Ransom.LockerGoga

Short bio

Ransom.LockerGoga is Malwarebytes' detection name for a ransomware that is primarily used in targeted, very disruptive attacks.

Symptoms

Ransom.LockerGoga encrypts files on the affected system and adds the .locked extension to the encrypted files.
Ransom.LockerGoga shows a ransom note called README_LOCKED.txt.

Ransom.LockerGoga ransom note

Users of affected systems may also find themselves locked out because their login credentials were changed.

Type and source of infection

Ransomware is a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back.
Ransom.LockerGoga is typically delivered by a targeted attack using login credentials that the threat actor somehow got hold of.

Aftermath

Besides finding their files of the following types encrypted:

.doc, .dot, .docx, .docb, .dotx, .wkb, .xlm, .xml, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db, .sql, .cs, .ts, .js, and .py

users may also find that they have been locked out of their systems because their credentials were changed by the threat actor.
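As an added example (not Malwarebytes' code or tooling), the following Python triage script walks a file tree looking for the artefacts this page describes: the .locked extension on files of the targeted types listed above, the README_LOCKED.txt ransom note, and the tgytutrc<digits>.exe file name given under Traces/IOCs. The sample tree it builds is constructed from empty placeholder files so that the script can be run offline.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the page: the .locked extension, the ransom note name,
# the dropped executable name in %APPDATA%\Local\Temp and the targeted types.
ENCRYPTED_SUFFIX = ".locked"
RANSOM_NOTE = "README_LOCKED.txt"
DROPPER_RE = re.compile(r"^tgytutrc\d+\.exe$", re.IGNORECASE)  # tgytutrc8.exe, tgytutrc1234.exe
TARGETED_EXTS = {
    ".doc", ".dot", ".docx", ".docb", ".dotx", ".wkb", ".xlm", ".xml", ".xls", ".xlsx",
    ".xlt", ".xltx", ".xlsb", ".xlw", ".ppt", ".pps", ".pot", ".ppsx", ".pptx", ".posx",
    ".potx", ".sldx", ".pdf", ".db", ".sql", ".cs", ".ts", ".js", ".py",
}


def triage(root):
    """Walk `root` and collect LockerGoga artefacts into a summary dict."""
    found = {"encrypted": [], "notes": [], "droppers": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name == RANSOM_NOTE:
            found["notes"].append(str(path))
        elif DROPPER_RE.match(name):
            found["droppers"].append(str(path))
        elif name.lower().endswith(ENCRYPTED_SUFFIX):
            # "budget.xlsx.locked": the original extension is the stem's suffix;
            # flag whether it is one of the types the page says LockerGoga targets
            original_ext = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
            found["encrypted"].append((str(path), original_ext in TARGETED_EXTS))
    found["hit"] = bool(found["notes"] or found["droppers"] or found["encrypted"])
    return found


def build_sample_tree():
    """Constructed sample data (empty placeholder files, not real malware)."""
    root = Path(tempfile.mkdtemp())
    temp = root / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "tgytutrc4821.exe").write_bytes(b"")   # matches the dropper pattern
    (temp / "setup.exe").write_bytes(b"")           # unrelated, must not match
    share = root / "share"
    share.mkdir()
    (share / "budget.xlsx.locked").write_bytes(b"\x00")  # targeted type
    (share / "notes.txt.locked").write_bytes(b"\x00")    # .txt not on the list
    (share / RANSOM_NOTE).write_text("constructed ransom note placeholder")
    return str(root)
```

Run `triage(build_sample_tree())` to see the summary; on a real host, point `triage` at the user profile or a file share and check the `hit` flag and the lists it returns.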

Protection

Malwarebytes protects users from Ransom.LockerGoga by using real-time protection.

Malwarebytes blocks Ransom.LockerGoga


Business remediation

Malwarebytes can detect and remove Ransom.LockerGoga on business machines without further user interaction.
To remove Ransom.LockerGoga using Malwarebytes business products, follow the instructions below.

How to remove Ransom.LockerGoga with Malwarebytes Endpoint Protection

  1. Go to the Malwarebytes Cloud console.
  2. To allow you to invoke a scan while the machine is off the network, go to Settings > Policies > your policy > General.
  3. Under Endpoint Interface Options, turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Ransom.LockerGoga with our Breach Remediation tool (MBBR).

  1. Log into your My Account page and copy your license key. The key is needed to activate the MBBR tool.
  2. Open your Cloud console.
  3. From a clean and safe machine, go to Endpoints > Add > Malwarebytes Breach Remediation. This will download the MBBR zip package.
  4. Unzip the package.
  5. Access a Windows command line prompt and issue the following commands:
    mbbr register -key:
    mbbr update
    Note: You must substitute your license key for .
  6. Copy the MBBR folder to a flash drive.
  7. From an infected, offline machine, copy the MBBR folder from the flash drive.
  8. Start a scan using the following command:
    mbbr scan -full -ark -remove -noreboot
  9. Refer to the Malwarebytes Breach Remediation Windows Administrator Guide for all supported scanning commands.

If the ransomware has encrypted some files before the behavioral detection kicked in, you can use the rollback feature (if available) to retrieve the files.

Consumer remediation

Malwarebytes can detect and remove Ransom.LockerGoga without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Note, however, that removing this ransomware does not decrypt your files. You can only get your files back from backups you made before the infection happened.

Traces/IOCs

Mutex:
MX-tgytutrc

Files:
%APPDATA%\Local\Temp\tgytutrc8.exe
%APPDATA%\Local\Temp\tgytutrc{4 Random Numbers}.exe

E-mail addresses used:
