{
	"id": "b840c285-a117-4674-b401-0bfbc3b85574",
	"created_at": "2026-04-06T00:13:59.51261Z",
	"updated_at": "2026-04-10T03:21:32.734297Z",
	"deleted_at": null,
	"sha1_hash": "a41fb255e37075d76e9e5e6be95d5a08b4188ad2",
	"title": "What You Need to Know About the LockerGoga Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245565,
	"plain_text": "What You Need to Know About the LockerGoga Ransomware\r\nArchived: 2026-04-05 18:29:17 UTC\r\nThe systems of Norwegian aluminum manufacturing company Norsk Hydro were reportedly struck last Tuesday, March 19, by LockerGoga ransomware. In a statement posted on their Facebook page, Norsk Hydro noted their “lack of ability to connect to the production systems causing production challenges and temporary stoppage at several plants.” The other plants, which had to be kept running, were forced to switch to manual operations.\r\nTrend Micro’s solutions, such as Trend Micro™ Security products, Smart Protection Suites, and Worry-Free™ Business Security, actively detect and block LockerGoga. Trend Micro detects the ransomware and its variants as Ransom.Win32.LOCKERGOGA.THBOGAI, Ransom.Win32.LOCKERGOGA.AA, and Ransom.Win64.LOCKERGOGA.A. Our in-depth analysis of LockerGoga is still ongoing, and we will update this FAQ as we uncover more details on this threat.\r\nHere’s what you need to know about the LockerGoga ransomware:\r\nHow does it arrive in the system?\r\nFurther research into LockerGoga revealed that the ransomware was dropped and executed by a renamed PsExec tool. It is the same system administration tool abused by various ransomware such as SOREBRECT and Bad Rabbit. This could mean that the network was already compromised, and that the attackers conducted lateral movement. Since PsExec requires credentials to work, the attackers may have already obtained the credentials either through brute force, spearphishing, or a previous malware infection or attack.\r\nLockerGoga's destructive routines could also provide clues on how it is distributed. Since the ransomware neither gives the victims a chance to recover the files nor specifically asks for payment, LockerGoga's distribution was likely targeted and intended to disrupt operations.\r\nIs LockerGoga a new ransomware family?\r\nLockerGoga first made the news in January this year after it was reportedly used in an attack on Altran Technologies, an engineering consultancy company based in France. According to the company's press release, Altran Technologies shut down its IT networks and all applications to mitigate the threat. It also affected its operations in some countries in Europe.\r\nWhat happens once LockerGoga infects a system?\r\nOnce installed, LockerGoga modifies the user accounts in the infected system by changing their passwords. It also tries to log off users logged in to the system. It then relocates itself into a temp folder and renames itself using the command line (cmd). The command-line parameter used does not contain the file paths of the files targeted for encryption.\r\nLockerGoga encrypts files stored on systems such as desktops, laptops, and servers. Each time LockerGoga encrypts a file, a registry key (HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session00{01-20}) is modified. After the encryption process, LockerGoga leaves a ransom note in a text file (README_LOCKED.txt) in the desktop folder.\r\nSnapshot of LockerGoga’s code showing the list of file extensions targeted for encryption\r\nHow does LockerGoga spread?\r\nInitial analysis showed that LockerGoga, by itself, doesn’t appear to have the capability to propagate like WannaCry or Petya/NotPetya.\r\nStatic analysis also revealed that LockerGoga enumerates the infected system’s Wi-Fi and/or Ethernet network adapters. It will then attempt to disable them through the CreateProcessW function via command line (netsh.exe interface set interface DISABLE) to disconnect the system from any outside connection. LockerGoga runs this routine after its encryption process but before it logs out the current account. This is a notable behavior. Its file encryption routine could be considered less consequential since LockerGoga already locks the user out of the system by changing the accounts’ passwords.\r\nSnapshot of LockerGoga’s code showing how LockerGoga disables the infected system's network adapter\r\nHow could LockerGoga evade traditional security solutions?\r\nLockerGoga’s code is digitally signed using various valid certificates: Alisa Ltd., Kitty’s Ltd., and Mikl Limited. These certificates have since been revoked. Using a valid certificate could let the ransomware into the system. LockerGoga doesn’t have network traffic, which can let it sidestep network-based defenses.\r\nLockerGoga also has routines that can evade sandboxes and virtual machines (VMs). The main process thread for some of LockerGoga’s variants, for example, sleeps over 100 times before it executes. This is a technique used by various ransomware families and other threats, such as those used in targeted attacks. There are also some variants of LockerGoga that evade machine learning-based detection engines. We are still verifying these anti-sandbox and anti-machine learning capabilities in particular variants. This tactic isn’t new: some Cerber ransomware variants, for instance, are known to have similar techniques.\r\nWhat file types does LockerGoga encrypt?\r\nLockerGoga’s encryption process is instance-based, which is unusual compared to most ransomware families. This means that the ransomware spawns one process for each file that it encrypts. Some variants, however, encrypt more than one file per spawned process. LockerGoga encrypts documents and PDFs, spreadsheets and PowerPoint files, database files, and videos, as well as JavaScript and Python files. Here are some of the file extensions that LockerGoga targets to encrypt: .doc, .dot, .docx, .docb, .dotx, .wkb, .xlm, .xml, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db, .sql, .cs, .ts, .js, .py.\r\nSome of the variants of LockerGoga have certain parameters that include, but are not limited to: encrypting a specific file, erasing a file, the email used in the ransom note, and even encryption of all file types.\r\nIn some of the samples we analyzed, LockerGoga prevents the victim from booting the infected system if it is restarted. LockerGoga’s encryption process has little to no whitelist. This means that it will also encrypt Windows Boot Manager (BOOTMGR), which helps start the operating system. The image below shows the message displayed after an infected system is restarted.\r\nThe prompt displayed by an infected system after being restarted\r\nCan systems and files encrypted by LockerGoga be decrypted?\r\nAt this time, there is no known way to unlock or decrypt systems and files encrypted by LockerGoga. It's worth noting that, compared to other ransomware families, some LockerGoga variants do not have a list of files to encrypt, and all of the variants that we have found do not allow an infected system to function well enough for the victim to pay the ransom or use a decryption tool.\r\nIs LockerGoga a targeted attack?\r\nThere are no clear-cut indications that LockerGoga was used as part of an actual targeted attack, unlike the way attackers likely used Ryuk ransomware. On the other hand, LockerGoga could be used and deployed to attack systems of certain targets, similar to the way HDDCryptor, Erebus Linux ransomware, and Crysis were used. LockerGoga, for instance, neither has network and command-and-control (C\u0026C) activities nor relies on a C\u0026C server to generate encryption keys, both of which are typical in cybercrime-driven ransomware attacks.\r\nDoes LockerGoga have any connection to the Ryuk ransomware?\r\nWhile both ransomware families could be said to have been used against specific targets, LockerGoga doesn’t appear to have direct links to the Ryuk ransomware. For example, LockerGoga lacks certain routines that Ryuk has, such as network propagation and information theft. Here’s a comparison between LockerGoga and Ryuk:\r\nSHA-1: Ryuk: f047f4f4aa45c4ad3f158462178c0cfcc7373fe2; LockerGoga: 37cdd1e3225f8da596dc13779e902d8d13637360, b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b\r\nPlatform: Ryuk: Windows NT; LockerGoga: Windows NT\r\nCompiler: Ryuk: Microsoft Visual C++; LockerGoga: Microsoft Visual C++ (2015)\r\nRansom Note: Ryuk: RyukReadMe.txt; LockerGoga: README-NOW.txt, README_LOCKED.txt (depends on variant)\r\nInstallation: Ryuk: Filename as is; executed from execution directory; injected in all running processes except csrss.exe, explorer.exe, and lsaas.exe. LockerGoga: Dropped as %TEMP%\\svc{random}.{random number}.exe; executed as %TEMP%\\svc{random}.{random number}.exe -{random} -{random} {random}; %TEMP%\\tgytutrc{4 Random Numbers}.exe\r\nExtension appended to encrypted files: Ryuk: .ryk; LockerGoga: .locked\r\nProcess Terminations: Ryuk: Stops AV-related processes or services, SQL-related applications, backup management software services, and Microsoft Office processes; LockerGoga: none listed\r\nStartup Routine: Ryuk: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and svchos = {filepath as is \\ filename as is}; LockerGoga: none listed\r\nFiles Encrypted: Ryuk: Documents, images, spreadsheets, and PDFs except those in these folders: $Recycle.Bin, Windows, Mozilla, Chrome, AhnLab. LockerGoga: Documents, spreadsheets, slideshows, media, and scripts among others, except in %Program Files%, %ProgramData%, %System Root%\\Recycle Bin, and %System Root%\\Boot\r\nNotable Behavior: Ryuk: Deletes all Shadow Volume copies via vssadmin.exe and /all /Quiet; LockerGoga: Modifies passwords of all user accounts\r\nEncryption Algorithm: Ryuk: RSA-4096 and AES-256 encryption algorithms; LockerGoga: Crypto++\r\nFile Structure: Ryuk: Not Packed; LockerGoga: Not Packed\r\nHow can users and businesses defend against LockerGoga?\r\nHere are some of the best practices against ransomware like LockerGoga:\r\nRegularly back up files.\r\nKeep systems and applications updated, or use virtual patching for legacy or unpatchable systems and software.\r\nEnforce the principle of least privilege: Secure system administration tools that attackers could abuse; implement network segmentation and data categorization to minimize further exposure of mission-critical and sensitive data; disable third-party or outdated components that could be used as entry points.\r\nSecure email gateways to thwart threats via spam and avoid opening suspicious emails.\r\nImplement defense in depth: Additional layers of security like application control and behavior monitoring help thwart unwanted modifications to the system or execution of anomalous files.\r\nFoster a culture of security in the workplace.\r\nUpdated as of March 20, 2019, 8:20PM PDT to clarify the following details: how LockerGoga disables the infected system's network adapter; the use of RDP; deletion of backups; and file extensions targeted for encryption.\r\nUpdated as of March 28, 2019, 11:06PM PDT to add possible arrival methods and new updates on some other variants analyzed.\r\nUpdated as of April 11, 2019, 12:17AM PDT to clarify a subheading about LockerGoga being used as part of a targeted attack.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware"
	],
	"report_names": [
		"what-you-need-to-know-about-the-lockergoga-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a41fb255e37075d76e9e5e6be95d5a08b4188ad2.pdf",
		"text": "https://archive.orkl.eu/a41fb255e37075d76e9e5e6be95d5a08b4188ad2.txt",
		"img": "https://archive.orkl.eu/a41fb255e37075d76e9e5e6be95d5a08b4188ad2.jpg"
	}
}