The sub-techniques beta is now live! Read the release blog post for more info.


LockerGoga is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.[1][2]

ID: S0372
Platforms: Windows
Version: 1.2
Created: 16 April 2019
Last Modified: 10 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1531 Account Access Removal

LockerGoga has been observed changing account passwords and logging off current users.[2][1]

Enterprise T1116 Code Signing

LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[3]

Enterprise T1486 Data Encrypted for Impact

LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[2][1][3]

Enterprise T1089 Disabling Security Tools

LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[3]

Enterprise T1107 File Deletion

LockerGoga has been observed deleting its original launcher after execution.[2]

Enterprise T1105 Remote File Copy

LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files form computer to computer instead of self-propagating.[1]

Enterprise T1529 System Shutdown/Reboot

LockerGoga has been observed shutting down infected systems.[3]

Groups That Use This Software

ID Name References
G0037 FIN6 [4]