{
	"id": "9ce52f4e-c0f8-49f5-8f5b-698f34692531",
	"created_at": "2026-04-29T02:21:31.7874Z",
	"updated_at": "2026-04-29T08:22:58.969574Z",
	"deleted_at": null,
	"sha1_hash": "8ecd88f31d460850ff7b7dfb46a09e1dc045b2a1",
	"title": "Spyware Stealer Locker Wiper: LockerGoga Revisited",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47567,
	"plain_text": "Spyware Stealer Locker Wiper: LockerGoga Revisited\r\nBy Dragos, Inc.\r\nPublished: 2020-03-17 · Archived: 2026-04-29 02:11:40 UTC\r\nThis blog summarizes Principal Adversary Hunter Joe Slowik’s whitepaper, “Spyware Stealer Locker Wiper: LockerGoga Revisited.”\r\nLockerGoga ransomware severely impacted the Norwegian metals giant Norsk Hydro and provides a blueprint for malicious entities to weaponize ransomware variants for disruptive purposes. The Norsk Hydro event incorporated unique disruptive characteristics that call into question whether the attackers ever intended to decrypt systems after infection. Insufficient data exists to adequately categorize the Norsk Hydro event as a state-sponsored disruption event rather than a financially motivated criminal exercise. Ransomware has destructive capability, and repurposed ransomware may allow nation-states to hide behind criminal activity and prevent victims from reporting incidents.\r\nLockerGoga first emerged in January 2019 with a ransomware event at the French engineering company Altran Technologies.\r\nInstead of introducing a self-propagating file into the network, the Altran incident involved an extensive, interactive breach by an unknown entity leveraging publicly and commercially available tools, such as Metasploit, PowerShell Empire, Cobalt Strike, and PSExec, to move laterally through the network. LockerGoga encrypts all files outside Program Files and operating system directories. Attackers can hold an entire network hostage, negotiating for decryption of the entire victim space, rather than providing per-host decryption instructions through a set price and a reference to a Bitcoin or related cryptocurrency wallet.\r\nFollowing the events at Altran, there were no recorded or public sightings of LockerGoga until 19 March 2019, when the Norwegian power and aluminum company Norsk Hydro faced a crippling cyberattack. Norsk Hydro was able to resume reduced operations by placing impacted industrial and production systems in manual operations mode. Reporting from the Norwegian CERT indicated LockerGoga execution was enabled by a widespread compromise of Norsk Hydro’s Windows Active Directory (AD) instance. Unknown entities managed to spoof legitimate communication with a Norsk Hydro customer and used this to deliver a malicious attachment matching expected communication with Norsk Hydro itself. Multiple versions of LockerGoga may have been active in the Hydro environment simultaneously, including variants similar to the previous types performing encrypt-only operations. The attack itself took place the day after Hydro announced its existing CEO was stepping down to be replaced by an internal candidate. Norwegian reporting indicated that multiple Norwegian companies were targeted by the same entity responsible for the Hydro event, and that these companies were able to thwart the attackers based on quick information sharing from Norsk Hydro with Norwegian authorities.\r\nApproximately one month after the Norsk Hydro event, indications emerged that LockerGoga intrusions might be tied to a single entity, FireEye-designated FIN6, also responsible for some Ryuk ransomware events. Examination indicates the link to FIN6 appears to be a replication or extension of previously cited work by the French CERT surrounding criminal activity deploying LockerGoga and Ryuk. Reports also exclusively cover LockerGoga variants performing encryption-only operations, instead of the more disruptive variant at Norsk Hydro. One possibility behind LockerGoga’s sudden rise and equally sudden disappearance is that the entity behind the malware simply evolved or modified capabilities, especially after a very high-profile event such as Norsk Hydro. While there are superficial similarities between the malware families, and they have been referenced together in public alerts on ransomware activity, available evidence supports only a tangential connection at best between the two.\r\nhttps://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/\r\nPage 1 of 3\r\nFrom a propagation standpoint, ransomware authors and those deploying malware have in many cases shifted network compromise from the use of self-spreading tools to more deliberate, interactive compromise of victim environments. This trend is observed in the “big game hunting” type of intrusions associated with Ryuk, LockerGoga, and MegaCortex (among others), where attackers compromise the network and then use the resulting access to seed ransomware for future coordinated execution. The shift from per-host victim encryption to per-network encryption schemas, where entire organizations are impacted, provides a means to achieve widespread disruption without having to “fake” the existence of a decryption mechanism.\r\nMalware is a tool to obtain an objective, and when combined with concerns over attribution (and potential retaliation), an attack that is minimally complex while avoiding assignment of blame can be effective in achieving an attacker’s goals. The required alterations can be relatively minimal: changes that encrypt or disable systems (such as NotPetya’s MBR/MFT capability, or the Norsk Hydro LockerGoga variant’s forced reboot after disabling network connectivity and changing credentials) suffice to achieve disruptive goals. As campaigns become more harmful and more brazen, governments are increasingly willing to publicly condemn attackers and impose a degree of cost on the entities responsible. By providing a means not only to obfuscate attribution but to redirect blame to likely criminal elements, a ransomware-as-disruptor pattern is ideally placed to enable actions in locations such as the U.S. or Europe while avoiding likely consequences.\r\nOrganizations may publicly declare willingness to work with governmental partners, but when such cooperation comes with potential risks of leaks, disclosures, or impacts to reputation, the cooperation may be very shallow or effectively non-existent. Pharmaceutical giant Merck, food products manufacturer Mondelez, and other entities attempted to recoup losses via insurance policies which included coverage for cyber events. All claims were denied due to “act of war” provisions in the policies exempting such actions from coverage. In the NotPetya-related cases, the information that enabled insurance companies to invoke the war exemptions in those policies derived from government reporting and condemnation of the event as a Russia-directed effort. In this environment, if a company has even the slightest thought that circumstances were brought about by a possible state-sponsored attack, financial incentives would argue for sharing as little technical and related information as possible that could be used to make a public case for state-sponsored attribution. Incentives driven by financial penalties or losses mean a potential state-sponsored or directed actor has significant space to operate directly in view of government authorities (or commercial security vendors) charged with safeguarding entities under their control or protection.\r\nWhile insufficient evidence exists to definitively determine that the Norsk Hydro event was truly a disruptive attack instead of another (if spectacular) ransomware event, details showcase items that forecast potential developments in the field of cyberwarfare. The combination of a modification of existing ransomware, increased disruptive impacts from such malware, and targeting and timing specificity provides a blueprint for how a state-directed adversary could utilize criminal tooling to execute deniable, but effective, disruptive operations.\r\nSource: https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/"
	],
	"report_names": [
		"spyware-stealer-locker-wiper-lockergoga-revisited"
	],
	"threat_actors": [
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-29T06:58:57.721901Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-29T06:58:57.881964Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-29T06:58:57.520777Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-29T06:58:56.226224Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"White Giant",
				"GOLD FRANKLIN",
				"ATK88",
				"G0037",
				"Camouflage Tempest",
				"TA4557",
				"Storm-0538",
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429291,
	"ts_updated_at": 1777450978,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ecd88f31d460850ff7b7dfb46a09e1dc045b2a1.pdf",
		"text": "https://archive.orkl.eu/8ecd88f31d460850ff7b7dfb46a09e1dc045b2a1.txt",
		"img": "https://archive.orkl.eu/8ecd88f31d460850ff7b7dfb46a09e1dc045b2a1.jpg"
	}
}