{
	"id": "4eb9e093-793d-4669-bdd8-06597cb92064",
	"created_at": "2026-04-10T03:20:31.220224Z",
	"updated_at": "2026-04-10T03:22:17.41904Z",
	"deleted_at": null,
	"sha1_hash": "0a2036d7089d4d9254aa698f39b4faeb5f0bf439",
	"title": "FBI Issues Alert For LockerGoga and MegaCortex Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 794992,
	"plain_text": "FBI Issues Alert For LockerGoga and MegaCortex Ransomware\r\nBy Lawrence Abrams\r\nPublished: 2019-12-23 · Archived: 2026-04-10 03:03:28 UTC\r\nThe FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex ransomware.\r\nBoth LockerGoga and MegaCortex are ransomware infections that target the enterprise by compromising the network and then attempting to encrypt all its devices.\r\nIn an FBI Flash Alert marked as TLP:Amber and seen by BleepingComputer, the FBI is warning private industry about the two ransomware infections and how they attack a network.\r\n\"Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga.\"\r\nAccording to the alert, the actors behind LockerGoga and MegaCortex gain a foothold on a corporate network using exploits, phishing attacks, SQL injections, and stolen login credentials.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/\r\nPage 1 of 3\n\nOnce a network is compromised, the threat actors install the penetration testing tool Cobalt Strike. This tool allows the attackers to deploy \"beacons\" on a compromised device to \"create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system.\"\r\nWhen a network is compromised, the actors remain resident on the network for months before they deploy the LockerGoga or MegaCortex ransomware.\r\nWhile the FBI has not said what these attackers are doing during this period, the actors are probably exfiltrating data, deploying information-stealing trojans, and further compromising workstations and servers.\r\nOnce the network has been harvested of anything of value, the attackers deploy the LockerGoga or MegaCortex infections so that they begin to encrypt the devices on the network. This generates a final revenue source for the attackers.\r\nDuring the ransomware deployment, the FBI states the actors execute a kill.bat or stop.bat batch file that terminates processes and services related to security programs, disables Windows Defender scanning features, and disables security-related services.\r\nThe threat actors also use a variety of LOLBins and legitimate software such as 7-Zip, PowerShell scripts, wmic, nslookup, adfind.exe, mstds.exe, Mimikatz, Ntsdutil.exe, and massscan.exe.\r\nUnfortunately, both of these ransomware infections use a secure encryption algorithm, which means it is not possible to decrypt them for free.\r\nFBI's recommended mitigations\r\nThe FBI offers guidance and mitigation advice that business owners should use to minimize their risk from the LockerGoga and MegaCortex ransomware.\r\nThe most important mitigation provided by the FBI is to make sure you \"backup data regularly, keep offline backups, and verify integrity of backup process.\"\r\nBy having working and verified backups, especially offline backups, ransomware is not a threat as you can always restore your data.\r\nOther mitigations suggested by the FBI include:\r\nMake sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.\r\nEnable two-factor authentication and strong passwords to block phishing attacks, stolen credentials, or other login compromises.\r\nAs publicly exposed remote desktop servers are a common way for attackers to first gain access to a network, businesses should audit logs for all remote connection protocols.\r\nAudit the creation of new accounts.\r\nScan for open or listening ports on the network and block them from being accessible.\r\nDisable SMBv1 as numerous vulnerabilities and weaknesses exist in the protocol.\r\nMonitor the organization's Active Directory and administrator group changes for unauthorized users.\r\nMake sure you are using the most up-to-date PowerShell and uninstall any older versions.\r\n\"Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell\"\r\nThis guidance is general enough that it applies to all ransomware infections and should be followed by all organizations and even consumers.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/"
	],
	"report_names": [
		"fbi-issues-alert-for-lockergoga-and-megacortex-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791231,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a2036d7089d4d9254aa698f39b4faeb5f0bf439.pdf",
		"text": "https://archive.orkl.eu/0a2036d7089d4d9254aa698f39b4faeb5f0bf439.txt",
		"img": "https://archive.orkl.eu/0a2036d7089d4d9254aa698f39b4faeb5f0bf439.jpg"
	}
}