{
	"id": "f63a97b2-f94e-4b11-8c0b-452fb8fa0a7a",
	"created_at": "2026-04-06T00:22:37.216399Z",
	"updated_at": "2026-04-10T13:12:45.525119Z",
	"deleted_at": null,
	"sha1_hash": "bb989e7b81d4fb3c661f4867a36c4144c5fb317d",
	"title": "New LockerGoga Ransomware Allegedly Used in Altran Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2374876,
	"plain_text": "New LockerGoga Ransomware Allegedly Used in Altran Attack\r\nBy Ionut Ilascu\r\nPublished: 2019-01-30 · Archived: 2026-04-05 14:27:24 UTC\r\nHackers have infected the systems of Altran Technologies with malware that spread through the company network, affecting\r\noperations in some European countries. To protect client data and their own assets, Altran decided to shut down its network\r\nand applications.\r\nThe attack occurred on January 24, but the French engineering consultancy released a public statement only yesterday and\r\nkept details to a bare minimum, saying that third-party technical experts and digital forensics specialists are on the case.\r\nTo protect our clients, employees and partners, we immediately shut down our IT network and all applications. The security\r\nof our clients and of data is and will always be our top priority. We have mobilized leading global third-party technical\r\nexperts and forensics, and the investigation we have conducted with them has not identified any stolen data nor instances of\r\na propagation of the incident to our clients\r\nAltran allegedly hit with new LockerGoga ransomware\r\nAltran made no reference to the type of malware affecting their network, but security researcher have been following the\r\ntrail of public breadcrumbs found sufficient evidence to determine that it's a ransomware attack.\r\nhttps://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nThe first public mention of the cyberattack against Altran came in a tweet on January 25. 
A reply from computer security\r\nresearcher V hinted that behind the incident is a malware sample uploaded to VirusTotal.\r\nThis sample had an initial detection rate of 26 engines out of 69, but the file was quickly picked up by other antivirus\r\nproducts on VirusTotal and now 43 of them recognize the malware. The sample was first uploaded to VirusTotal on January\r\n24 from Romania and later that day it was added from the Netherlands.\r\nIf the file uploaded to Google's scanning service is the same one that struck Altran's computers, then it is a ransomware called\r\nLockerGoga. The name of the threat comes from the path used for compiling the source code into an executable discovered\r\nby MalwareHunterTeam.\r\nX:\\work\\Projects\\LockerGoga\\cl-src-last\\cryptopp\\src\\rijndael_simd.cpp\r\nWhen BleepingComputer tested the ransomware, we found that it was very slow due to how it spawned another process\r\neach time it encrypted a file. When discussing this with a security researcher named Valthek, we were told that the code was\r\nsloppy, slow, and made no effort to evade detection.\r\nAccording to security researcher SwitHak, the ransomware will normally target DOC, DOT, WBK, DOCX, DOTX, DOCB,\r\nXLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.\r\nHowever, if launched with the '-w' command line argument, it will target all file types. Other supported switches are '-k' and\r\n'-m', for Base64 encoding and for providing the email addresses to show in the ransom note.\r\nIn BleepingComputer's test, the ransomware sample launched itself with the -w argument and also spawned a new process\r\nfor each file it encrypted. This caused the encryption process to be very slow.\r\nWhen encrypting files, the ransomware will append the .locked extension to the processed files. 
This means that a file\r\nnamed test.jpg would be encrypted and then renamed to test.jpg.locked as illustrated in the image below.\r\nFurthermore, reports indicate that the sample may not wipe shadow volume copies, but we were not able to confirm that.\r\nWhen done encrypting data on the computer, it will drop a ransom note named README-NOW.txt on the desktop, which\r\nincludes instructions to contact the CottleAkela@protonmail.com or QyavauZehyco1994@o2.pl email addresses for\r\npayment instructions.\r\nAs you can see, the ransom note suggests that the malware operators target companies and offer to unlock a few files for free\r\nto prove that they have the decryption key.\r\nLockerGoga's ransom note was also seen by security researcher MalwareHunterTeam in early January, although it included\r\ndifferent ProtonMail and O2 addresses.\r\nAccording to SwitHak's attack scenario, the Romanian local team noticed the threat and checked it on VirusTotal. The\r\nnetwork connection and network shares mounted on employee systems allowed LockerGoga to spread to offices in other\r\ncountries, thus explaining the sample upload from the Netherlands.\r\nOf course, this is all conjecture and there is no hard proof to indicate that this is what happened.\r\nAnother interesting bit of information is that the \"Goga\" in the ransomware's moniker is a Romanian family name. 
This info\r\ntidbit coupled with the location it was first uploaded from could make one wonder if the strain had its origin in Romania.\r\nLockerGoga uses valid certificate\r\nAnalysis from Thomas Roccia, reverse engineer at McAfee, shows that the LockerGoga strain was signed with a valid\r\ncertificate, which would increase the chances of its deployment on the victim hosts without raising suspicion in most cases.\r\nHowever, someone paying attention to the Windows alert asking for authorization of the certificate would notice that\r\nsomething is not right, because it is for a host process for Windows Services and the signature is from MIKL Limited.\r\nThe certificate, issued by Comodo Certificate Authority (acquired by Francisco Partners and known by its new brand name\r\nSectigo) for code signing, has been revoked.\r\nA cursory check reveals that MIKL Limited is an IT consultancy firm incorporated in the UK on December 17, 2014.\r\nKnown file samples for LockerGoga ransomware are 'worker' and 'worker32.' The malware launches a process with a name\r\nsimilar to what Microsoft uses for its Windows Services, such as 'svch0st' or 'svchub.'\r\nFor those looking to detect this family of infections using YARA, security researcher V wrote the first rule that can help\r\norganizations protect their systems from getting hit by LockerGoga ransomware.\r\nWe were told at the time of writing that the global information systems of Altran Technologies continue to\r\nbe unavailable. 
BleepingComputer reached out to the Paris-based company to provide more information about the nature of\r\nthe cyberattack that impacted its operations but has not heard back by publishing time.\r\nIOCs\r\nHash:\r\n73171ffa6dfee5f9264e3d20a1b6926ec1b60897\r\nFile names:\r\nworker\r\nworker32\r\nbdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc.bin\r\nsvch0st.5817.exe\r\nsvch0st.11077.exe\r\nAssociated email addresses:\r\nCottleAkela@protonmail.com\r\nQyavauZehyco1994@o2.pl\r\nRansom Note Text:\r\nGreetings!\r\n \r\nThere was a significant flaw in the security system of your company.\r\nYou should be thankful that the flaw was exploited by serious people and not some rookies.\r\nThey would have damaged all of your data by mistake or for fun.\r\nYour files are encrypted with the strongest military algorithms RSA4096 and AES-256.\r\nWithout our special decoder it is impossible to restore the data.\r\nAttempts to restore your data with third party software as Photorec, RannohDecryptor etc.\r\nwill lead to irreversible destruction of your data.\r\n \r\nTo confirm our honest intentions.\r\nSend us 2-3 different random files and you will get them decrypted.\r\nIt can be from different computers on your network to be sure that our decoder decrypts everything.\r\nSample files we unlock for free (files should not be related to any kind of backups).\r\n \r\nWe exclusively have decryption software for your situation\r\n \r\nDO NOT RESET OR SHUTDOWN - files may be damaged.\r\nDO NOT RENAME the encrypted files.\r\nDO NOT MOVE the encrypted files.\r\nThis may lead to the impossibility of recovery of the certain files.\r\n \r\nTo get information on the price of the decoder contact us at:\r\nCottleAkela@protonmail.com;QyavauZehyco1994@o2.pl\r\nThe payment has to be made in Bitcoins.\r\nThe final price depends on how fast you contact 
us.\r\nAs soon as we receive the payment you will get the decryption tool and\r\ninstructions on how to improve your systems security\r\nSource: https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
	],
	"report_names": [
		"new-lockergoga-ransomware-allegedly-used-in-altran-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb989e7b81d4fb3c661f4867a36c4144c5fb317d.pdf",
		"text": "https://archive.orkl.eu/bb989e7b81d4fb3c661f4867a36c4144c5fb317d.txt",
		"img": "https://archive.orkl.eu/bb989e7b81d4fb3c661f4867a36c4144c5fb317d.jpg"
	}
}