Norsk Hydro LockerGoga Update


March 29, 2019

I wrote a bit last week about Norsk Hydro’s encounter with LockerGoga, a newish form of Ransomware. has posted an insightful look at LockerGoga that I found to be rather interesting. The article makes six key revelations regarding the strain of ransomware. I thought I’d offer my own take on them here.

They are as follows:

1. LockerGoga Changes Passwords

According to Vijayan, once LockerGaga infects a system, it changes the user account passwords to “HuhuHUHHoHo283283@dJD.”

By changing the password, LockerGoga complicates any local intervention that an InfoSec pro might be trying to perform to save the endpoint from encryption.

2. End-Users are Forcibly Booted from the System as LockerGoga Takes Hold

I guess the ransomware’s developer is trying to limit the number of countermeasures a system might have in place to defend itself from an attack like this.

However, it’s sort of a silly decision, especially considering the infected end-point can’t display a ransom note to the end-user if they’re not logged in. If anything this makes LockerGoga a bit more destructive than it should be to leverage it as a money-making tactic properly.

3. LockerGoga Does not Leverage the Infected End-Point’s Network

Where more traditional ransomware programs might leverage an infected end-point’s network for things like commands, communication, and/or propagation (more on this next), LockerGoga avoids it altogether.

LockerGoga will actually disable any and all network points it finds on an end-point when installing itself. Security researchers have noticed the addition of some network capabilities in more recent examples of LockerGoga, so this might change shortly.

4. LockeGoga Doesn’t Propagate

Weird, right? But apparently, that’s the case. LockerGoga once installed on an end-point doesn’t do much other than encrypt the files its find there and then wait to be decrypted after somebody pays the ransom.

That’s unusual and not typical behavior from ransomware. According to researchers from Palo Alto Networks, LockerGoga is manually copied from end-point to end-point via server message protocols.

Like I mentioned in No. 3, this might be changing shortly. As of right now though LockerGoga is installed MANUALLY by Bad Actors who might have access to your system.

5. It’s Designed Specifically for Targeted Attacks

As I’ve already established, LockerGoga is a bizarre bit of code. It doesn’t propagate itself, and it doesn’t utilize any form of network interconnectivity that a more highly developed ransomware would.

That could actually be LockerGoga’s secret sauce. By being so radically different from other ransomware, LockerGoga can both evade more traditional machine learning and A.I. countermeasures, especially when leveraged by an attacker who has complete access to their target’s system and has managed to remain undetected.

6. It’s trying to pass itself off as a more well-known/sophisticated ransomware

Simply put, LockerGoga wants people to think it’s CryptoLocker. And at first glance it appears to be similar, all the way down to the ransom note it delivers to an end-user after their system is encrypted.

However, when comparing the two, LockerGoga apparently has some shoddy work behind it, making it both less advanced but more dangerous than CryptoLocker. Some of the bugs found in LockerGoga’s code directly relate to its decryption capabilities, meaning that even after an end-point is decrypted, LockerGoga might strike again because of how unstable it is.


I’m not going to pretend I know more about the situation than anybody else or that I know the motive behind the attackers. However, my hot take on the issue is this:

Whoever developed LockerGoga knows enough about ransomware to be dangerous but not necessarily enough to be successful in its development and deployment. That said, there’s evidence to suggest that whoever’s behind LockerGoga is learning at an alarming pace and there’s a reason to believe any subsequent version of this ransomware will cause chaos 10x the amount that it already has.

Only time will tell.

Carl Keyser is the Content Manager at Integris.

Keep reading

Strong Cybersecurity Postures: How to Unleash their Power

Strong Cybersecurity Postures: How to Unleash their Power

In the vast digital landscape where virtual dragons and sneaky trolls roam a strong cybersecurity posture has never been more important. Imagine a band of modern-day knights led by our protagonist, Alex. Armed with a trusty laptop and a cup of coffee, Alex navigates...

How to Spot a Phishing Attack in 2023

How to Spot a Phishing Attack in 2023

In 2023 cyber threats lurk behind every tree trunk in today's digital jungle, and cybersecurity awareness is more critical than ever. Among the craftiest of these threats are phishing attacks. Phishing attacks are cunningly engineered with social manipulation at their...

How to Choose an IT Consultant in Boulder, CO

Regardless of industry size or type, Boulder IT consultants play a massive role in the way companies in the Boulder area do business. While most companies may have their own in-house IT department, many of these departments are small and cannot handle all the...