
LockerGoga Ransomware

Posted: March 31, 2019

LockerGoga Ransomware is a file-locking trojan whose campaigns specialize in sabotaging Windows systems belonging to the industrial sector and other businesses. In addition to locking files and displaying its ransom demands, LockerGoga Ransomware is closely associated with backdoor attacks and may disable the infected machine's network connectivity. Updated anti-malware tools may remove LockerGoga Ransomware, and organizations in the affected industries should guard their administrator login credentials carefully in self-defense.

Industries Are Going Gaga for This Trojan

File-locker trojans are most notorious for harming small, vulnerable businesses or individual PC owners who open spam e-mail attachments or download illegal torrents. However, a new threat, dubbed LockerGoga Ransomware by the MalwareHunterTeam researchers, is taking a different route to profit: targeting the 'big fish' that could pay the most expensive ransoms. Our malware analysts conclude that LockerGoga Ransomware also poses dangers beyond the ransom itself, because it can disrupt system communications and machinery, although the latter may or may not be intentional.

LockerGoga Ransomware, like the majority of file-locking trojans, encrypts files individually to block access to most of the PC's contents without necessarily damaging the operating system. Threat actors install the program after compromising valuable login credentials, including administrator-privilege accounts at industrial sector entities ranging from engineering consultants to aluminum alloy manufacturers. Besides running the file-locking trojan, the attackers disable any recognizable AV software. Even by itself, LockerGoga Ransomware includes some counter-detection features, such as stolen digital certificates that pass it off as a non-malicious program.

LockerGoga Ransomware's ransom note is mostly traditional: it alerts the reader to the attack and offers negotiations at an e-mail address. Although it doesn't name a price for the threat actors' file-unlocking help, prior information gathered by the anti-malware industry puts the cost of a decryption service at hundreds of thousands of dollars. Other, particularly serious security issues in the latest variants of LockerGoga Ransomware include disabling network adapters and logging off all accounts after the payload finishes, as well as the usual self-uninstallation cleanup.
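As an added example, not code from the original article or from any vendor, the following Python script sketches how a defender could triage endpoint telemetry for the behaviour pattern described above: an executable launched from the temporary-folder path listed under Technical Details, a burst of file modifications by that process, and then network adapters being disabled and sessions logged off. The one-line-per-event log format, the thresholds, and the sample events are constructed assumptions; real EDR or Sysmon schemas differ, and only the `tgytutrc8.exe` file name comes from the page.

```python
"""Heuristic triage of endpoint telemetry for LockerGoga-style behaviour.

Added example; the log format below is a constructed, simplified one:
"<ISO timestamp> <event_type> key=value ..." with no spaces inside values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real captured data). pid 4120 shows the
# full chain; pid 4188 is a benign process used as a control.
SAMPLE_LOG = "\n".join(
    [
        r"2019-03-19T02:10:01 process_start pid=4120 image=C:\Users\ops\AppData\Local\Temp\tgytutrc8.exe signer=valid",
        r"2019-03-19T02:10:02 process_start pid=4188 image=C:\Windows\System32\svchost.exe signer=valid",
    ]
    + [
        rf"2019-03-19T02:10:{3 + i:02d} file_write pid=4120 path=C:\Share\Engineering\drawing{i}.dwg"
        for i in range(25)
    ]
    + [
        r"2019-03-19T02:10:40 file_write pid=4188 path=C:\Windows\Temp\svc.log",
        r"2019-03-19T02:11:05 net_adapter_disable pid=4120 adapter=Ethernet0",
        r"2019-03-19T02:11:06 session_logoff pid=4120 user=CORP\ops",
        r"2019-03-19T02:11:06 session_logoff pid=4120 user=CORP\svc-admin",
    ]
)

# Indicator from the article's Technical Details: %APPDATA%\Local\Temp\tgytutrc8.exe.
# The numeric suffix is matched loosely (assumption) so renamed drops still hit.
DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\tgytutrc\d*\.exe$", re.IGNORECASE)

MASS_WRITE_THRESHOLD = 20  # assumption: distinct files touched by one process...
MASS_WRITE_WINDOW_S = 60   # ...within this many seconds counts as mass modification

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_event(line):
    """Turn one telemetry line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, etype, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["type"] = etype
    return fields


def triage(log_text):
    """Return {pid: sorted list of behaviour flags} for processes worth a look."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    findings = defaultdict(set)
    writes = defaultdict(list)  # pid -> [(timestamp, path)]
    for e in events:
        pid, etype = e.get("pid"), e["type"]
        if etype == "process_start" and DROPPER_RE.search(e["image"]):
            # Deliberately ignore e["signer"]: the article notes LockerGoga used
            # stolen certificates, so a valid signature must not exempt a binary.
            findings[pid].add("known_dropper_path")
        elif etype == "file_write":
            writes[pid].append((e["ts"], e["path"]))
        elif etype == "net_adapter_disable":
            findings[pid].add("network_adapter_disabled")
        elif etype == "session_logoff":
            findings[pid].add("forced_logoff")
    # Sliding time window over each process's distinct written paths.
    for pid, w in writes.items():
        w.sort()
        for i in range(len(w)):
            start = w[i][0]
            window = {p for ts, p in w[i:] if (ts - start).total_seconds() <= MASS_WRITE_WINDOW_S}
            if len(window) >= MASS_WRITE_THRESHOLD:
                findings[pid].add("mass_file_modification")
                break
    return {pid: sorted(flags) for pid, flags in findings.items()}


def assess(findings):
    """Two or more of the behaviours on one process justifies isolating the host."""
    return {pid: ("isolate_and_investigate" if len(f) >= 2 else "watch") for pid, f in findings.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for pid, verdict in assess(result).items():
        print(pid, verdict, result[pid])
```

The design point worth noting is the signer check that is not there: because the campaign abused legitimate code-signing certificates, a rule that whitelists "signed" binaries would have let the dropper through, so the path and the follow-on behaviour carry the decision instead.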

Locking Up Tight Against File-Locker Trojans

LockerGoga Ransomware has successfully infiltrated the systems of dozens of different companies, although little data is available for determining the number of ransom transactions. Since the latest versions of LockerGoga Ransomware include account-tampering features that could prevent users from logging in with their usual passwords, infections pose more than a risk to 'only' the company's finances or files. They could disrupt the industrial control systems (ICS) that maintain safe operational environments for workers, besides affecting the target's operational capacity and bottom line.

One of the recent variations of the LockerGoga Ransomware ransom note reads as follows:

Greetings!

There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore your data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at:
AbbsChevis@protonmail.com
IjuqodiSunovib98@o2.pl
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security

Since LockerGoga Ransomware's threat actors are leveraging stolen logins in all observed attacks, admins should maintain all appropriate precautions for keeping their usernames and passwords as secure as possible. Besides the usual steps of avoiding factory-default or short passwords, employees should be careful about any interactions with e-mail attachments or links. Although the threat does contain a self-removal routine, users shouldn't count on its triggering in every case and should have anti-malware solutions for identifying any ongoing infections and removing LockerGoga Ransomware, if necessary.

LockerGoga Ransomware campaigns go hand in hand with related 'hacker' software, such as Cobalt and the proof-of-concept Mimikatz password stealer. Even though LockerGoga Ransomware itself is a very straightforwardly-programmed threat, it represents multifaceted and complex dangers to any industrial organization that lets it into its systems.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: %APPDATA%\Local\Temp\tgytutrc8.exe
File type: Executable File
Mime Type: unknown/exe