Severity scale: 90/100

LockerGoga ransomware. How to remove? (Uninstall guide)

by Julie Splinters | Type: Ransomware

LockerGoga ransomware is a cryptovirus that focuses on targeting companies

LockerGoga ransomware is a virus that marks encrypted data with the .locked file extension.

LockerGoga ransomware is a threat that was discovered after an initial attack on some companies in Europe. The first attack that revealed the activity of this virus targeted the systems of Altran Technologies.[1] Various operations in European countries were affected by this attack. After the incident, the company released an official statement to protect its clients and their data. This threat works like any other cryptovirus: it encrypts files and demands a ransom payment. According to the ransom note, README-NOW.txt, the RSA4096 and AES-256 algorithms are used in the file-locking process. This text file is placed on the system once data has been encoded and marked with the .locked file extension. Since this ransomware mainly targets companies, the amount demanded for the alleged decryption may depend on the scale of the target itself. However, paying is not a good idea, and the best solution is to employ professional tools and remove this virus as soon as possible.

Name: LockerGoga ransomware
Type: Cryptovirus
First target: The French engineering consultancy Altran Technologies
Ransom note: README-NOW.txt
File extension: .locked
Related files: hvwfcsky1377.bin – Kopya.exe, b3d3da12ca3b9efd042953caa6c3b8cd
Detected as: Win32:Trojan-gen
Contact emails: CottleAkela@protonmail.com and QyavauZehyco1994@o2.pl
Encryption algorithm: RSA4096 and AES-256
Distribution: Spam email attachments
Elimination: Use Malwarebytes for LockerGoga ransomware removal

The first discovered instance of this Goga ransomware virus involved a malware attack on an engineering consultancy firm, which released an official press release to protect its users' data.[2] The company also shut down its network and applications because operations were already affected in some European countries due to this attack.

The victim of this LockerGoga ransomware, Altran Technologies, revealed little information about the attack. Stephanie Bia stated in the press release:

On the 24th of January 2019, Altran was the target of a cyber attack affecting operations in some European countries.

To protect our clients, employees and partners, we immediately shut down our IT network and all applications. The security of our clients and of data is and will always be our top priority. We have mobilized leading global third-party technical experts and forensics, and the investigation we have conducted with them has not identified any stolen data nor instances of a propagation of the incident to our clients.

Our recovery plan is unfolding as expected and our technical teams are fully mobilized.

Throughout the process, Altran has been in contact with its clients, relevant governmental authorities and regulators.

Since the LockerGoga ransomware virus is a cryptovirus, its main purpose is to encrypt files on the targeted system and then demand a ransom for the alleged decryption. In the sample that has been analyzed, “worker” and “worker32” are the processes this ransomware launches on the infected device.

When the payload is launched, LockerGoga ransomware starts its encryption and uses the military-grade encryption algorithms RSA4096 and AES-256.[3] When photos, documents, videos, audio files or archives get encoded, the data gets marked with the .locked file extension, and the lengthy ransom note appears in every folder containing locked data.
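The two file-system indicators described above, the README-NOW.txt note and the .locked extension, can be used to scope which folders were hit before any restore is attempted. The script below is an added example, not code from the original article; its function names and the sample folder layout are constructed for illustration, and it treats either indicator alone as a weak signal because the .locked extension is not unique to LockerGoga.

```python
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "README-NOW.txt"   # ransom note name given in this article
LOCKED_EXT = ".locked"           # extension appended to encrypted files

def scan_tree(root):
    """Walk root and return {directory: {"note": bool, "locked": [names]}}
    for every directory showing at least one of the two indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        locked = sorted(f for f in files if f.lower().endswith(LOCKED_EXT))
        note = any(f.lower() == RANSOM_NOTE.lower() for f in files)
        if locked or note:
            hits[dirpath] = {"note": note, "locked": locked}
    return hits

def summarize(hits):
    """Confirmed = note and locked files together; weak = one indicator only."""
    confirmed = {d: h for d, h in hits.items() if h["note"] and h["locked"]}
    weak = {d: h for d, h in hits.items() if d not in confirmed}
    total = sum(len(h["locked"]) for h in hits.values())
    return {"confirmed": confirmed, "weak": weak, "locked_total": total}

def build_sample_tree(base):
    """Constructed sample data: empty placeholder files, nothing malicious."""
    layout = {
        "finance": ["q1.xlsx.locked", "q2.xlsx.locked", "README-NOW.txt"],
        "hr": ["policy.docx"],        # untouched folder, must not be reported
        "tools": ["screen.locked"],   # extension without a note: review only
    }
    for folder, names in layout.items():
        target = Path(base, folder)
        target.mkdir(parents=True)
        for name in names:
            (target / name).touch()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = summarize(scan_tree(build_sample_tree(tmp)))
        for d, h in report["confirmed"].items():
            print(f"CONFIRMED {d}: {len(h['locked'])} locked file(s)")
        for d, h in report["weak"].items():
            print(f"REVIEW    {d}: note={h['note']} locked={h['locked']}")
        print("total .locked files:", report["locked_total"])
```

Run it read-only against a mounted share or a forensic copy rather than the live infected host, and use the confirmed list to decide which folders to restore from backup.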

Here is the text of the LockerGoga ransom note:

Greetings!

There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN – files may be damaged.

DO NOT RENAME the encrypted files.

DO NOT MOVE the encrypted files.

This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at: CottleAkela@protonmail.com;QyavauZehyco1994@o2.pl The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

LockerGoga ransomware developers encourage victims to contact them via CottleAkela@protonmail.com and QyavauZehyco1994@o2.pl, but you shouldn't do that since it may lead to permanent data and money loss. As many researchers[4] advise, you need to terminate this virus and then focus on data recovery.

It is known that LockerGoga brings some malicious files with it. Cybersecurity experts have discovered that these files are named hvwfcsky1377.bin – Kopya.exe, b3d3da12ca3b9efd042953caa6c3b8cd. In addition, some computer security programs such as AVG and Avast detect the virus as Win32:Trojan-gen.

However, when it comes to LockerGoga ransomware removal from a company network, you need to employ experts and IT specialists and take internet security seriously. Professional cyber security experts can determine the damage and possibly fix issues with affected data. If you as an everyday user need similar help with your encrypted files, check our software suggestions below the article.

You need to remove LockerGoga ransomware using anti-malware tools like Malwarebytes because this threat installs more files on the system and affects other parts of the device. You may also benefit from virus damage removal using Reimage or similar PC repair tools.

Email box may get filled with infected emails

Spam email campaigns have reached a new level: malicious emails may land directly in your regular inbox and look legitimate and safe, because malicious actors use names like DHL, FedEx, Amazon or PayPal to create an impression of legitimacy.

When you receive an email you were not expecting, make sure to pay more attention to details. Subject lines like Invoice or Order information often point to questionable content, especially when the name of the service is not familiar.

You should delete suspicious emails and avoid opening attached files, because documents or PDF files can contain malicious macros or even the payload itself. This is the main distribution technique for crypto malware like miners or ransomware.

Eliminate LockerGoga ransomware and check if the system is clear before other steps

We understand that the LockerGoga ransomware virus is a severe threat and that file encryption is your primary concern. However, we cannot stress enough how important it is to terminate all related processes and clean the device entirely before focusing on anything else.

Remove LockerGoga ransomware using anti-malware tools like Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware and scan the device fully so that all virus damage can be fixed. You can use a few tools and scan the system a few times to double-check because ransomware is a persistent cyber threat.

When the LockerGoga ransomware removal is done, you can proceed with data recovery options. The best solution for this is data backups kept on an external device. However, not everyone has up-to-date backups. For this reason, we have a few suggestions of software and features on your computer that may help in file recovery.


To remove LockerGoga virus, follow these steps:

Remove LockerGoga using Safe Mode with Networking

Try rebooting the device in the Safe Mode with Networking before a thorough system scan:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove LockerGoga

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete LockerGoga removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove LockerGoga using System Restore

Get rid of LockerGoga ransomware using the System Restore feature on your PC:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of LockerGoga. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that LockerGoga removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockerGoga from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by LockerGoga, you can use several methods to restore them:

Data Recovery Pro can help with encrypted files

When LockerGoga ransomware encodes your data or you accidentally delete files, Data Recovery Pro helps to restore them.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LockerGoga ransomware;
  • Restore them.

Windows Previous Versions feature helps in file recovery

Try the Windows Previous Versions feature as an alternative to file backups.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

You can use ShadowExplorer

It seems that LockerGoga ransomware does not affect Shadow Volume Copies. If so, you can restore data with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from LockerGoga and other ransomware, use a reputable anti-spyware tool, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Julie Splinters - Malware removal specialist
