{
	"id": "7c7a10b2-6165-4c3a-87df-026da2ba22d9",
	"created_at": "2026-04-06T00:18:57.092826Z",
	"updated_at": "2026-04-10T03:19:57.480429Z",
	"deleted_at": null,
	"sha1_hash": "277efddc38e67ef65453dca77483f1f34754cbed",
	"title": "Ransomware or Wiper? LockerGoga Straddles the Line",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 488244,
	"plain_text": "Ransomware or Wiper? LockerGoga Straddles the Line\r\nBy Nick Biasini\r\nPublished: 2019-03-20 · Archived: 2026-04-05 14:32:20 UTC\r\nWednesday, March 20, 2019 14:08\r\nExecutive Summary\r\nRansomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and even cause operational impacts in critical systems that may be infected. LockerGoga is yet another example of this sort of malware. It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. Cisco Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.\r\nEarlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted. Some of the later versions of LockerGoga, while still employing the same encryption, have also been observed forcibly logging the victim off of the infected systems and removing their ability to log back in to the system following the encryption process. The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. These later versions of LockerGoga could then be described as destructive.\r\nWhile the initial infection vector associated with LockerGoga is currently unknown, attackers can use a wide variety of techniques to gain network access, including exploiting unpatched vulnerabilities and phishing user credentials. Expanding initial access into widespread control of the network is facilitated by similar techniques, with stolen user credentials being an especially lucrative vector to facilitate lateral movement. For example, the actors behind the SamSam attacks leveraged vulnerable servers exposed to the internet as their means of obtaining initial access to environments they were targeting.\r\nLockerGoga Details\r\nSeveral of the LockerGoga samples observed in the wild appear to have been signed using a certificate that was issued to ALISA LTD by Sectigo:\r\nhttps://blog.talosintelligence.com/lockergoga/\r\nPage 1 of 6\r\nThis was likely an attempt by the malware author to minimize anti-malware detection, as executables that are signed using valid certificates may not be analyzed as rigorously as executables with no signature verification. The certificate has since been revoked by the issuer.\r\nDuring the infection process, the LockerGoga executable is copied to the %TEMP% directory on the victim system and executed.\r\nTalos has also observed versions of the LockerGoga ransomware that attempt to clear the Windows Event Logs using the following command syntax:\r\nThe ransomware then creates the ransom note and begins the encryption process. LockerGoga supports many of the common types of files that organizations typically use to store important data. As files are encrypted, the originals are deleted and replaced with the encrypted data, which is stored as files with the \"*.LOCKED\" file extension. Unlike many ransomware variants commonly observed, LockerGoga also encrypts the contents of the victim's Recycle Bin directory.\r\nOne other interesting aspect of the LockerGoga variant is that the files appear to be encrypted individually. When interacting with the sample, Talos observed commands being executed to encrypt each individual file, an example of which you can find below. This isn't commonly done since it's inefficient and creates overhead.\r\nLockerGoga Ransom Note\r\nFollowing a successful infection, the LockerGoga ransomware writes a ransom note to the victim's desktop as a text file called \"README_LOCKED.txt.\" Note that, in our research, we did find another campaign in January that was using a ransom note filename of \"README-NOW.txt.\" Opening the ransom note with Notepad reveals the following:\r\nInterestingly, unlike many of the more sophisticated ransomware variants seen in recent years, the ransom note does not include instructions for using a payment portal to process the ransom payment. It also does not include a Bitcoin or Monero wallet address and simply includes instructions for contacting the malware distributor via two email addresses that are included in the note. Talos has observed different emails listed across various samples that were analyzed.\r\nThere also does not appear to be a dedicated command and control (C2) structure set up to facilitate remote connectivity with the attackers. The attackers are also offering to decrypt a small number of encrypted files for free as a way to further convince victims of the legitimacy of the operation and maximize the likelihood that the victim will pay the ransom demand. Additionally, Talos has observed no evidence to suggest that LockerGoga has the ability to self-propagate across hosts on a network where an infection has taken place.\r\nConclusion\r\nData is a valuable resource on all of our systems, whether that data is user photos or corporate documents. Therefore, ransomware continues to be a significant threat because it enables an attacker to steal that valuable data and hold it for ransom. Talos has seen financially motivated cybercriminals using ransomware in an attempt to generate a profit, while other adversaries have used ransomware as a cover (such as the NotPetya attack) to disrupt the operation of the network and hide their tracks by making forensic analysis more difficult.\r\nBetween using active exploitation, sending a threat via email or over the web, or even using stolen or bought credentials, the possibilities are virtually endless. This is where some of the basic tenets of security come into play. Organizations increasingly need to have near real-time visibility into their endpoints in addition to the protective capabilities that products like AMP provide. Additionally, having multi-factor authentication (MFA) like Duo enabled on systems can help prevent initial infection or slow its spread by limiting lateral access. Following established best practices with regard to network architecture and proper network segmentation can also help minimize operational disruption from threats such as ransomware, wiper malware, etc. Talos will continue to monitor this threat to ensure that customers remain protected from any evolutions that will inevitably occur.\r\nNote: This blog post discusses active research by Talos. This information should be considered preliminary and will be updated as research continues.\r\nCoverage\r\nLockerGoga is currently detected by Cisco security products, which can be used by organizations to protect their environments from this and other ransomware attacks.\r\nExample ThreatGrid Indicator Report:\r\nExample AMP Detection:\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Try AMP for free here.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nIndicators of Compromise\r\nThe following indicators of compromise have been observed to be associated with attacks leveraging the LockerGoga ransomware.\r\nLockerGoga Executables (SHA256):\r\nc97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15\r\n88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f\r\neda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0\r\nba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f\r\n7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26\r\nc3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a\r\nEmail Addresses from Ransom Notes:\r\nMayarChenot@protonmail[.]com\r\nDharmaParrack@protonmail[.]com\r\nSayanWalsworth96@protonmail[.]com\r\nwyattpettigrew8922555@mail[.]com\r\nSuzuMcpherson@protonmail[.]com\r\nQicifomuEjijika@o2[.]pl\r\nAsuxidOruraep1999@o2[.]pl\r\nRezawyreEdipi1998@o2[.]pl\r\nAbbsChevis@protonmail[.]com\r\nIjuqodiSunovib98@o2[.]pl\r\nSource: https://blog.talosintelligence.com/lockergoga/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/lockergoga/"
	],
	"report_names": [
		"lockergoga"
	],
	"threat_actors": [],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/277efddc38e67ef65453dca77483f1f34754cbed.pdf",
		"text": "https://archive.orkl.eu/277efddc38e67ef65453dca77483f1f34754cbed.txt",
		"img": "https://archive.orkl.eu/277efddc38e67ef65453dca77483f1f34754cbed.jpg"
	}
}