other ransomware families such as EKANS in its destructive nature. The threat actors behind LockerGoga have been identified as FIN6, a group that traditionally targeted payment card data from Point-of-Sale (POS) and eCommerce systems. Recent investigations by Mandiant Incident Response and FireEye Intelligence, however, have observed FIN6 conducting intrusions that deploy either Ryuk or LockerGoga ransomware, indicating a shift in tactics. Multiple ransomware incidents have shown ties to FIN6. The group is known for targeting large corporations and has used several ransomware families in its attacks, including LockerGoga, MegaCortex, HIVE, and Dharma. Once inside a network, the actors would remain undetected for months before deploying the ransomware and presenting a ransom note demanding payment in bitcoin in exchange for decryption keys. Their operations have spanned 71 countries and caused losses of at least several hundred million euros. The cybersecurity firm Panda Security's product, Panda Adaptive Defense, detected LockerGoga via generic signatures, protecting its customers from this infection. In response to these threats, Swiss authorities, No More Ransom, and Bitdefender developed decryption tools for the LockerGoga and MegaCortex ransomware variants, based on forensic analysis from their investigations, a significant step forward in combating these ransomware variants.
Description last updated: 2024-05-04T16:10:32.008Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Encryption
PowerShell
Associated Malware
ID | Type | Votes | Profile Description
MegaCortex | Unspecified | 7 | MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
Hive | Unspecified | 4 | Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated
WannaCry | Unspecified | 2 | WannaCry is a type of malware, specifically ransomware, that gained notoriety in 2017 as one of the largest and most damaging cyber-attacks to date. The malicious software exploits vulnerabilities in computer systems to encrypt data, effectively holding it hostage until a ransom is paid. It primaril
Ryuk | Unspecified | 2 | Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves
Source Document References
Information about the LockerGoga malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 8 months ago | An attack with the new LockerGoga ransomware in Norway
CERT-EU | 9 months ago | The Week in Ransomware - December 1st 2023 - Police hits affiliates
DARKReading | 9 months ago | Ringleader of Prolific Ransomware Gang Arrested in Ukraine
Securityaffairs | 9 months ago | International police operation dismantled prominent Ukraine-based Ransomware group
CERT-EU | 9 months ago | Ringleader of Ransomware Group in Ukraine Arrested: Europol
CERT-EU | 9 months ago | Europol shutters ransomware operation with kingpin arrests
BankInfoSecurity | 9 months ago | Police Bust Suspected Ransomware Group Ringleader in Ukraine
InfoSecurity-magazine | 9 months ago | Ukraine Police Dismantle Major Ransomware Group
CERT-EU | a year ago | Gaming, Financial Services Apps Under Attack
CERT-EU | a year ago | Free Decryptor Available for 'Key Group' Ransomware
CERT-EU | 2 years ago | How to Advance ICS Cybersecurity: Implement Continuous Monitoring
Flashpoint | a year ago | LockBit Ransomware: Inside the World's Most Active Ransomware Group
MITRE | 2 years ago | Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware | Mandiant
MITRE | 2 years ago | EKANS Ransomware and ICS Operations | Dragos
MITRE | 2 years ago | Implications of IT Ransomware for ICS Environments | Dragos
MITRE | 2 years ago | Born This Way? Origins of LockerGoga
MITRE | 2 years ago | Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
MITRE | 2 years ago | Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families | Mandiant
GovCERT CH | 2 years ago | Severe Ransomware Attacks Against Swiss SMEs
Bitdefender | 2 years ago | Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement