
LockerGoga ransomware. How to remove? (Uninstall guide)

Removal guide by Julie Splinters | Type: Ransomware

LockerGoga is a ransomware-type virus that recently attacked Norwegian aluminum producer Norsk Hydro and other companies

Image caption: LockerGoga ransomware is the virus that marks encrypted data with the .locked file extension.

LockerGoga ransomware is a file-locking virus that was initially discovered after attacks were launched against European companies, such as Altran Technologies in France.[1] Most recently, the malware hit the high-profile Norwegian aluminum manufacturer Norsk Hydro, stopping some production lines, crippling its IT systems across most business areas, and forcing the company to switch to manual operations.[2] LockerGoga works much like any other crypto-virus: it locks files using the AES-256 and RSA-1024 encryption algorithms, appends a file extension (in this case .locked) and drops a ransom-demanding message, README-NOW.txt. To free the data held hostage, victims have to email the hackers via CottleAkela@protonmail.com, QyavauZehyco1994@o2.pl, DharmaParrack@protonmail.com, wyattpettigrew8922555@mail.com, or other addresses, and find out how much Bitcoin is required for the alleged decryptor. The price usually varies, depending on how fast the company contacts the cybercriminals. The malware also does a good job of evading detection, as the initial file is digitally signed (the certificates have since been revoked). The malware was also found changing victims' passwords and locking them out of the system. LockerGoga has similarities with viruses such as Everbe, GusCrypter, and Vurten.

Name: LockerGoga ransomware
Type: Cryptovirus
First target: The French engineering consultancy Altran Technologies, in January 2019
Ransom note: README-NOW.txt
File extension: .locked
Related files: hvwfcsky1377.bin, Kopya.exe, worker32, b3d3da12ca3b9efd042953caa6c3b8cd, tgytutrc7290.exe
Code-signing certificates: Alisa LTD, Sectigo RSA Code Signing CA, USERTrust Secure, Kitty’s Ltd., Mikl Limited (all revoked)
Detected as:
  • Win32:Trojan-gen
  • Ransom.crysis
  • Win32/Filecoder.LockerGoga.A
  • TR/Crypren.lydxc
  • Trojan:Win32/Occamy.C
  • Ransom.Enciphered
  • etc.
Contact emails: CottleAkela@protonmail.com, QyavauZehyco1994@o2.pl, DharmaParrack@protonmail.com, wyattpettigrew8922555@mail.com
Encryption algorithm: RSA-1024 and AES-256
Distribution: Spam email attachments, brute-force attacks
Elimination: Use Malwarebytes for LockerGoga ransomware removal

The first known instance of the LockerGoga ransomware virus was an attack on an engineering consultancy firm, which issued an official press release about the steps taken to protect its users' data.[3] The company also shut down its network and applications, because operations in some European countries were already affected by the attack.

The victim of this LockerGoga attack, Altran Technologies, revealed little information about it. Stephanie Bia stated in the press release:

On the 24th of January 2019, Altran was the target of a cyber attack affecting operations in some European countries.

To protect our clients, employees and partners, we immediately shut down our IT network and all applications. The security of our clients and of data is and will always be our top priority. We have mobilized leading global third-party technical experts and forensics, and the investigation we have conducted with them has not identified any stolen data nor instances of a propagation of the incident to our clients.

Our recovery plan is unfolding as expected and our technical teams are fully mobilized.

Throughout the process, Altran has been in contact with its clients, relevant governmental authorities and regulators.

Since LockerGoga is a cryptovirus, its main purpose is to encrypt files on the targeted system and then demand a ransom for the alleged decryption. In the sample that has been analyzed, “worker” and “worker32” are the processes this ransomware launches on the infected device.

The initial payload, however, often arrives as files digitally signed by Alisa Ltd., Kitty’s Ltd., or Mikl Limited. This technique helps LockerGoga evade detection. Fortunately, those certificates have since been revoked.

Before engaging in any activity, LockerGoga checks that the attacked device is not a sandbox[4] or a virtual machine. It has also been spotted evading machine-learning-based AV engines and calling sleep more than 100 times in some cases.[5]

Once the payload is launched, LockerGoga starts encrypting, using the RSA-1024 and AES-256 algorithms.[6] Because the virus authors target large organizations, the locked files are mainly documents, with extensions such as .doc, .pdf, .ppt, .xlm, .xlsx, .js, .pptx, .db, etc. (31 document extensions in total). According to research, the encryption process takes only a couple of minutes, as LockerGoga uses every CPU core to run it as fast as possible.

After the encryption process, LockerGoga ransomware drops a ransom note which reads:

Greetings!

There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.

To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN – files may be damaged.

DO NOT RENAME the encrypted files.

DO NOT MOVE the encrypted files.

This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at: CottleAkela@protonmail.com;QyavauZehyco1994@o2.pl The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

LockerGoga's developers encourage victims to contact them via CottleAkela@protonmail.com and QyavauZehyco1994@o2.pl, but you should not do so, as it may lead to permanent loss of both data and money. As many researchers[7] advise, you need to terminate the virus first and only then focus on data recovery.

It is known that LockerGoga brings additional malicious files with it. Cybersecurity experts have identified files named hvwfcsky1377.bin, Kopya.exe and b3d3da12ca3b9efd042953caa6c3b8cd. Additionally, some security programs, such as AVG and Avast, detect the virus as Win32:Trojan-gen.
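The traits listed above (the .locked extension, the README-NOW.txt note and the dropped file names from the summary table) are enough for a first-pass host sweep during triage. The following script is an added example written for this article, not code from the article or from any vendor it mentions; it walks a directory tree, reports every indicator it finds and gives a simple verdict. Treating the 32-hex-character "related file" entry from the table as an MD5 hash is an assumption made for the example, and the sample directory it builds is constructed demo data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the summary table above. Treating the 32-hex-character
# "related file" entry as an MD5 hash is an assumption made for this example.
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE = "readme-now.txt"
RELATED_NAMES = {"hvwfcsky1377.bin", "kopya.exe", "tgytutrc7290.exe", "worker32", "worker"}
RELATED_HASHES = {"b3d3da12ca3b9efd042953caa6c3b8cd"}


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: str) -> dict:
    """Walk `root` and collect paths that match the LockerGoga indicators."""
    findings = {"encrypted": [], "notes": [], "related_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
            elif lower == RANSOM_NOTE:
                findings["notes"].append(str(path))
            elif lower in RELATED_NAMES or md5_of(path) in RELATED_HASHES:
                findings["related_files"].append(str(path))
    return findings


def is_likely_lockergoga(findings: dict) -> bool:
    """Flag the host when encrypted files sit next to the note, or a known dropped file is present."""
    return (bool(findings["encrypted"]) and bool(findings["notes"])) or bool(findings["related_files"])


def build_sample_tree() -> str:
    """Constructed directory tree imitating a workstation after encryption (demo data only)."""
    root = tempfile.mkdtemp(prefix="lockergoga-sweep-demo-")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.locked").write_bytes(b"\x00" * 64)
    (docs / "report.docx.locked").write_bytes(b"\x00" * 64)
    (docs / "todo.txt").write_text("untouched file")
    (docs / "README-NOW.txt").write_text("constructed stand-in for the ransom note")
    temp = Path(root, "Windows", "Temp")
    temp.mkdir(parents=True)
    # File name from the table; the content is a constructed placeholder, not malware.
    (temp / "tgytutrc7290.exe").write_bytes(b"MZ" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    for category, paths in result.items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("verdict:", "likely LockerGoga" if is_likely_lockergoga(result) else "no indicators found")
```

Run it against a mounted image or a suspect volume by passing that path to `sweep()` instead of the demo tree; the hash check is deliberately last so that only files whose name does not already match get read in full.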

According to British security researcher Kevin Beaumont, LockerGoga did the following to the infected systems:[8]

Each impacted system had three key elements:

  • They all ran Microsoft Windows.
  • Files, including some system files, had been encrypted.
  • The network interface on every system had been disabled.
  • The local user accounts on every system had their password changed.

Note that this sample comes from the well-known Norsk Hydro attack, so the behaviour of other infections might vary.
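The password changes Beaumont describes leave a trace in the Windows Security log: each reset is recorded as Event ID 4724 ("An attempt was made to reset an account's password"), and a ransomware run produces a burst of them for many accounts within seconds, which no helpdesk does. The detection below is an added example written for this article, not code from the article or from any researcher it cites; it groups 4724 events by the account performing the reset and alerts when one subject resets several distinct accounts inside a short window. The event records are constructed sample data, and the field names follow the Security log's SubjectUserName/TargetUserName naming.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records (not real telemetry). Event ID 4724 is
# "An attempt was made to reset an account's password"; 4624 (a logon) is ignored.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-03-19T03:11:58", "SubjectUserName": "Administrator", "TargetUserName": "Administrator"},
    {"EventID": 4724, "TimeCreated": "2019-03-19T03:12:01", "SubjectUserName": "Administrator", "TargetUserName": "alice"},
    {"EventID": 4724, "TimeCreated": "2019-03-19T03:12:02", "SubjectUserName": "Administrator", "TargetUserName": "bob"},
    {"EventID": 4724, "TimeCreated": "2019-03-19T03:12:04", "SubjectUserName": "Administrator", "TargetUserName": "carol"},
    {"EventID": 4724, "TimeCreated": "2019-03-19T03:12:09", "SubjectUserName": "Administrator", "TargetUserName": "dave"},
    # Routine helpdesk resets hours apart: must not trigger an alert.
    {"EventID": 4724, "TimeCreated": "2019-03-19T09:00:00", "SubjectUserName": "helpdesk", "TargetUserName": "erin"},
    {"EventID": 4724, "TimeCreated": "2019-03-19T15:30:00", "SubjectUserName": "helpdesk", "TargetUserName": "frank"},
]


def detect_password_reset_bursts(events, window=timedelta(seconds=60), min_accounts=3):
    """Alert when one subject resets the passwords of >= min_accounts distinct accounts within `window`.

    Returns one alert per offending subject, describing the densest window observed for it.
    """
    resets = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4724:
            resets[ev["SubjectUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"])
            )

    alerts = []
    for subject, items in resets.items():
        items.sort()  # chronological order for the sliding window
        best_targets, best_span, start = set(), None, 0
        for end in range(len(items)):
            # Advance the window start until the window fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            targets = {target for _, target in items[start:end + 1]}
            if len(targets) > len(best_targets):
                best_targets, best_span = targets, (items[start][0], items[end][0])
        if len(best_targets) >= min_accounts:
            alerts.append({
                "subject": subject,
                "accounts": sorted(best_targets),
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_reset_bursts(SAMPLE_EVENTS):
        print(f"{alert['subject']} reset {len(alert['accounts'])} accounts "
              f"between {alert['first']} and {alert['last']}: {', '.join(alert['accounts'])}")
```

Feed it records exported from the Security log (or forwarded to a SIEM) and tune `window` and `min_accounts` to the size of the host; on a workstation with a handful of local accounts even three resets in a minute is worth an alert, since the page notes that every local account was changed.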

When it comes to LockerGoga ransomware removal from a company network, you need to employ experts and IT specialists and take internet security seriously. Professional cyber security experts can assess the damage and possibly fix issues with the affected data. If you are an everyday user who needs similar help with encrypted files, check our software suggestions below the article.

You need to remove LockerGoga ransomware using anti-malware tools like Malwarebytes, because this threat installs more files on the system and affects other parts of the device. You may also benefit from virus damage repair using Reimage or similar PC repair tools.

Another high-profile LockerGoga target: Norsk Hydro

Located in Oslo, Norway, Norsk Hydro is the largest aluminum producer in the world, manufacturing almost half a million tons of the material a year. The company is also active in other sectors, such as solar power technologies, hydropower, and the oil industry.

Image caption: The recent victim of LockerGoga, Norsk Hydro in Norway, is one of the biggest aluminum producers in the world.

The attack occurred late on Monday, January the 18th, when Norsk Hydro IT staff noticed suspicious activity on the IT systems. Initially, and up till now, the company has not directly attributed the compromise to LockerGoga ransomware, although Norsk Hydro CFO Eivind Kallevik did confirm that the attack involves a file-locking virus and that the situation is “quite severe.”

Norsk Hydro has been forced to switch to manual handling of operations, and staff have been told not to log in to any IT systems. The company immediately contacted third-party security forensics specialists to assist with the situation and is actively trying to recover from the attack. Many workers have been asked to work multiple shifts to minimize the losses. Kallevik commented to Reuters:[9]

It is mostly direct labor: some of the activities that we use computers to do, today we use manual labor. We have to add some more people.

According to him, the company is able to provide all services and process all customer orders as usual, although it is not clear whether future procedures will be affected, as the official website is currently down. Norsk Hydro is now focusing on continuing regular operations via manual methods, minimizing financial and operational losses, and recovering the IT systems from backups.

Following the LockerGoga attack, aluminum prices rose to their highest level in three months, and the company's stock price fell by 3.4% before recovering by 0.8%.

Update: Norsk Hydro is recovering from the attack with the help of companies such as Microsoft

Later in March, MalwareHunterTeam discovered a new LockerGoga sample that was also uploaded from Norway, so the security team believes it was used in the Norsk Hydro attack. This variant uses new contact details: DharmaParrack@protonmail.com and wyattpettigrew8922555@mail.com.

The company published a press release[10] that explains the situation further. According to Norsk Hydro, it is recovering from the attack with the help of external parties such as Microsoft and is not planning to pay the ransom to LockerGoga's authors. Instead, the company is focusing on recovering all crucial data from backups.

Most of the company's procedures are running as usual, although some employees are still forced to perform some operations manually. By far the biggest setback of the attack was that the company could not access a full list of customer orders, as stated by Chief Financial Officer Eivind Kallevik at the press conference on Thursday.[11]

Despite promising leads, Norsk Hydro did not give any further details:

Hydro still does not have the full overview of the timeline towards normal operations, and it is still too early to estimate the exact operational and financial impact.

Despite that, based on the samples published on VirusTotal and insight from multiple security researchers, it is clear that the hackers managed to break into the company's network and then gained access to an Active Directory server. From there, the attackers spread LockerGoga laterally, as the virus itself has no capability to propagate across the network.

After encrypting files, LockerGoga disabled the network interfaces (network cards) and changed the password of every account, preventing anybody from accessing their workstation. This is done to slow down recovery, as each PC has to be handled separately instead of simply being restored from cloud backups.

According to research from the Cisco Talos team,[12] LockerGoga is much closer to destructive malware (a wiper) than to ransomware. Nevertheless, this is only a theory, and the hackers' real goals are known only to them.

Image caption: Norsk Hydro said that it is recovering from the LockerGoga ransomware attack with the help of companies such as Microsoft. Nevertheless, it is still too early to estimate the financial impact.

Email box may get filled with infected emails

Spam email campaigns have reached a new level: emails may land directly in your regular inbox and look legitimate and safe, because malicious actors use names like DHL, FedEx, Amazon or PayPal to create an impression of legitimacy.

When you receive an email you were not expecting, make sure to pay closer attention to the details. Subject lines such as Invoice or Order information often hint at questionable content, especially when the name of the service is not familiar to you.

You should delete suspicious emails and avoid opening attached files, because documents or PDF files can contain malicious macros or even the payload itself. This is the main distribution technique for crypto malware such as miners and ransomware.
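The three warning signs this section describes (a trusted brand name on a sender that is not that brand, an invoice or order subject line, and a document attachment that can carry macros or a payload) can be checked mechanically before anyone opens the message. The triage script below is an added example written for this article, not code from the article or from any vendor it names; it parses a raw message with Python's standard `email` package and lists the traits it finds. The lure and benign messages it builds are constructed samples, and the mapping of brand names to the domains they legitimately send from is an assumption made for the demonstration.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Brands the article says are impersonated, mapped to the domain a genuine message
# would come from (assumed legitimate domains, chosen for the demonstration).
IMPERSONATED_BRANDS = {"dhl": "dhl.com", "fedex": "fedex.com", "amazon": "amazon.com", "paypal": "paypal.com"}
LURE_SUBJECT = re.compile(r"\b(invoice|order|payment|shipment|delivery)\b", re.IGNORECASE)
# Attachment types that can carry macros, scripts or a direct payload.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pdf", ".js", ".vbs", ".zip", ".rar", ".exe", ".scr", ".iso"}


def assess_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the suspicious traits it exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Brand name in the display name, but the sender domain does not belong to that brand.
    display_name, address = email.utils.parseaddr(str(msg["From"] or ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for brand, legit_domain in IMPERSONATED_BRANDS.items():
        if brand in display_name.lower() and domain != legit_domain and not domain.endswith("." + legit_domain):
            findings.append(f"display name mentions {brand.upper()} but sender domain is {domain or '(none)'}")

    # 2. Invoice / order style subject line.
    subject = str(msg["Subject"] or "")
    if LURE_SUBJECT.search(subject):
        findings.append(f"lure-style subject: {subject!r}")

    # 3. Attachment whose type can carry macros or a payload.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {filename}")

    return {"findings": findings, "score": len(findings), "suspicious": len(findings) >= 2}


def build_sample_lure() -> bytes:
    """Constructed delivery-themed lure (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "DHL Express <notice@dhl-parcel-update.example>"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Invoice 48213: delivery on hold"
    msg.set_content("Please review the attached invoice to release your shipment.")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real document",
                       maintype="application", subtype="octet-stream", filename="Invoice_48213.docm")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary message with none of the traits."""
    msg = EmailMessage()
    msg["From"] = "Bob Jones <bob@example.org>"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("Same place at noon?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        verdict = assess_message(raw)
        print(f"{label}: score={verdict['score']} suspicious={verdict['suspicious']}")
        for finding in verdict["findings"]:
            print("   -", finding)
```

The verdict threshold of two traits is a starting point, not a rule: a single risky attachment from an unknown sender is still worth holding for review, and a message from a mailbox you have never corresponded with deserves the same scrutiny even when it scores zero here.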

Eliminate LockerGoga ransomware and check if the system is clear before other steps

We understand that LockerGoga ransomware is a severe threat and that file encryption is your primary concern. However, we cannot stress enough how important it is to terminate all related processes and clean the device entirely before focusing on anything else.

Remove LockerGoga ransomware using anti-malware tools like Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware, and scan the device fully so that all virus damage can be fixed. You can use a few tools and scan the system several times to double-check, because ransomware is a persistent cyber threat.

When LockerGoga ransomware removal is done, you can proceed with data recovery options. The best solution is a data backup on an external device. However, not everyone has up-to-date backups, so we have a few suggestions of software and built-in features that may help with file recovery.


To remove LockerGoga virus, follow these steps:

Remove LockerGoga using Safe Mode with Networking

Try rebooting the device in the Safe Mode with Networking before a thorough system scan:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, then Restart, and confirm with OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove LockerGoga

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete LockerGoga removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove LockerGoga using System Restore

Get rid of LockerGoga ransomware using the System Restore feature on your PC:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, then Restart, and confirm with OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the LockerGoga infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer and make sure that LockerGoga removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockerGoga from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by LockerGoga, you can use several methods to restore them:

Data Recovery Pro can help with encrypted files

When LockerGoga ransomware encodes your data or you accidentally delete files, Data Recovery Pro can help restore them:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LockerGoga ransomware;
  • Restore them.

Windows Previous Versions feature helps in file recovery

Try the Windows Previous Versions feature as an alternative to file backups:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

You can use ShadowExplorer

It seems that LockerGoga ransomware does not affect Shadow Volume Copies. If so, you can restore data with ShadowExplorer:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk with your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not available

Finally, you should always think about protection against crypto-ransomware. To protect your computer from LockerGoga and other ransomware, use a reputable anti-spyware program such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Julie Splinters, malware removal specialist
