S0372 LockerGoga

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[2][1]

| Item | Value |
| --- | --- |
| ID | S0372 |
| Associated Names | |
| Version | 2.0 |
| Created | 16 April 2019 |
| Last Modified | 21 April 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1531 | Account Access Removal | LockerGoga has been observed changing account passwords and logging off current users.[1][2] |
| enterprise | T1486 | Data Encrypted for Impact | LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[1][2][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[3] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | LockerGoga has been observed deleting its original launcher after execution.[1] |
| enterprise | T1570 | Lateral Tool Transfer | LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating.[2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[3] |
| enterprise | T1529 | System Shutdown/Reboot | LockerGoga has been observed shutting down infected systems.[3] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0037 | FIN6 | [4] |
