Register to stream ATT&CKcon 2.0 October 29-30


LockerGoga is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.[1][2]

ID: S0372
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing LockerGoga has been signed with stolen certificates in order to make it look more legitimate. [3]
Enterprise T1486 Data Encrypted for Impact LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key. [2] [1] [3]
Enterprise T1089 Disabling Security Tools LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus. [3]
Enterprise T1107 File Deletion LockerGoga has been observed deleting its original launcher after execution. [2]
Enterprise T1105 Remote File Copy LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files form computer to computer instead of self-propagating. [1]

Groups That Use This Software

ID Name References
G0037 FIN6 [4]