LockerGoga

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]

ID: S0372
Type: MALWARE
Platforms: Windows
Contributors: Joe Slowik - Dragos
Version: 2.0
Created: 16 April 2019
Last Modified: 17 October 2023

Techniques Used

Domain ID Name Use

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[3]

Enterprise T1486 Data Encrypted for Impact

LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[2][1][3]

Enterprise T1570 Lateral Tool Transfer

LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

LockerGoga has been observed deleting its original launcher after execution.[2]

Enterprise T1529 System Shutdown/Reboot

LockerGoga has been observed shutting down infected systems.[3]

Enterprise T1531 Account Access Removal

LockerGoga has been observed changing account passwords and logging off current users.[2][1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[3]

ICS T0827 Loss of Control

Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations.[4][5]

ICS T0828 Loss of Productivity and Revenue

While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity.[4][5]

ICS T0829 Loss of View

Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations.[4][5]
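As an added example, not part of the ATT&CK page or of any vendor's detection content, the following Python sketch turns two of the observations above, the "task kill" against anti-virus that precedes installation (Disable or Modify Tools) and the launcher deleting itself after execution (File Deletion), into detection logic run over constructed process-creation and file-deletion events. The event field layout, host names, the security-tool image names and the five-minute correlation window are assumptions made for this example.

```python
"""Added detection example (not from the ATT&CK page or any vendor product):
flags two LockerGoga behaviours on constructed telemetry, T1562.001 (taskkill
against a security tool, plus any process started shortly after it) and
T1070.004 (a process deleting its own image file). Field layout, host names
and the security-tool list are assumptions made for this example."""
from datetime import datetime
import re

# Assumed watch-list of security-tool image names (placeholders, not real products).
SECURITY_PROCESSES = {"av_service.exe", "edr_agent.exe"}

# Matches "taskkill ... /IM <image>" case-insensitively; /F may appear anywhere.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+\"?([^\s\"]+)", re.IGNORECASE)

# Constructed sample events: process creations and file deletions on two hosts.
SAMPLE_EVENTS = [
    {"ts": "2019-03-19T02:00:00", "host": "ws01", "type": "process", "pid": 100,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM av_service.exe"},
    {"ts": "2019-03-19T02:00:20", "host": "ws01", "type": "process", "pid": 101,
     "image": r"C:\Users\Public\launcher.exe",
     "cmdline": r"C:\Users\Public\launcher.exe"},
    {"ts": "2019-03-19T02:00:45", "host": "ws01", "type": "file_delete", "pid": 101,
     "path": r"C:\Users\Public\LAUNCHER.EXE"},
    {"ts": "2019-03-19T09:15:00", "host": "ws02", "type": "process", "pid": 200,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
    {"ts": "2019-03-19T09:16:00", "host": "ws02", "type": "file_delete", "pid": 200,
     "path": r"C:\Users\bob\notes.txt"},
]


def detect(events, window_seconds=300):
    """Return a list of findings {technique, host, detail} from event dicts."""
    findings = []
    images = {}     # (host, pid) -> lower-cased image path, for self-deletion matching
    last_kill = {}  # host -> time of the most recent security-tool taskkill
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        host = e["host"]
        if e["type"] == "process":
            images[(host, e["pid"])] = e["image"].lower()
            m = TASKKILL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in SECURITY_PROCESSES:
                last_kill[host] = ts
                findings.append({"technique": "T1562.001", "host": host,
                                 "detail": f"security tool killed: {m.group(1)}"})
            elif host in last_kill and (ts - last_kill[host]).total_seconds() <= window_seconds:
                # Any process started shortly after a tool kill is worth surfacing,
                # since the page reports the kill immediately preceding installation.
                findings.append({"technique": "T1562.001-followup", "host": host,
                                 "detail": f"process after tool kill: {e['image']}"})
        elif e["type"] == "file_delete":
            # Deleting one's own image file: the launcher-removal behaviour (T1070.004).
            if images.get((host, e["pid"])) == e["path"].lower():
                findings.append({"technique": "T1070.004", "host": host,
                                 "detail": f"self-deleted launcher: {e['path']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["host"], f["detail"])
```

On the constructed input the ws01 sequence produces three findings (the tool kill, the process launched twenty seconds later, and that process deleting its own image), while the ws02 taskkill of notepad.exe and its unrelated file deletion produce none; the path comparison is case-insensitive because Windows file systems are.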

Groups That Use This Software

ID Name References
G0037 FIN6 [6]

References