What is the Lockergoga Ransomware?

Lockergoga is a nasty breed of ransomware that causes paralysis in industrial firms. Among its first targets was the Norwegian aluminum manufacturer Norsk Hydro. Its attack forced the company to switch many of its operations to manual. Other victims of the malware entity are the French engineering consulting firm Altran and the manufacturing companies Hexion and Momentive.

What Can the Lockergoga Ransomware Do?

Cybersecurity researchers note that the Lockergoga ransomware is very disruptive and appears intended to cause chaos rather than to make money for the criminals behind it. That is to say, its main goal could be the sabotage of industrial firms.

While in attack mode, Lockergoga does not use any of the obfuscation or evasion tactics commonly used by other malware entities. The only thing that is encoded is the RSA key used in the final stages of the attack. This suggests that the attackers behind the malware most likely have insider knowledge of the security measures deployed by their target firms, which is what gives them the confidence to deploy a malware entity that has little to no focus on stealth.

LockerGoga does, however, rely on code that is digitally signed with certificates issued to trusted security companies, which fools systems into allowing the malware to run its malicious code. The digital certificates that initially allowed this to happen have since been revoked.

The malware entity can also evade sandboxes and virtual machines by staying idle for extended periods of time. Some versions of Lockergoga can also evade machine learning-based detection systems, a technique that is also used by other ransomware strains.


Once it has successfully infiltrated a device, the Lockergoga malware changes the passwords and login details of various account holders. It will also try to log out users who are already logged into the system.

Following this, the malware relocates itself to the temp folder, where it renames itself using the command line. Lockergoga then encrypts the files stored across the entire network, or the section of the network that it is able to infect, while its code protects its own files and folders from being encrypted. Each time the malware encrypts a file, it changes the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session00{01-20}.

Finally, the ransomware leaves a README_LOCKED.txt that details the ransom terms and conditions. The ransom note warns the victims against shutting down their computers, renaming the encrypted files, or moving the encrypted files because as the note points out, such actions may make it impossible to recover the documents.

Lockergoga also differs from other ransomware strains in that it does not state the ransom amount that needs to be paid. The note only states that those who make contact early will get more favorable terms.
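As an added example (not code from this page or from any vendor), the following Python triage routine flags the host-level indicators this section describes, the README_LOCKED.txt note, writes to the RestartManager Session00{01-20} registry keys, and an executable launched from the temp folder, over constructed event records; the record shape, the field names, the sample paths and the threshold are assumptions.

```python
import re

# Indicators drawn from the behaviour described above; this is a constructed
# detector, not LockerGoga's own code or any vendor's signature.
RANSOM_NOTE = "readme_locked.txt"
# HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 .. Session0020
RM_SESSION_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session00(0[1-9]|1[0-9]|20)$",
    re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def classify_event(event):
    """Indicator names matched by one record of the constructed shape
    {"type": ..., "path": ...} (not a real Sysmon or EDR schema)."""
    hits, path = [], event.get("path", "")
    low = path.lower()
    if event["type"] == "file_create" and low.endswith("\\" + RANSOM_NOTE):
        hits.append("ransom_note")
    if event["type"] == "registry_set" and RM_SESSION_KEY.match(path):
        hits.append("restartmanager_session")
    if event["type"] == "process_start" and TEMP_DIR.search(path) and low.endswith(".exe"):
        hits.append("exe_from_temp")
    return hits

def assess_host(events, rm_threshold=5):
    """Per-host verdict. Legitimate installers also write RestartManager session
    keys, so a burst of them only escalates alongside an executable run from temp."""
    hits, rm_count = set(), 0
    for ev in events:
        for h in classify_event(ev):
            if h == "restartmanager_session":
                rm_count += 1
            else:
                hits.add(h)
    if "ransom_note" in hits:
        return "likely_lockergoga"
    if "exe_from_temp" in hits and rm_count >= rm_threshold:
        return "suspicious"
    return "benign"

# Constructed sample telemetry for one host (not a real capture).
SAMPLE_EVENTS = (
    [{"type": "process_start", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\x1.exe"}]
    + [{"type": "registry_set",
        "path": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session%04d" % n}
       for n in range(1, 7)]
    + [{"type": "file_create", "path": "C:\\Users\\alice\\Desktop\\README_LOCKED.txt"}]
)
```

The ransom note alone is treated as conclusive because it is the end state of the encryption run; the other two indicators are weaker and only escalate together.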

How to Remove the Lockergoga Ransomware

The Lockergoga ransomware constitutes a very severe threat against industrial systems and manufacturers in general. That is why it is important to terminate all processes that are associated with the Lockergoga malware as soon as they are detected.

Despite its impressive capabilities, the Lockergoga malware succumbs to anti-malware software. Part of the reason is that cybersecurity researchers have had time to study the virus and its modus operandi, which makes it an easy target for removal.

You might have read that the ransom note warns against shutting down your computer. You should not take this advice into consideration, given that at some point you will have to run your computer in Safe Mode with Networking, as that is the most effective way of dealing with the malware threat.

That said, you also need to clear your device of any temp files, downloads, browsing history, and all other forms of clutter, because malware entities, including Lockergoga (which resides in the temp folder), hide in such places. A PC repair tool will make it easier for you to do this.

As part of this Lockergoga removal guide, we will offer a tip on how many organizations have managed to ward off an attack by the Lockergoga malware. They have simply updated their systems and taken advantage of the security patches provided by Microsoft. Thus, if you want to keep the ransomware at bay, start by doing the same.
